
DealTech: M&A professionals need to consider cybersecurity risks

M&A professionals need to consider cybersecurity risks as they execute deals, according to experts speaking at Mergermarket's Global M&A Conversation.

There are risks to M&A deals as due diligence involves the sharing of confidential information, Mari Nygård, Head of Virtual Data Rooms (VDRs) at Admincontrol, told the Protecting a Deal panel. 

In the world of cybersecurity, the threat landscape is moving and evolving at a very fast pace, said Jason Richards, Hg Head of Portfolio Technology and Cybersecurity. Organized crime gangs are emerging and operating along the lines of a modern-day business and they hire business experts, not just technicians, to find out what is important at a company, he added.

The most recent World Economic Forum Global Risk Report included cybersecurity in the list of top 10 risks by likelihood, Richards said.

Cyber-criminals are becoming increasingly professional and wait for the ideal time to attack, for example after a target is acquired by a large company, said Nygård. When a seller is preparing for an M&A deal, cybersecurity measures that could affect the value of the company need to be taken into account, she added.

These criminals are sophisticated organized crime gangs that do a lot of research and analysis, looking at social media and press reports to build an effective picture of the target company, Richards said. They quietly gather information and work out what is valuable and impactful and build up intelligence to see what hurts the most, he added. 

Criminals then extract information and may choose to initiate a ransomware attack, said Richards. There is an increasing pattern of double extortion: seeking to receive a ransom payment for unencrypting devices and to prevent the release of the exfiltrated data that will hurt business, he said.

Ransomware demands have grown to the millions, with some industry examples in the tens of millions, Richards said. 

M&A professionals need to be mindful of what they are collecting and storing and how well protected it is, said Richards. Building cyber diligence into the M&A process is important as it is a critical business risk, he added. Previous organization breaches, current level of maturity/posture and latent attacker threats are risks to consider, he noted. 

An M&A process moves fast and even though sometimes there’s little time to set off a request for proposal (RFP), care needs to be taken in who handles VDRs, said Nygård. In addition to elements such as ISO certification and GDPR compliance, the data room that is set up needs to facilitate a secure digital process, she said. Multi-factor authentication and communicating within the platform instead of outside should be considered, she added.

The biggest risk is lack of awareness, said Nygård, who added that there needs to be constant training on the risks. 

In an M&A process, an acquiring company puts a lot of time and effort into the deal and wants to avoid surprises, said Richards. It’s like a suit of armour, which is only as good as its weakest link, he added. In addition to ransomware, extortion and IP theft are examples of other risks, he said.

It’s too much to ask individuals to figure out cybersecurity on their own, said Nygård, who urged M&A practitioners to talk to experts to identify risks and provide solutions. In an M&A process, dealmakers should empower their team to make secure decisions, she concluded.

Watch the full panel discussion.
