Editor's note: The following is a contribution from Zscaler Director, IT M&A and Divestitures Patrick Cresap
Picture this: you've just finalized your M&A deal, only to discover a cybersecurity incident emerging—whether it's a breach, data leak, or system compromise. Suddenly, the clock is ticking, and you're faced with a tight deadline to report this material event to the SEC and your stakeholders.
Recent years have witnessed a surge in cybersecurity breaches impacting public companies, leading to revenue loss, prolonged disruptions, hefty fines, legal battles, and diminished investor trust. Cybersecurity incidents have more than tripled between 2013 and 2022, with over 2.6 billion personal records breached in 2021 and 2022 alone. The first few months of 2024 have already seen unprecedented breaches, including the January "mother of all breaches" leaking 26 billion records worldwide, a data compromise affecting 750 million users, phishing attacks targeting thousands of senior executives' accounts, and the theft of terabytes of sensitive medical records with remediation costs exceeding billions of dollars.
These cyber threats hold significant importance for M&A transactions today. As corporations and entities amass vast amounts of personal data, cybercriminals exploit turbulence surrounding these deals to execute their schemes. In one recent deal, a company experienced a surge of 200-300% in attempted scams targeting both parent and target employees on work and private devices. These scams included hackers impersonating executives to deceive staff into divulging sensitive corporate data or making unauthorized payments.
Moreover, recent events have highlighted the critical intersection of cybersecurity and M&A transactions. Following multiple massive cyberattacks this year, lawmakers have voiced concerns regarding the dominant position held by a few giant corporations and the implications for industry-wide cyber risk. This underscores the notion that market concentration within an industry can exacerbate the consequences of such attacks, emphasizing the necessity for robust cybersecurity measures in M&A deals. As a response, the Federal Trade Commission (FTC) now evaluates proposed corporate mergers based on their potential impact on cybersecurity, acknowledging the pivotal role these considerations play in shaping M&A transactions.
New SEC cybersecurity rules
The SEC has entered the cybersecurity arena with full force. After issuing preliminary guidance in 2018, the SEC passed comprehensive regulations in July 2023. The new rules, enacted on December 15, 2023, introduce two critical requirements for public companies, significantly impacting future M&A activities:
- Timely incident exposure reporting: Companies must promptly report material cybersecurity incidents within four business days via Form 8-K, ensuring swift communication to shareholders and the public market.
- Cyber risk management disclosures: Companies must disclose analyses and decisions regarding cybersecurity risk management, strategy, and governance practices through Form 10-K, including details from their cybersecurity defense playbook.
M&A considerations: Cybersecurity in light of new SEC regulations
Cybersecurity’s critical role in M&A transactions cannot be overstated, especially considering these new SEC regulations and associated penalties. Every stage of an M&A transaction, from strategy formulation to integration planning, is susceptible to heightened risks of cyberattacks. Failure to address cybersecurity concerns can leave both companies vulnerable to brand damage, incorrect valuation, legal issues, compliance challenges, and cyberattacks.
Parties should not move forward without considering:
- Due diligence and risk assessment: Acquirers must conduct comprehensive due diligence on the target company's cybersecurity practices by evaluating vulnerabilities, historical incidents, and the effectiveness of risk management protocols. This includes investigating the target's threat profile, available third-party information, and regulatory requirements.
- Materiality and disclosure: Acquirers must assess the materiality of recent cybersecurity incidents and transparently disclose them during the M&A process to avoid legal and reputational repercussions. Proper disclosure is essential for maintaining investor trust and ensuring compliance with SEC reporting requirements, especially considering recent changes mandating detailed risk management disclosures in Form 10-K filings.
- Integration planning: Cybersecurity integration should be a central focus of M&A planning. It is essential to harmonize policies, procedures, and technologies to ensure seamless integration and mitigate vulnerabilities. This involves aligning security technology, governance, and cultural practices contributing to a unified and resilient security posture across the combined entity.
