Global mergers and acquisitions (M&A) activity reached record-breaking deal values in 2015 at over $5 trillion. Whilst these vast sums excite shareholders, they also attract cyber criminals who sense an opportunity via inherent weaknesses in the M&A process.
In much the same way that insider trading can (if undetected) yield huge returns for the perpetrator, cyber criminals can similarly capitalise by gaining access to sensitive market information.
And firms going through M&A are arguably at their weakest from a security perspective with disruption to their ‘business as usual’ processes.
Cyber criminals thrive on this disruption and there are anecdotal cases where the M&A process is thought to have been targeted.
In December 2015, the FBI warned that a criminal group, ‘FIN4’, was seeking to facilitate securities fraud. A few months before that, FIN4 was implicated in the attempted infiltration of 100 publicly traded companies or advisory firms that provide M&A services such as investor relations, legal counsel and investment banking.
Also in 2015, the Marriott Corporation announced that it was to acquire the Starwood Hotels Group. Just four days later, Starwood released a statement that it had been the victim of a malware breach. Third-party assessment of this acquisition questioned whether the Marriott Corporation had sufficiently examined the M&A process as a potential source of risk.
Why are firms at particular risk during the M&A process?
Put simply, the M&A process is a perfect storm of high potential reward for criminals combined with more opportunities for them to exploit it.
Both the potential buyer and the seller are potential targets – in effect doubling the potential weak links in the chain.
Companies that (rightly) normally keep their most confidential information to a handful of trusted confidants suddenly find it needs to be shared with a host of lawyers, consultants and other third parties as part of due diligence – increasing the risk of it ending up in the wrong hands.
The insider risk is heightened too: employees who could be subject to undesirable change may become disaffected and open to criminal overtures.
So what can firms do about this?
It’s critical that the parties involved look at themselves through the eyes of an attacker and seek to understand the threats that tend to occur at the various stages of the M&A process.
Security must be a forethought, not an afterthought. Throughout the discussions, and before plugging in the network cable or allowing the two networks to connect, organisations must be sure to understand what’s on the other side, and what risks it could present.