In an effort to avoid ‘buying a breach’ Australian companies are paying more attention to the cyber resilience of the firms they want to acquire, according to new research for Forescout Technologies.
The study, The Role of Cybersecurity in M&A Diligence, surveyed more than 2,700 IT and business decision makers across the United States, France, United Kingdom, Germany, Australia, Singapore and India to examine the growing concern of cyber risks and the importance of cyber assessment during M&A and the subsequent integration process.
The report found cybersecurity risk is a growing concern to both IT and business decision makers during M&A and integration. This finding supports a prediction from Gartner that, by 2022 60 per cent of organisations engaging in M&A activity will consider cybersecurity posture as a critical factor in their due diligence process, up from less than 5 per cent today.
According to the survey, 73 per cent of Australian respondents agree that they are putting more of a focus on a target’s cybersecurity posture than in the past.
And 40 per cent of Australian respondents report that their organisation has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal in jeopardy.
However, just 31 per cent strongly agree that their IT team is given time to review the company’s cybersecurity standards, processes and protocols before their company acquires another company.
The report notes that while contracts can include claw back clauses, once two systems are connected the damage caused by malware has already been done.
The research underscores a growing body of research that cyber security weaknesses hurt company’s financial performance.
61 per cent report that their companies experienced buyers remorse after closing an M&A deal due to cybersecurity concerns. Cybersecurity concerns discovered after a deal is finalised often present costly risks that would have been factored into the deal negotiations and/or may have led to the dissolution of the deal.
For example, Yahoo’s acquisition price was cut by $350 million following disclosure of two enormous security breach disclosures.
“M&A activity can be a game-changing moment in a company’s history, but recent breaches shine the spotlight on cybersecurity issues and make one thing abundantly clear: you don’t just acquire a company, but you also acquire its cybersecurity posture and a potential trojan horse,” said Julie Cullivan, chief technology and people officer, Forescout.
“Cybersecurity assessments need to play a greater role in M&A due diligence to avoid ‘buying a breach.’ It’s nearly impossible to assess every asset before signing a deal, but it’s important to perform cyber due diligence prior to the acquisition and continually throughout the integration process.”