Tab icon

Cyber Security during M&A

Calendar icon 20th August 2019

In May 2017, a large-scale cyber-attack named ‘WannaCry’ hit the globe world-wide, threatening the entire body of the National Health Service, before being described as the “biggest ransomware offensive in history”[1]. Fast-forward to just one month later, and a mutation of the virus returned, forcing Ukrainian governmental websites offline, before spreading internationally, targeting companies “as widely as Danish shipping company Maersk and British advertising company WPP, the biggest in the world”[2].


This recent rise in attacks is disconcerting to all companies concerned with the strength of their cyber-security, and not least to those wishing to merge with, or acquire another firm. Indeed, acquisition targets are now being screened by cyber-security experts to limit the likelihood of them becoming a liability at a later date[3]; if found by a hacker, the smallest chink in their armour could threaten the internal operations and activity within the entire firm, and as the rate of successful virus attacks increases, so does the potential downfall for a merger or an acquisition. Michael Bittan, the Head of Cyber Risk Services in France for Deloitte, predicts cyber-security “will become a pillar of M&A decisions”[4], explaining how “[it] is not about getting technical, it’s about business impact, and ultimately valuations”[5].


Identifying, honing and aligning the cyber-security systems of firms wishing to merge is a crucial necessity in today’s technologically-advancing world, where the rate of cyber-attacks, and the proficiency of cyber-criminals, is rapidly accelerating; in essence, the longer it takes to align these systems and to ensure their strength, the more vulnerable an organisation leaves itself. In fact, according to Forbes, “one study found that the number of reported ransomware attacks was a staggering 638 million in 2016”[6]. Furthermore, with regards to recent years, Pricewaterhouse Coopers have recently discovered that “65% of UK businesses were ‘significantly concerned’ over cyber risks to energy technology”[7]. Shedding insight as to why this is becoming a current and crucial concern, the former chief of National Grid explained the recent shift away from highly-secure, large power stations, to “decentralised power, such as lots of small, flexible gas power plants and solar panels on homes”[8]; additionally, the energy technology market is seeing an influx of web-connected devices being implemented and utilised by millions, and thus the risk of threat is rising.


The energy technology market is by all means not alone in their unease. Companies and investment funds seeking to acquire new ventures are now “adding an extra layer of scrutiny to acquisitions by screening targets for cyber-security risks”, to avoid “buying an empty shell”[9]. Both establishing and aligning a strong, cyber-security platform is of paramount importance for new business, and growth, to thrive. Following a Yahoo! Inc. hack in 2014 that affected an estimated 500 million accounts, the company’s damaged reputation served as a red-flag in support of cyber-security expertise during mergers and acquisitions. The breach ultimately caused Verizon Communications Inc. “to cut its offer to buy the company by $350 million”[10].


In posing a severe risk to an organisation’s value, it is quickly becoming ever more imperative for companies to hire cyber-security professionals to establish, hone and align a system that is virtually impenetrable to future cyber-attacks. Indeed, a survey by stock market operator NYSE found that around “85% of executives interviewed in [a] study said discovering major vulnerabilities at the audit stage of an acquisition would likely affect their final decision to go ahead with the takeover or back out”[11].


Executive-level search firms provide one way, if not the most important way, of combating the threat of a cyber-security meltdown; by sourcing and hiring executive-level professionals in niche markets such as cyber-security and cyber-strategy, they are able to provide their clients with both the knowledge and security they need in order to prevent their operations from being threatened, and to ultimately retain their present and future value.