There will be more M&A deals in the second half of the year in Asia Pacific.
According to Intralinks, the number of deals in the region is estimated to grow 4% year-on-year in the last two quarters of 2019, led by sectors such as real estate, energy and power, and finance.
While companies made M&A deals to pursue growth, they must be increasingly aware of the impact of cybersecurity issues during their deals, said Nasdaq-listed Forescout Technologies.
Earlier this year, the company surveyed more than 2,700 IT and business decision makers in Singapore, India, the US, France, the UK, Germany, and Australia to examine the concern of cyber risks and the importance of cyber assessment during M&As and the subsequent integration process.
The after-deal regret
After closing the acquisition, 65% of respondents have experienced regrets in making the deal due to cybersecurity concerns, survey results indicate.
“Traditionally, when acquiring a company, M&A due diligence has been focused on aspects such as finance, legal, business, operations, HR and IT, among others,” Yusoff said. “However, in light of recent breaches, it is clear that organisations considering an acquisition could benefit from greater, dedicated cyber evaluation.”
Due to lapses in assessing the target’s cybersecurity posture during the M&A due diligence process, many organisations are not fully aware of the risks they are acquiring as part of the deal, said Wahab Yusoff, Vice President, Asia at Forescout.
“Consequently, they may experience financial losses as a result of cyberattacks or face a breach aimed at the acquisition target, as was the case with the Marriott-Starwood breach that was first reported in late 2018,” he pointed out.
While Marriott announced the completion of the M&A deal in September 2016, two years later, it disclosed in late 2018 a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.
Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sep 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.
M&A security nightmare in Singapore
In Singapore, though 78% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy, as many as 50% of organisations have encountered a critical cybersecurity issue or incident during M&A that put a deal in jeopardy, survey results indicate.
The problem is companies not spending enough time in their reviews.
While many M&A deals face a race to get across the finish line, only 34% of respondents in Singapore strongly agree that their IT team is given adequate time to review a targets’ cybersecurity standards, processes and protocols before completing an acquisition, according to survey results.
When asked what makes organizations most at risk during the IT process, Singaporean respondents identified human error and configuration weakness (63%) and connected devices (59%), Forescout said.
"Devices often get overlooked and missed during integration as 57% of IT decision makers say they find unaccounted devices, including IoT and OT devices, after completing the integration of a new acquisition.
Among Singaporean IT decision makers, only 31% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.
CFOs: How you can avoid the M&A security nightmare
While IT has its own responsibility, this is not purely the IT team's problem.
“CFOs must ensure cybersecurity is a critical part of the M&A and integration process. A little extra time will prove to be invaluable if it protects you from surprises down the road,” Yusoff advised.
The basics include an inventory of all the assets on the network, he said.
“One rogue device can make it easy for an attacker to get in and wreak havoc with financial, regulatory, and brand risk,” Yusoff noted. “It’s only through full visibility of all connected devices on the network that organizations can effectively manage any vulnerable assets and associated security risks.”
And to avoid what happened to Marriott, Yusoff said a thorough assessment of the target’s security posture to gain visibility into what’s on the network is essential.
“This will enable timely action and response that can mitigate cybersecurity and operational risks,” he said. “Furthermore, cyber assessments should made be a major part of the acquisition evaluation process, not only at the point of integration, but throughout the entire acquisition.”