ANDREW BAHLMANN: Cybersecurity risks take centre stage in M&A transactions
Management needs to keep a close eye on threats before, during and after the transaction
09 July 2024 - 05:00
by Andrew Bahlmann
With data a cornerstone of business operations, cybersecurity has become a critical consideration in mergers & acquisitions (M&A). Data breaches, identity theft and ransomware have evolved into significant business threats, affecting not just the immediate financial standing but the very essence of a business’s reputation and operational stability.
The threat landscape is escalating over time with each new data breach — especially as it now includes state-sponsored hacking by bad-actor countries such as Russia and China. Consequently, for businesses contemplating M&A, understanding and mitigating cybersecurity risks is paramount.
The digital age has ushered in an era in which data breaches are a persistent menace, with personal information, financial records and intellectual property becoming commodities traded on the dark web. The ripple effects extend far beyond financial losses, affecting business operations, stakeholder trust and personal security, including the risk of kidnappings.
Consequently, before finalising any M&A deal a thorough cybersecurity due diligence is essential. This involves assessing cyber hygiene by evaluating the cybersecurity policies, practices and history of breaches in the target company, as well as understanding past incidents and responses to gain insight into the company’s resilience and preparedness.
Along with a financial audit, potential asset buyers need to conduct a comprehensive cybersecurity audit to identify potential vulnerabilities in the target’s IT infrastructure. This includes checking for outdated systems, weak password policies, unsecured data storage and inadequate patching, and even the cybersecurity posture of third-party vendors and partners of the target company.
They should similarly ensure the target company complies with relevant data protection regulations, such as the EU’s General Data Protection Regulation or SA’s Protection of Personal Information Act (Popia). Noncompliance can result in hefty fines and legal challenges.
During M&A transactions the stakes are higher than usual, as the integration of two entities creates additional vulnerabilities. Just as important is what happens after the transaction, when integrating cybersecurity practices becomes critical: the cybersecurity policies of both entities must be harmonised to ensure a cohesive approach to data protection. This includes standardising password protocols, access controls and encryption standards.
The threat is that the repercussions of a cyber breach extend beyond mere financial loss. In the hands of adept manipulators a stolen employee identity becomes a weapon, a key to unlock doors never intended to open. Suddenly there is the reality of fraudulent accounts, unauthorised purchases and a shattered sense of security as cybercriminals, armed with employees’ personal data, can leverage their newfound knowledge to orchestrate even kidnappings for ransom.
Serious data breaches are probably a more common occurrence than the public is aware of, as companies are reluctant to disclose more details of incidents than is legally required. For companies that have been hacked, the reputational damage can be devastating.
Organisations can safeguard their data, for instance by leveraging available tools for monitoring client credit profiles, which can alert to unauthorised inquiries or adverse events on their accounts. By staying informed and vigilant, management can mitigate the risk of identity theft, deep fakes and financial fraud stemming from data breaches.
Such tools exist and will become more commonplace in the future. While there is no quick fix to the problem, by leveraging consumer monitoring products and staying informed about potential threats, businesses can take steps to protect themselves from the fallout of data breaches. While there are limitations to monitoring every person’s every transaction, such monitoring provides targeted support to mitigate the effect of data breaches on affected individuals.
However, there is a delicate balance between cybersecurity and privacy within the broader landscape of data protection, as reflected in Popia and its principles. These principles govern the handling of sensitive data, even as sophisticated cybercriminals develop ever more advanced threats.
Though companies are reluctant to disclose data breaches due to reputational risks, transparency and accountability must trump these considerations, as it is a legal requirement under Popia to notify affected individuals.
There is no single solution to safeguarding against cyber threats. Rather, it requires a multifaceted approach encompassing user training, systems design and continuous monitoring. Management plays a critical role in fostering a culture of vigilance and accountability, with the emphasis that cybersecurity is not solely the responsibility of the IT department.
One of the key strategies is staying abreast of evolving threats and vulnerabilities. Organisations need to regularly update their systems and software, and take precautionary measures to address emerging cybersecurity challenges. Fear is a driving force for behaviour change, which should be sufficient to encourage a proactive stance in confronting cybersecurity risks.
Data breaches commonly happen when proper data protection protocols are not in place and lax security allows unauthorised access to databases. Critical tools must include robust password protection, firewall security and data encryption. Additionally, companies should address the risk of email phishing attacks and malware infections by implementing comprehensive cybersecurity measures.
• Bahlmann is CEO: corporate & advisory at Deal Leaders International.
Published by Arena Holdings and distributed with the Financial Mail on the last Thursday of every month except December and January.