SecureState Blog


Will Purchasing This Company Hurt Us?

With data breaches remaining a steady concern across industries, far too many Mergers & Acquisitions teams are ignoring information security as a key piece of data for decision making. How secure is the company potentially being merged with or acquired? What happens to the value of the target company if a breach occurs, or is discovered to have already happened? Could that company pose a security liability to whoever is merging with or acquiring it?

As a manager of Corporate Development & Strategy for a Fortune 1000 company, I was in a position to review offering memoranda and perform due diligence on hundreds of companies to various levels of detail. Most of our efforts focused on identifying markets, geographies, technologies, and strategic angles for the target company, all of which played a part in making an acquisition. Data was pored over for days. Financials were reviewed, audited, recast and recalculated in every way to determine if this was a good deal for us.

However, even with all of this analysis, when it came to IT, we usually only focused on what systems they were using and how hard it would be to integrate those into our company. To be honest, there was never much thought given to information security, or to the vulnerability of the target company to hackers or other technology risks.

With the number and extent of data breaches rising, it is clearly time that M&A teams place emphasis on determining the security posture of a target company as part of the due diligence process. No one wants to buy something that could lose all its value overnight. Neither does a secure company with all the right pieces in place want to give away that value, which is why this emphasis on security in the due diligence process is needed on both the Buy and Sell side.

SecureState has been assessing corporate risk and security for years. We work with our clients on a corporate level to understand their current security posture, then bring them to a desired level of security. With this experience, we can offer our expertise in assessing an acquisition target and determining its security maturity level, along with the specific tactical and strategic fixes to improve it. We can even help identify the costs of improvement, and how they could affect your decision. We can tell you what the security risk looks like and how to translate that information into a point of negotiation in the sale process.

Our process, shown below, begins with a high-level approach for getting an overall feel for the various risks at the target company. The form this takes depends on the amount of information the M&A team wants. This high-level approach can be as simple as gathering the executives and important members of the security team at the target company for a whiteboard session to discuss risks and vulnerabilities, or as complex as a full risk assessment of the target company.

Once this high-level analysis is complete, we will work with the M&A team to identify industry-specific security issues faced by the target company, and can provide a variety of services for understanding and addressing those issues, based on the time available, the amount of information needed, and the overall funds available for this work. Energy companies have NERC-CIP requirements, healthcare companies need to be HIPAA compliant, and anyone who takes and stores credit card information falls under the PCI-DSS requirements of the credit card and banking industry. Each one has specific and expensive security requirements. There are many ways to understand how a target company handles these issues, from early scans and tests all the way to a full audit. The chart below shows a few of these methods, but we have many more at SecureState that we can customize to meet the needs of any M&A team.


M&A professionals seek to acquire companies at prices that reflect both their risk and growth potential, financially and otherwise, then either merge that company with their own assets, or sell that company at a higher price through value creation. Without a true understanding of the security posture of a target company, the risk of cybersecurity issues cannot be reflected in the price of the acquisition, and M&A teams cannot fully trust in the proper return on their investments. Full knowledge of the security posture of the target company is essential for making a better investment.