- Contractual protections: M&A agreements should include robust cybersecurity provisions, including clauses related to data breach response, indemnification, and compliance with SEC reporting requirements. These provisions safeguard against potential cyber risks and ensure accountability in the event of a security incident post-acquisition.
- Valuation and deal pricing: Cybersecurity risks can significantly impact deal valuation, with acquirers considering the target company's cybersecurity maturity and incident history in determining the purchase price. A thorough assessment of cyber risks allows for informed decision making and helps mitigate potential financial implications of cyber incidents post-acquisition.
- Post-acquisition monitoring: Acquirers must continue monitoring the target's cybersecurity practices following a deal’s closure to ensure prompt disclosure of material incidents as required by SEC rules. Ongoing monitoring and risk assessment are essential for maintaining cyber resilience and regulatory compliance in the evolving threat landscape.
- Cyber insurance: Organizations should align their policies and practices with SEC recommendations and consider cyber insurance options that provide comprehensive coverage for cyber event-related losses and regulatory liabilities. Cyber insurance serves as a financial safety net and helps mitigate the financial impact of cyber incidents on the acquiring company.
- Boards: Effective oversight of a cybersecurity program requires clear and open communication regarding cybersecurity risks between the boards of acquiring and target companies, encompassing technical, legal, and regulatory aspects. Board-level engagement and accountability are essential for driving cybersecurity initiatives and ensuring alignment with business objectives and regulatory requirements.
Zero trust in the new cybersecurity era
The SEC's latest cybersecurity regulations endorse a zero trust approach, emphasizing "never trust, always verify" when authenticating and authorizing users and devices seeking access to systems and data. In the context of M&A transactions, a zero trust approach carries several implications:
- Valuation considerations: Acquirers should evaluate the target's cybersecurity maturity through the lens of zero trust principles, with deficiencies potentially necessitating valuation adjustments. Zero trust architecture offers a holistic view of cyber risks, enabling acquirers to assess the true value of the target company's security posture and make informed decisions regarding deal valuation.
- Due diligence: Implementing zero trust strengthens due diligence through enhanced visibility into cyber issues and by promoting transparent risk disclosure. By adopting a zero trust mindset, acquirers gain deeper insights into the target company's security practices, vulnerabilities, and potential risks.
- Risk mitigation: Zero trust architecture reduces reliance on legacy technologies, aligns with SEC requirements, and facilitates compliance with data protection regulations. By implementing zero trust principles, organizations can mitigate cyber risks associated with M&A transactions, ensuring secure integration and regulatory compliance post-acquisition.
Embed zero trust in your M&A integration approach
To effectively mitigate these risks, empower your organization to adopt a zero trust approach and navigate the complexities of M&A cybersecurity during integration. Proactively engage leaders across legal, internal audit, cybersecurity, and IT teams on the merits of zero trust and how it applies to the M&A lifecycle.
A zero trust M&A integration approach assumes the acquisition is compromised and, when adopted according to best practices, reduces the attack surface, minimizes the threat of lateral movement, lessens the risk of data loss, and improves visibility. All of which is part of a corporate risk assessment strategy and integration playbook that should guide cyber due diligence efforts and aid in prioritizing remediation actions.
Given the escalating volume and complexity of cyber threats, forward-thinking boards are increasingly emphasizing cybersecurity oversight to safeguard financial performance, reputation, and day-to-day operations. It's essential that cybersecurity no longer be treated solely an IT concern, but as a critical business consideration. Companies involved in M&A transactions must swiftly adapt their strategies and processes to align with new SEC regulations to effectively mitigate risks.
What to read next
Mergers and acquisitions: How zero trust helps achieve a competitive advantage
Talking mergers, acquisitions, and divestitures with TCS [podcast]
Zero Trust & Cyber Insurance: A crash course for the cyber insurance industry [eBook]