alphaspirit - Fotolia

Guest Post

4 reasons to involve CISOs in mergers and acquisitions planning

As mergers and acquisitions go virtual due to COVID-19, the C-suite should include CISOs to help identify security risks, expedite cyber processes, review the new threat landscape and more.

Like many things, mergers and acquisitions (M&A) activity shifted from partially to fully virtual out of necessity during the COVID-19 pandemic. In fact, 55% of 1,000 U.S. dealmakers surveyed by Deloitte say virtual deal-making could be their preferred platform post-pandemic. Unfortunately, nearly as many (51%) say cybersecurity threats are their top concern around executing deals virtually.

Whether a deal is done remotely or not, cyber leaders such as CISOs or other key leaders from the security team need to have a seat at the table in the initial phase during due diligence through day one integration of the M&A cycle. We've seen CISO involvement in deals increase in recent years, but it's not the formalized practice at every organization that it needs to be.

CISOs and their teams know the importance of executing various cyber capabilities in order to assess and identify risks while also quantifying potential remediation costs associated with the deal. Insider threat and threat intel, cyber risk assessments, vulnerability or penetration testing are just a few of the tools cyber teams can use to do things like identifying otherwise unidentified data breaches that can negatively impact the brand and deal itself. There is also the other side of the coin where the acquirer may leverage the target's people, processes and technologies in order to create synergies during integration and day one.

Here are four reasons CISOs should be involved in every deal.

1. Cyber due diligence can identify risks and synergies

Performing cyber due diligence can identify areas of concern and overall poor cyber hygiene, which can be indicative of systemic issues that require costly remediations. Conversely, thorough due diligence that includes cyber early on to help identify cyber domain areas where the target (the organization or asset to be purchased by the acquirer) may have a stronger cyber posture and therefore synergies can be achieved when it comes to day one, post-merger integration.

Cyber due diligence beyond a risk assessment can and should stem across other capabilities. Steps can be taken to identify things like chatter on the dark web about the target, potential insider threats, whether user credentials are up for sale, digital identity challenges and other suspicious activity, all of which can help to focus broader due diligence efforts. Further, findings from early cyber due diligence can help define the top 10 questions to be asked by the acquirer's security organization of the target organization's leadership.

2. M&A playbooks for cyber can help expedite and formalize processes

CISOs at organizations involved in many deals per year should have a cyber M&A playbook that they follow and hone over time to help reduce ad hoc and deal-specific project planning time and increase the speed and reliability of the company's overall cyber due diligence processes.

Cyber M&A playbooks typically offer high-level timelines and milestones that are flexible enough to recognize variable deal complexity. They also list a core team of cyber subject matter experts and the cyber capabilities that will be executed for each deal. This approach helps with institutional knowledge transfer and quick resource identification when deal activity needs to occur quickly and efficiently. As an example, the cyber M&A playbook for integration would contain the organization's measures of readiness -- ready checkpoints (RCP) in order to avoid surprises and maintain business continuity. Like all playbooks, the RCP needs to be pressure-tested and shown to be effective in order to effectively enable day one readiness.

3. Deal valuations and structures can be altered by cyber team findings

The valuation of the deal should accurately reflect the cyber health and potential risks of the target's environment that the acquirer is about to inherit, especially when it comes to lack of compliance around data protection and the potential for associated fines. Intelligence from cyber teams can help CISOs address the materiality of actual cyber risk detected, as others involved in the deal could underplay or overstate. When true cyber risk is found, CISOs can account for the sometimes very significant cybersecurity remediation costs that other executives likely wouldn't know how to identify and quantify -- and that can offer negotiating power in areas like deal valuation.

4. Threat landscapes are more expansive and complex than ever before

COVID-19 disruption has slowed a lot of things for most organizations, but deal volume and cyber threats were not among them. Ignoring the environment and neglecting to frequently update cyber analyses of potential deal participants is shortsighted, as later discovered cyber risks and liabilities could demand costly remediation for years to come and potential brand and reputational impacts.

With cyber team workloads surpassing the untenable and teams stretched thin, many organizations are turning to more "cyber intelligent" approaches embedded with tech enablers like automation, artificial intelligence, machine learning and behavioral analytics to help bolster cyber due diligence for M&A. Just as these tools help cyber teams move more quickly, cover more ground and focus on higher-level work in other areas, they offer similar benefits for M&A activity.

Security must factor into M&A

Cyber has always been crucial to M&A, but too often played a secondary role to financial, operational and legal considerations. As 60% of dealmakers surveyed stated they are actively pursuing new transactions, it's crucial for CISOs to have a seat at the M&A table -- not only due to their ability to assess and manage risk but also as a support to deal valuation and post-merger integration strategy. CISOs and the rest of the cyber team can help reassure buyers that a target company and its data assets -- from intellectual property to personally identifiable information -- are well-protected, well-managed and truly worth the asking price.

About the authors
Jaime Fox is a Deloitte Risk & Financial Advisory principal in cyber and strategic risk, Deloitte & Touche LLP.

Deborah Golden is the Deloitte Risk & Financial Advisory US cyber & strategic risk leader, Deloitte & Touche LLP.

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG