The Cyber World Turns to M&A

Cybersecurity has become the predominant risk for boards and management teams to address over the past few years. Every day there is new information about evolving vulnerabilities, advancing threat actors and billions of dollars lost. As the cyber world evolves, it is increasingly clear that companies moving through a transaction could be the ideal targets. Corporate leaders need to consider why a deal can draw out bad actors, what risks this poses to the deal itself and how best to achieve success in the face of this new era of cyber threats.

Cyber Risk is Everywhere

It cannot be overstated how prevalent cyber risk has become for corporate America. A recent survey found that nearly two-thirds of companies polled had been infected with ransomware in 2021. It is no surprise, then, that more than 80% of respondents indicated that they were concerned they would be vulnerable to an attack. Research shows that certain cyber attacks have risen 232% since 2019.

Most media will highlight ransomware attacks, making it feel as though that is the only type of cyber risk to consider. While the vivid imagery of a company being held ransom is compelling, it is far from the only risk. Throughout the transaction lifecycle there are all sorts of ways the process can be compromised. Spear phishing, business e-mail compromise, insider threats and digital extortion are other examples of situations that are prominent in mergers & acquisitions.

The Attraction to Transactions

To understand how M&A presents a unique opportunity to cyber threat actors you must first consider the typical aim of these groups: money and information. There are compelling reasons to capture both through every phase of the transaction lifecycle.

Step one is the initiation of a transaction process. This is a highly sensitive time for any organization as it carefully considers its future. Steady maintenance of the business is paramount to preserve optionality, valuation, negotiating leverage, risk identification and much more. This is especially true for private equity firms, which have often spent years reshaping a business toward achieving an exit and realizing value for investors. This vital need for stability, though, only heightens the attractiveness for threat actors, who recognize the premium well-funded players will put on stability.

Step two is the announcement of the transaction. Thankfully, once a deal is announced the near-term tensions cited above subside a bit. However, the universe of cyber risks only expands. While a transaction process is primarily private and confidential, a deal announcement is highly public. The massive spike in media attention on announcement day is effectively hanging a sign on your business that reads “change in progress, cyber attackers welcome”. Rolling forward to the close of the transaction and subsequent integration, the sign would then read “multiple systems in use, cyber attackers encouraged”.

Why is Cyber a Unique Risk?

This raises the question of why cyber is such a unique risk for dealmakers. Executing a transaction has always come with the inherent risk that one of the businesses involved goes through an unexpected crisis. These traditional types of business disruption risk create clear costs and defined operational challenges. Most of all, though, these risks are rare and relatively unexpected. You certainly don’t pursue a merger with the presumption one of the assets will explode.

That is where cyber is unique. Right now, it is so pervasive that companies would be well advised to presume it will be a real risk to mitigate. In fact, the FBI’s Cyber Division issued a Private Industry Notification (PIN) alerting market participants that significant financial events facilitate targeting and extortion of victims. That creates a series of issues for dealmakers to consider beyond the traditional cost and related business disruption of a traditional crisis matter.

When it comes to the transaction lifecycle, there are also particular risks around disclosure, loss of time and integration that these cyber events create.

How to Prepare

If dealmakers need to presume that cyber risk will occur in the transaction lifecycle, then how can you better integrate risk mitigation steps into the deal process?

First and foremost is an acknowledgement that most organizations remain poorly prepared. In fact, 56% of organizations do not have a cyber incident response plan, and only 32% think their plan is effective. In short, either you, your transaction partner or both have not fully considered how to respond to a cyber event, let alone how to do so within the framework of a deal. Companies that have a cyber-specific crisis communications plan tend to manage stakeholder communications more successfully. Those who have stress-tested their plans or conducted tabletop exercises fare far better. Dealmakers should also consider the following when looking to mitigate cyber risk in a deal:

  • Due Diligence – Cyber due diligence is a rapidly emerging field. It is a must-have on any transaction evaluation task list. However, that work should not simply go on a shelf waiting for the integration teams down the road. This due diligence is not identifying potential risks; it is creating an understanding of presumed risks for the deal team.
  • Culture of Cybersecurity – Unlike most crisis events, cyber is a risk that the entire deal team inherits, including advisers. Anyone made aware of the potential transaction becomes a potential vector of vulnerability. This calls for corporate leaders to instill a culture of good cyber risk hygiene at the start of the process. For example, think about the use of code names over email and text, considering where documents are stored and how documents are encrypted.
  • Leaks – For any large transaction, speculation in the press ahead of a deal announcement is basically a fact of life. This is particularly true for auction processes of PE assets. While there are pros and cons to this sort of media coverage, dealmakers need to start accounting for cyber risk in those calculations. If a story were to run, are the company and its advisers prepared for the attention it will draw from threat actors?
  • Rapid Response Plan – Any good transaction process will identify a rapid response plan that identifies potential leaks, activist comments, interloping bidders, etc. It is vital that these plans now incorporate potential cyber events during the transaction lifecycle. This includes a framework for how the acquirer, target and seller will communicate the attack and coordinate the response during the pendency of a deal.

The global pandemic has forced the rapid acceleration of technology adoption in every aspect of our lives. This unlocked incredible benefits, but brought with it a wave of new risks. The transaction world is no exception. It’s time to integrate the cyber conversation into the deal lifecycle.

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2022 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
