Unpleasant discoveries: Cybersecurity vulnerabilities uncovered

It’s every acquirer’s worst nightmare: you’ve spent countless hours vetting an M&A target, and after the deal goes through, you catch something. West Monroe Partners surveyed top-level corporate executives and private equity partners about their companies’ practices in order to better understand the state of cybersecurity diligence for M&A. The results provide a window into the trends that shape the diligence process, as well as insights into the ways it can be improved.

The company you acquired had data security vulnerabilities that no one spotted during due diligence. It's more common than you think, according to our survey results: 40% of respondents said they had discovered a problem after a deal went through.

Undisclosed data breaches, inadequate security frameworks and vulnerable cloud storage were among the issues found by respondents after concluding deals. In the case of one acquisition, a managing director at a media and communications-oriented PE firm said they uncovered extensive problems after the purchase. “There was a data security problem at one past target related to the number of users involved in handling data,” the PE managing director said. “We conducted an investigation and found that data had been exposed to intrusions by insiders as well as outsiders. There was no proper security framework adopted by the acquired company and they lacked a dedicated security system.”

Another respondent, a CFO at a B2B software firm, said that undiscovered cybersecurity problems at an acquired company “cost [them] heavily.” He said they had to spend a “fairly high amount of capital” to rectify the situation.

The costs associated with security issues found post-deal can extend beyond the resources needed to fix them; legal liabilities can enter the picture as well. In 2010, Disney bought a company called Playdom, a developer of online social network games, for US$563m. After the deal went through, the FTC alleged that Playdom had broken privacy protection rules for children and Disney ended up paying a US$3m settlement over the case.

Integrating data The priorities of cybersecurity diligence depend in part on a company’s integration plan for the target. In the case of a technology company making a data-centric acquisition – for example, IBM buying data firms to improve its Watson artificial intelligence product – the new information will need to be closely integrated. On the other hand, healthcare companies buying sensitive medical data may want to limit their potential liability by keeping a firm’s data outside their own system.

In many cases, the situation is not so black-and-white. A majority of our survey respondents (56%) said they prefer a combination of securely integrating select data from the acquired firm while keeping some isolated at the target. Thirty-seven percent said they preferred to integrate the new data securely into their own system, while 7% said they tended to leave it separate.

Many respondents said they brought data from acquired firms into their own systems in order to assess it properly, both in terms of value to the company and security vulnerabilities. “Our preferred method for treating the data acquired from a target firm is to securely integrate it into our systems and study the operations, standards and parameters of it,” said a large cap healthcare provider. “This gives us an exact picture of the drawbacks in the data security, which in turn helps us prioritize future requirements.”

One respondent, the director of M&A at a major technology company, said they customize their approach to data integration for each individual case. “Our preferred method of data integration highly depends on the nature of the deal,” he said. “In most cases, we prefer integrating data from the acquired company within our own data warehouse. This gives us the advantage of securing the acquired data in our own security environment and helps us to reduce redundancies and save on data storage costs.”

Where to start? It all starts in the diligence phase.  Cybersecurity diligence is no longer optional.  The potential risks and associated costs of a breach are too high.  An undiscovered breach may have already occurred at the target company.  Data security needs to be a major component of your due diligence review process.  The need goes beyond a sophisticated IT diligence.

And, it continues post close.  Appropriately established security frameworks and dedicated security systems must be in place.  Remember that good governance trumps security tools.  Perhaps the most important aspect of effective governance is ongoing review and renewal, since best practices evolve quickly as technology changes and hackers seek to exploit open loopholes.