Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties.
In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.
But some evidence suggests an area of third-party relationships where security still lags is mergers and acquisitions (M&A).
In a survey of “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”
That could be costly – very costly.
If a company’s value is largely based on its intellectual property or other proprietary information like customer data, and that information has been compromised through a breach, it could be in the hands of competitors, and therefore lose much of its value.
Also, if either company involved in a merger or acquisition has been breached, it is much easier for attackers to penetrate both companies, which could have catastrophic effects on the value of both.
And based on the activity in the sector, M&As offer a large attack surface for enterprising cyber criminals. A recent blog post by the security company FireEye noted that, “in the U.S., just during April and May there were almost 2,000 M&A events, while in Asia Pacific, M&A activity reached a record $367.7 billion during the first six months of 2015.”
All of which raises the obvious question: Why isn’t M&A due diligence focusing on the cyber security posture or history of companies just as much as their financials or market share, since both could be affected by a breach?
According to those in the field, the problem is being addressed, although substantial weaknesses remain, and it will likely take time for the smaller players to catch up.
“I think it is now on people’s radar, whereas before it may have been an afterthought,” said Scott Koller, counsel at the law firm BakerHostetler. “The problem is that it is not taken as seriously as it should be, or there is an under-appreciation of the risk.”
He said it is easy to adopt the so-called “check-box” mentality when evaluating the security posture of a company, as in: “Do you have a firewall? (check). Do you have anti-virus? (check).