Last month, a data breach at a Philadelphia-based health group gave hackers access to the files of 300,000 patients, exposing private data including names, addresses and even Social Security numbers. The breached health group had recently completed a merger – and while the exact type of system failure that allowed this cyberattack to occur cannot be identified, the incident does shed light on a potential liability that is often overlooked during mergers and acquisitions (M&A). As the growing threat of cyberattacks and the aftermath of successful breaches continue to play out for organizations across the U.S., cyber risk is becoming an increasingly important consideration for businesses to examine prior to executing a merger or acquisition.
In 2016, the global M&A market reached volumes of $39 trillion – the third highest year on record, with comparable levels predicted throughout 2017, according to a report by J.P. Morgan. While M&A contracts are executed by companies across many verticals under a variety of circumstances, the goal is typically the same – to increase strength and resources and ultimately improve profitability. To ensure the long-term success of the transaction, organizations now need to consider the potential cyber concerns associated with the acquired company and identify solutions to reduce that risk as part of the M&A due diligence process.
As the number of M&A transactions continues to increase in volume and complexity, an organization acquiring another entity will first need to assess the target entity’s information security programs to ensure proper and sufficient precautions are in place. This is especially important because if the acquired organization has sub-standard safeguards, the acquiring company is at greater risk of being successfully hacked.
Unfortunately, when one enterprise is in the process of acquiring another, the acquired organization could already have unknowingly been breached, setting the acquiring company up for a significant exposure once the target company is acquired. In 2017, the Ponemon Institute’s Cost of Data Breach Study found that the average cost of a data breach was $7.35 million. Therefore, this is an especially important consideration during an acquisition, as the damages resulting from a breach are inherited by the acquiring organization, which could result in significant expenditures.
In addition to evaluating potentially unidentified cyber exposures, organizations need to consider how their cyber risks will evolve. The acquiring company should first assess both the amount and the type of data being acquired. For instance, if the acquired organization frequently handles credit card information, the acquiring company will need to confirm that it is able to properly protect this specific type of data and is compliant with applicable Federal and State regulations. Because regulatory standards are determined by industry as well as by Federal and State requirements, the acquired company could also be held to different standards than the acquiring company.
When acquiring an organization, it is crucial to take steps to improve cybersecurity measures, as the likelihood of a breach increases as the total cyber footprint expands. Businesses should first develop and implement a thorough plan based on appropriate Federal and State requirements to assess the risks associated with the acquisition. In addition to performing both vulnerability and penetration testing of the new network, a third-party security firm should be brought on to inspect the network for potential threats and for bad actors that may have already breached the acquired company’s systems.
Next, all employees should be regularly trained to recognize common threats like social engineering fraud and phishing schemes. According to an IBM Security report, 60 percent of cyberattacks in 2015 resulted from within the organization. Email-borne threats against employees are the easiest way for hackers to breach an organization, and therefore represent the greatest risk. It is critically important that staff are trained to identify and report suspicious emails.
Finally, organization executives should work closely with their insurance broker to ensure all cyber threats are properly analyzed and adequate coverage is in place should a costly breach occur. Appropriate coverage not only provides protection when a breach occurs, but can also provide front-end resources to lessen exposures and help prevent a breach from occurring. As cybersecurity continues to grow as a business risk, vigilant brokers can help executives stay informed about the latest industry developments and protections, providing them with peace of mind that their business is secure.