Why M&A activity leaves companies vulnerable to cyber criminals
Global merger and acquisitions (M&A) activity reached record-breaking deal values in 2015 at over $5 trillion. Whilst these vast sums excite shareholders, they also attract cyber criminals who sense an opportunity via inherent weaknesses in the M&A process.
In much the same way that insider trading can (if undetected) yield huge returns for the perpetrator, cyber criminals can similarly capitalise by gaining access to sensitive market information.
And firms going through M&A are arguably at their weakest from a security perspective with disruption to their ‘business as usual’ processes.
Cyber criminals thrive on this disruption and there are anecdotal cases where the M&A process is thought to have been targeted.
In December 2015, the FBI warned that a criminal group, ‘FIN4’, was seeking to facilitate securities fraud. A few months before that, FIN4 was implicated in the attempted infiltration of 100 publicly traded companies or advisory firms that provide M&A services such as investor relations, legal counsel and investment banking.
Also in 2015, the Marriott Corporation announced that it was to acquire the Starwood Hotels Group. Just four days later, Starwood released a statement that it had been the victim of a malware breach. Third-party assessment of this acquisition questioned whether the Marriott Corporation had sufficiently probed the M&A process as a potential threat risk.
Why are firms at particular risk during the M&A process?
Put simply, the M&A process is a perfect storm of high potential reward for criminals combined with more opportunities for them to exploit it.
Both the potential buyer and the seller are potential targets – in effect doubling the potential weak links in the chain.
Companies that (rightly) normally keep their most confidential information to a handful of trusted confidants suddenly find it needs to be shared with a host of lawyers, consultants and other third parties as part of due diligence – increasing the risk of it ending up in the wrong hands.
The insider risk is heightened too: employees who could be subject to undesirable change are potentially liable to become disenfranchised and open to criminal overtures.
So what can firms do about this?
It’s critical that the parties involved look at themselves through the eyes of an attacker and seek to understand the threats that tend to occur at the various stages of the M&A process.
Security must be a forethought, not an afterthought. Throughout the discussions, and before plugging in the network cable or allowing the two networks to connect, organisations must be sure to understand what’s on the other side, and what risks they could present.