It’s time to put the diligence into your M&A due diligence
March 29, 2016
The headlines resulting from the Target/Fazio Mechanical Services and T-Mobile/Experian breaches have raised the awareness around third-party risks. Unfortunately, awareness doesn’t equal a security control and organizations must make a deliberate effort to pull their heads out of the sand and get better visibility into the risks they face.
Mergers and acquisitions (M&A) risk is a critical subset of broader third-party risk. According to Deloitte, global (M&A) activity reached record-breaking deal values in 2015 at over $4 trillion, with the resulting deals expected to add $1.5 to $1.9 trillion in value to these companies. In 2016, high levels of M&A activity are expected to continue.
While M&A can certainly add value, it can also detract from value as well. In 2011 Hewlett-Packard acquired British software maker Autonomy for $11.1 billion in what could be considered one of the worst corporate deals ever. HP had to write down $8.8 billion as a result of “serious accounting improprieties” that due diligence failed to uncover.
The Autonomy example illustrates the potential financial risks of M&A, but what are the cyber risks of M&A activity? From the exploitation of financial markets, to the theft of intellectual property, the M&A process provides significant opportunities for threat actors. In one public example, US Security and Exchange commission launched an investigation into the criminal activities of a threat actor group identified as FIN4 who was suspected of targeting public companies that provide M&A series including investor relations, legal counsel and investment banking.
In order to gain visibility into M&A risks associated and what you can do about them, you must first understand the M&A process (See Figure 1).
Figure 1: The M&A Process
Due diligence is a discrete stage in the M&A process, but in order to better under stand the risks, diligence must occur during all the stages. Proper due diligence must include having a better understanding of both the acquirer and acquiree’s digital footprints.
Connect with us
Get the Latest Threat Intelligence In Your Inbox
Stay connected with the latest from the Digital Shadows Intelligence TeamSubscribe Here