Deloitte’s sixth annual mergers and acquisitions (M&A) trends report found that 79 percent of organizations predict the number of deals they expect to close in the next 12 months to increase, up from 70 percent last year. While M&A are great ways for companies to grow their market share, increase supply-chain pricing power and increase efficiency; companies can also inadvertently open themselves up to great risk if proper cybersecurity due diligence is not executed.
For example, when Marriott acquired Starwood, Marriott’s lack of due diligence during the M&A process allowed an attacker that had already breached Starwood’s infrastructure to continue to exfiltrate customer data. This led to Marriott being on the hook for the breach even though the risk was already there before the acquisition happened, and resulted in a hefty $123 million fine under GDPR.
Anurag Kahol, CTO at Bitglass discusses with Digital Journal these challenges as well as how companies can properly evaluate the infrastructure affiliated with prior and potential acquisitions, and how they can ensure that the security controls in place are as effective as possible.
Digital Journal: Will there be more mergers and acquisitions activity in 2020 than usual?
Anurag Kahol: According to Deloitte’s 2019 mergers and acquisitions (M&A) trends report, 76 percent of M&A executives working for U.S. corporations predict a rise in the number of deals their company will close over the next year, increasing from just 69 percent in 2018. 87 percent of M&A leaders at U.S.-based private equity firms also expect the number of deals closed to increase next year.
Additionally, the value of the average deal is expected to rise. In fact, 51 percent of respondents expect the total annual dollar value of deals to average between $500 million and $10 billion – compared to just 38 percent last year.
DJ: What advantages does M&A present for businesses?
Kahol: M&As allow corporations to expand their customer bases throughout different geographic markets, diversify their products and services, and even acquire technology. Shire PLC’s acquisition of Baxalta Inc. merged two of the leading biopharmaceutical companies that are focused on treating rare diseases. The deal resulted in Shire becoming the global leader in rare disease research and treatment with a market capitalization of $45.66 billion in 2016 and expectations to expand its global reach and revenues to $20 billion by 2020.
However, some deals do not generate value as expected. This can be because of outside factors such as the economy, market forces, regulations. Some failures could also be because of gaps in integration execution, or the failure of some sales to materialize. For example, Qualcomm terminated its agreement to acquire rival firm NXP Semiconductors for $44 billion in 2018 after the deadline to complete the deal passed without approval from China’s Ministry of Commerce. The deal would have resulted in combined annual revenues of $30 billion with expectations to generate $500 million in annual run-rate cost synergies within two years after the transaction closed.
DJ: What security challenges does M&A also bring?
Kahol:The M&A process is even more complex nowadays due to companies using different cloud providers and services. It is imperative that companies properly evaluate the IT infrastructure affiliated with prior and potential acquisitions in order to safeguard customer, company, and partner data. In the same way, they can ensure the integrity of business-critical systems.
Another factor in play is that companies must be able to merge security infrastructure as well. An example of this is when larger companies leveraging legacy on-prem solutions acquire younger startups that could have been born in the cloud. This can add to the complexity of the M&A process because the two organizations will have different security strategies in place.
DJ: Are there any notable instances of M&A gone wrong in recent times?
Kahol:One of the most notable M&A deals exemplifying cybersecurity due diligence failure is Marriott’s acquisition of Starwood. When Marriott International acquired Starwood Hotels and Resorts Worldwide, Inc. in 2016, it became the largest hotel chain in the world. Besides obtaining a larger presence outside of the U.S., Marriott also created a new loyalty program that would give existing Marriott and Starwood customers access to over 5,500 hotels throughout 100 different countries – an offering intended to demonstrate commitment to customer satisfaction.
Unfortunately, Marriott also demonstrated a lack of due diligence during the M&A process that allowed an attacker that breached Starwood’s infrastructure to remain undetected and continue to exfiltrate Starwood customers’ data. This led to Marriott being on the hook for the breach even though the risk was already there before the acquisition happened, and resulted in a hefty $123 million fine under GDPR.
DJ: How can companies avoid security issues from occurring during the M&A process?
Kahol:With the number of deals that are expected to occur in 2020, it is vital that the participating organizations make security a key component of the M&A process. If companies lack solutions that provide adequate visibility into their own systems as well as those of the companies they are acquiring, we will see similar breaches continue to take place.
Companies can avoid security issues throughout the M&A process by having a comprehensive flexible security solution in place. It is essential that companies obtain visibility into the acquired organization’s systems and identify any anomalous behavior. As an example, if an unauthorized user with administrative access is making requests for data on a database with customer information, the acquiring firm must address that security concern beforehand. Additionally, encryption of data across all applications, data lakes, and beyond can also help protect sensitive data.
Ensuring proactive security and remediating threats before malicious third-parties can exploit them is the key to securing data and avoiding penalties under data-privacy regulations.