Merger and acquisition (M&A) activity hit a record high in 2021 of more than $5 trillion in global volume. While the market has certainly slowed this year, it remains on par with pre-pandemic levels — quite a feat at a time of business uncertainty and inflation. But when it comes to corporate deal-making, risk lurks around every corner. The potential for overpaying, miscalculating synergies and missing potentially serious deficiencies in a target company is high.
With so much at stake, information is power. But while plenty of focus is centered on gathering financials, reviewing contracts, picking through insurance details and more, insight into IT risk may be harder to come by. Acquiring organizations need a rapid, accurate way to assess and map all of the endpoint assets in a target company, and then work quickly post-completion to assess and manage cyber risk.
The need for visibility
M&A deal volume may have fallen 12% year on year in early 2022, but the market remains bullish, driven by cash-rich private equity firms that are sitting on trillions of dollars, according to McKinsey. Still, security and IT operations are a growing concern for those with money to spend. It’s extremely rare for both sides of a deal to have similar standards for cybersecurity, asset management and key IT policies. That disconnect can cause major problems down the road.
Due diligence is therefore a critical step; enabling acquiring firms to spot potential opportunities for cost savings and synergies, whilst also understanding how risky a purchase a company may be. It benefits both sides. If an acquirer is unable to gain assurances around risk levels, they could theoretically call a deal off, or lower the offered acquisition price. Should they press on regardless, the organization may experience significant unforeseen problems trying to merge IT systems. Or it might unwittingly take on risk that erodes deal value over time – such as an undiscovered security breach that leads to customer class action suits, regulatory fines and reputational damage.
These concerns are far from theoretical. After the discovery of historic data breaches at Yahoo, Verizon’s purchase price of the internet pioneer was adjusted down by $350m, or around 7% of deal size, back in 2017. Marriott International was not so lucky when it bought hotel giant Starwood. It wasn’t until September 2018, two years after the acquisition and four years after the initial security breach, that an unauthorized intrusion was finally discovered. The breach turned out to be one of the biggest to date, impacting over 380 million customers, and led to an £18.4m ($21m) fine from the UK’s data protection regulator.
Getting due diligence right
In an ideal world, CIOs would be involved in M&A activity from the very start, asking the right questions and providing counsel to the CEO and senior leadership team on whether to proceed with a target. However, the truth is that this isn’t always the case. Such is the secrecy of deal-making that negotiations are usually limited to a small handful of executives, leaving some bosses on the outside.
The best way CIOs can rectify this is to proactively educate senior executives about the importance of information security due diligence during M&A. If they succeed in embedding a security-by-design culture at the very top of the organization, those executives should be able to ask the right questions of targeted companies, to judge their level of risk exposure early on. They may even be inclined to invite the CIO in to help.
For most organizations, however, the first critical point at which due diligence can be applied is after an acquisition has been announced. This is where the acquiring company must gather as much information as possible to better understand risk levels and opportunities for cost reduction and efficiencies. SOC 2 compliance would make things run much smoother, providing useful insight into the level of security maturity at an acquired firm. But more likely than not, the acquiring company’s CIO will need to rely on their own processes.
Visibility is everything. They need accurate, current data on every single endpoint in the corporate environment, plus granular detail on what software is running on each asset and where there are unpatched vulnerabilities and misconfigurations. That’s easier said than done, and most current tools on the market struggle to provide answers to these questions across the virtual machines, containers, cloud servers, home working laptops and office-based equipment that run the modern enterprise. Even if they are able to provide full coverage, these tools may take days or weeks to deliver results, by which time the information is out of date.
Managing post-deal risk
The second opportunity for the CIO is once contracts are signed. Now it’s time to use a unified endpoint management platform to deliver a fast, accurate risk assessment of the acquired company’s IT environment. By inventorying all hardware and software assets, they can develop a machine and license consolidation strategy, eliminating redundant or duplicated software. The same tools should also enable CIOs to distribute new applications to the acquired company, scan for unmanaged endpoints, find and remediate any problems, and enhance IT hygiene across the board.
M&A is a high-risk, high-pressure world. By prioritizing endpoint visibility and control at every stage of a deal, organizations stand the best chance of preserving business value, reducing cyber risk and optimizing ROI.
Learn more about how Tanium can help manage risk and increase business value during mergers and acquisitions.
Risk Management