Banking and Finance | Issue 03 - 2022 | Magazine

The resource-intensive process called M&A

Nearly 60% of purchasing organisations do not presently use cybersecurity exposure assessments

Despite the increasing economic challenges brought on by inflation and international political unrest, mergers and acquisitions (M&As) in the financial services sector keep growing. The number of M&A transactions in the banking industry increased by 89% in 2021, with an average deal value of USD 693 million.

M&As are generally complex and resource-intensive processes. The two companies’ activities are combined, as are their finances, assets, human resources, and compliance frameworks. Evaluating and integrating these factors can be tricky when they are digitally connected.

It’s critical to realise that different financial institutions operate inside very different IT ecosystems. Their size, markets, product or service offerings, and budgets often have a significant impact on the solutions, tools, and network infrastructures they use. Without a thorough analysis of these unique IT infrastructures, an M&A may expose both businesses to higher security risks.

What are these dangers, and how do businesses fail to conduct adequate cyber due diligence before an M&A?

The two factors most likely contributing to security concerns in an M&A project are complexity and lack of visibility. Integrating various IT systems can make managing network security more difficult without clearly defined policies and procedures. What personnel, for instance, have access to resources across multiple systems? What is the process for cross-platform communication? And how will resources be distributed concurrently among the many systems of the combined organisations?

Databases and network systems that are isolated or poorly linked can also leave holes for threat actors to exploit, leading to sophisticated cyber-attacks and security lapses.

During the M&A process, there is also a considerable danger of inheriting a data breach. As a result, current M&A projects now routinely include a cybersecurity evaluation. However, it is frequently limited to internal network components. For instance, financial organisations might assess a firm’s internal security policies and procedures, but they often overlook the possibility of vulnerabilities outside the firm’s guarded network perimeter.

Even with the best security measures and tools, organisations likely already have vulnerabilities in their attack surface that might lead to data leaks or stolen passwords. Attack surfaces are exposed, and data leaks don’t always occur for nefarious reasons. Almost 88% of all data breaches are the result of employee error.

Therefore, if organisations don’t assess the external threats, they risk stepping into a data breach that has already occurred and is simply waiting for a threat actor to exploit it. In reality, threat actors approach these entry points from the outside, so assessing from the outside is the best method for evaluating a company’s level of risk exposure across its external attack surface.

Due diligence is crucial

According to Gartner, nearly 60% of purchasing organisations do not presently use cybersecurity exposure assessments. This is problematic because businesses exchange significant assets and data before and during an acquisition. As a result, the acquired company’s exposed data and open attack surface will invariably expose the acquiring corporation to more danger.

Organisations need a thorough and current understanding of the target company’s security posture for an M&A deal to be successful. Firms need to be aware of the real risks related to the company being bought; simply knowing what tools and technologies are in use is insufficient.

Acquiring organisations should implement sophisticated due diligence frameworks. For example, they should use assessment tools that offer recommendations for improvement in addition to a rating based on security policies and procedures and a landscape picture of present risk exposures. It’s also crucial to evaluate how the target company’s security posture stacks up against that of other financial sector companies.

What standard procedure does your company follow when a security breach occurs? What happens after the danger is identified? How do you conduct security testing at your company?

If answering these questions is difficult, you must strengthen your security posture.

How secure are you, and why does that matter?

It has been said that your security posture measures your organisation’s cybersecurity practices and level of preparedness for an attack.

Solid security procedures protect your organisation and its apps from attacks and vulnerabilities. In a world where bad actors can continually compromise critical data, IT teams and practitioners must prioritise improving their security posture.

Finding out how secure you are

Your firm’s level of risk directly relates to how robust your security posture is. The danger you encounter decreases when you strengthen your security posture to make it the best it can be. The moment you take measures to examine the condition of your company’s security posture, you can start addressing the issues found and lowering the risk. Assessing your security posture first tells you what is wrong, which enables you to take the necessary steps to remedy it.

Many security tools include evaluations and questionnaires to assist firms in determining their security posture. These assessments help gauge the degree of risk and weakness your assets are exposed to, allowing you to rank changes by their seriousness. Some changes and modifications to security procedures will affect your security posture more than others, so it’s crucial to focus on those first.

How to strengthen your security stance?

Make a security analysis

The first step in enhancing security posture should always be a risk assessment because it gives you a comprehensive understanding of the security situation at your company. Completing a cybersecurity risk assessment helps find all potential vulnerabilities across all assets. A risk assessment reveals your company’s most crucial IT assets, the likelihood of an exploit, the possible consequences of a data breach, and other information. You must go through this exercise to understand the worth of the information in the event of a breach. Security technologies can perform this assessment for you, but an internal security team can also conduct it.

Have a plan for handling incidents

To be proactive about your firm’s security, you must have an incident management plan. Without one, IT staff will be disoriented when a security breach happens and won’t know where to begin. Developing a set of actions to perform once a breach is discovered shortens the time it takes to remediate in the future. A clear understanding of which teams will handle specific tasks during such an event will improve communication and teamwork. Over time, you will strengthen your incident management plan by conducting a test breach to evaluate its efficacy.

In order of importance for business

After identifying the risks and vulnerabilities your company is exposed to, the next stage is patching and remediating. Prioritising the threats that will impact your business can help you save time and money. Knowing how these risks and vulnerabilities will affect essential apps also helps in setting priorities. Once you’ve mastered this procedure, you can begin implementing fixes and allocate your time and resources more effectively.

Adopt a DevSecOps strategy

Delaying security audits until the end of the quarter gives plenty of time for attacks and breaches. However, you can incorporate security into routine application monitoring by putting a security testing mechanism in place.

Static application security testing (SAST) looks at your code to find weaknesses. Dynamic application security testing (DAST) helps administrators find holes and vulnerabilities by placing them in the attacker’s shoes. SAST and DAST are combined in interactive application security testing (IAST), which uses software instrumentation (either active or passive) to monitor the application as it runs. Runtime application self-protection (RASP) uses real-time app data to identify and stop threats as they happen.
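To make the SAST category concrete, here is a minimal static check built on Python’s `ast` module. It is an added illustration, not code from the magazine or from any of the tools it mentions; the three rules (hardcoded secrets, `shell=True` in subprocess calls, and `eval`/`exec`) and the sample module it scans are constructed for the example.

```python
"""Minimal static application security testing (SAST) check built on
Python's ast module. Constructed example: the rule set and the sample
source below are illustrative, not a real scanner's rules."""
import ast

# Variable names whose string-literal assignments suggest a hardcoded credential
SECRET_NAME_HINTS = ("password", "passwd", "secret", "token", "api_key")
# Builtins that evaluate arbitrary strings as code
DANGEROUS_BUILTINS = {"eval", "exec"}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def scan_source(source: str):
    """Return sorted (line, rule_id, message) tuples, one per finding."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_BUILTINS:
                findings.append((node.lineno, "CODE_EVAL",
                                 f"call to {name}() evaluates a string as code"))
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                            and kw.value.value is True):
                        findings.append((node.lineno, "SHELL_TRUE",
                                         f"{name} called with shell=True"))
        elif isinstance(node, ast.Assign):
            # Flag password = "literal", but not password = os.environ.get(...)
            if (isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str)
                    and node.value.value):
                for target in node.targets:
                    if isinstance(target, ast.Name) and any(
                            hint in target.id.lower() for hint in SECRET_NAME_HINTS):
                        findings.append((node.lineno, "HARDCODED_SECRET",
                                         f"string literal assigned to {target.id}"))
    return sorted(findings)


# Constructed sample module under review (not real application code)
SAMPLE_SOURCE = '''\
import os
import subprocess

DB_PASSWORD = "hunter2"
user_token = os.environ.get("API_TOKEN")

def run_report(name):
    subprocess.run("gen_report " + name, shell=True)

def compute(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for line, rule, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: [{rule}] {msg}")
```

Run as a script, it reports the hardcoded password on line 4, the `shell=True` call on line 8 and the `eval` on line 11 of the sample, while the token read from the environment on line 5 passes. A real SAST tool applies hundreds of such rules and tracks data flow between them; the point here is that all of this happens against source, before anything is deployed.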

Dismantle silos

Siloed IT teams put organisations at greater risk since they can’t interact appropriately with one another in the case of an attack. All groups benefit from developing a collaborative culture as they learn how they are interconnected and how a breach impacts each team. Teams need to interact to understand how working together can help handle security concerns quickly and effectively, rather than pointing fingers after data is compromised. Moving to a DevSecOps philosophy, where security is considered from the start of software development, helps to promote effective team communication and strengthen a collaborative culture.

Automated threat identification and response

Modern applications handle so much data that it is practically impossible for administrators to stay on top of all potential hazards. Relying only on the admin leaves many opportunities for human mistakes and security weaknesses. For app security to remain proactive rather than reactive, it is essential to incorporate technology that helps automate threat detection. By integrating security into the application itself, RASP automates the threat detection process so that the app can detect risks on its own and take appropriate action.
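The following added example sketches the RASP idea described above: a guard that lives inside the application and checks arguments at call time, logging and refusing bad input before the protected function body runs. It is illustrative code written for this article, not from the magazine or from any RASP product; the decorator name, the regular-expression rule format, the in-memory audit list and the `fetch_statement` sample function are all assumptions.

```python
"""Tiny runtime application self-protection (RASP) style guard.
Constructed example: the guard wraps application functions so that input
checks run inside the app at call time, independent of any perimeter
control. The rule format and the sample function are assumptions."""
import functools
import re

# In-memory audit trail of blocked calls; a real deployment would forward
# these events to a SIEM rather than keep them in a list.
BLOCKED_EVENTS = []


class BlockedCall(Exception):
    """Raised when a call violates the guard's policy."""


def runtime_guard(**rules):
    """Decorate a function so that each named argument must fully match
    the given regular expression; a violation is recorded and the call is
    refused before the wrapped function body executes."""
    compiled = {name: re.compile(pattern) for name, pattern in rules.items()}

    def decorator(func):
        # Positional parameter names, so positional and keyword calls are treated alike
        param_names = func.__code__.co_varnames[:func.__code__.co_argcount]

        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            bound = dict(zip(param_names, args))
            bound.update(kwargs)
            for name, regex in compiled.items():
                value = bound.get(name)
                if not isinstance(value, str) or regex.fullmatch(value) is None:
                    BLOCKED_EVENTS.append({
                        "function": func.__name__,
                        "argument": name,
                        "value": repr(value),
                    })
                    raise BlockedCall(f"{func.__name__}: rejected value for {name}")
            return func(*args, **kwargs)
        return wrapper
    return decorator


# Constructed sample "application" function protected by the guard:
# an account id is two capital letters followed by six digits.
@runtime_guard(account_id=r"[A-Z]{2}[0-9]{6}")
def fetch_statement(account_id):
    # Stand-in for a database lookup; the guard has already validated the input.
    return f"statement for {account_id}"


def exercise_guard():
    """Call the protected function with one valid and three malformed ids
    (constructed inputs) and return the (allowed, blocked) counts."""
    allowed = 0
    blocked = 0
    for candidate in ["GB123456", "gb123456", "GB123456'--", ""]:
        try:
            fetch_statement(candidate)
            allowed += 1
        except BlockedCall:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    print("allowed/blocked:", exercise_guard())
    for event in BLOCKED_EVENTS:
        print("blocked:", event)
```

Because the check is attached to the function rather than to a network device, it still applies when the function is reached through a new integration path, for example an API exposed to a freshly acquired entity’s systems. The audit events are what a detection team would want shipped onward: function, argument and the rejected value.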

Update frequently as necessary

To maintain a solid security posture, you cannot allow your security processes and tools to become stale; they must be continually updated and improved for the best outcomes. Because of this, security teams should be ready to make changes and adjustments often to keep up with new security technology and threats. In addition, IT and security teams should schedule these updates and reevaluations to ensure that bad actors can’t take advantage of out-of-date technologies.

By improving your company’s security posture, you can be sure that security won’t be neglected or treated as an afterthought. Whether the related risk is high or low, keeping cybersecurity in mind when integrating innovations into your applications will offer a layer of defence against threats and breaches.

What lies ahead?

As per a report from Deloitte, M&A activities, which witnessed a decline during the COVID period, will witness a strong revival from the 2022-23 financial year onwards. However, the narratives around threat actors and cyber security will play crucial roles in major deals, since any breach on the data security front can negatively influence market dynamics, competition, shareholder interest, business partners, etc.

While technology plays an important role in enabling M&A integration and driving the new business operating models, it is also very much vulnerable to cyber attacks, and any such incident can slow down the company’s acquisition process.

The report also spoke in detail about the serious implications of not conducting thorough diligence and a tech audit before pulling off M&A deals, citing the 2017 example of an American telecommunications firm’s not-so-successful deal with a web services provider. The acquisition pact resulted in a whopping USD 350 million wipeout. The web services provider faced a data breach that compromised more than 1 billion customer accounts.

In April 2020, another pending merger deal had 5% of its total purchase price set aside to cover the potential fallout of a ransomware attack.

As per a Forescout survey report, 53% of the respondents stated that their organisations went through critical cyber security issues during the M&A process, thereby affecting the deals severely.

The Deloitte report, while acknowledging the disruptive nature of the technology assisting companies to evolve into new business models and upgrade their traditional business operations, also suggested that corporate leadership must be vigilant in identifying dormant threats in the acquired infrastructure and implement effective mechanisms for mitigating them. Vulnerabilities should also be identified as early as possible, reducing the attack surface before they can harm the acquiring company.

The report also identified two more areas of concern haunting the M&A process. While IT resources are overburdened running a smooth integration between the entities, the IT change gap stretches over extended periods, giving threat actors the chance to carry out significant damage.

While the acquiring and the target companies both have critical data in their repositories, the acquiring business must determine the cybersecurity posture of the target company to mitigate the risk of a data breach.

Then there are issues like a lack of cybersecurity artefacts, documentation and evidence, which pose a challenge during diligence checks before the M&A deal. This problem has been evident with small and medium-sized organisations (SMEs). At times, the acquiring business has to rely on the limited information available about the target company’s cyber landscape to make its decision.

Even after the M&A deal is done, acquisition risk exposure remains high during the transition phase for both organisations involved, because of the open networks that may be needed to support integration activities.

Sometimes, companies prefer full hybrid integration, but this too becomes challenging when trying to integrate new disruptive technologies with legacy ones. In this case, the main roadblock comes in the form of a difference in the infrastructure, which might also pose incompatibility and scalability challenges when integrating the applications and systems.

Even after acquirers conduct a questionnaire survey and penetration testing to understand the target company’s risks and issues, the methods only provide a snapshot in time and do not reveal any historical background.

During integration, unclear roles and responsibilities, disgruntled employees, modifications in the operating model, language barriers, and changes in location also become a challenge.

Some scary statistics

At the enterprise level, the tally of cyber security incidents and hacking attacks has been growing since 2021. As per a Forbes report, recent numbers of such incidents are somewhere around 500 million (at the global level). In 2021, out of the total number of entities attacked, 16% were hacked once, but 60% were hacked more than two times. In September 2022 alone, hackers successfully gained access to and compromised 35 million files, targeting companies’ “crown jewels” or crucial data like flagship assets and other highly sensitive files.

Breaches caused by ransomware have increased both in number (by 41% in 2022 alone) and in cost. After these breaches, the attackers are requesting a hefty amount of money in exchange for a company’s stolen assets, files, data, or systems. Over USD 800,000 were paid by businesses per attack in 2021. The same number was closer to USD 500 in 2016. The total cost to companies for the entire recovery effort is now averaging USD 1.4 million. Small businesses have also been significantly impacted, as some 43% of these data thefts involve these MSMEs, leading 60% of these businesses to file for bankruptcy within six months of the attack.

Cybercrime is now expected to amount to 1-2% of global GDP (USD 1-2 trillion), and it will grow further.

Mark Warner, head of the U.S. Select Committee on Intelligence, has said that the United States loses some USD 600 billion annually to intellectual property theft. It is becoming more difficult to safeguard an enterprise from ransomware attacks, and business leaders need to take note of that. It’s high time they made cyber security the top priority when pulling off M&A deals.
