Mergers and Acquisitions (M&A) is driving market growth in the current period and is expected to continue to be a significant strategic practice in the near term. Key drivers include growing economic confidence and favorable lending environments. With the 2008 financial crisis now six years behind us, many businesses are able to build effective and promising books. Baby boomers and business owners on Main Street will likely take advantage of the rising optimism and improving economic conditions in 2014 to bring their businesses to market before the next down cycle.
With the changing business cycle we are seeing a dramatically different M&A landscape with regard to the risks involved. The risks we face today are not the same as they were in the last upturn, or even in the last 3-4 years. We now operate in a vastly more complex business environment driven by rapidly evolving technological advances. This is evidenced by the increased availability of cyber insurance. According to Advisen research, the number of new cyber insurance products unveiled in 2013 was almost 20% higher than in the prior year period.
Unfortunately, the cost of cyber insurance is prohibitive, with most plans imposing low limits and numerous exclusions. To make matters worse, the availability of this type of insurance is luring executives into a false sense of security. Failure to assess cyber risk and adequately develop a cyber-risk management strategy is dangerous and potentially expensive. This is compounded in the aftermath of the M&A deal, when data and system integration not only becomes problematic but also has the potential to introduce unknown threats.
Although there has been so much well-published research data on the challenges and costs of cyber integration, little is being said about cyber due diligence in the M&A deal. Assessing the cyber-risk profile and developing strategic plans to mitigate those risks is being overlooked by a majority of the players involved. The rapidly evolving development of, and reliance on, technology and the relative infancy of cyber insurance products have created a perfect storm. This isn’t a result of willful or negligent conduct; rather, the recognized need to investigate the cyber landscape has not kept up with the depth of cyber assimilation into business processes.
For an organization to truly understand the cyber landscape, the M&A due diligence must incorporate cyber-investigative efforts. These efforts should not be limited to analyzing the quality and integrity of mission-critical data or, for that matter, vetting the ability to integrate the systems. To fully understand the exposure, and ultimately manage the associated risks, it is necessary to investigate the system and all its attributes. Accepting at face value, or worse, disregarding the IT posture of an organization you are about to merge with or acquire is akin to accepting unscrutinized market projections, management abilities, or financial information.
Only through an intelligent assessment of actual risks and pragmatic investigation of all known and unknown risks can you determine a true business valuation. Start by conducting a realistic assessment of the true risks to the company’s data and IT infrastructure. Then develop a strategic plan to mitigate the exposure and manage the risks. The strategic plan may include hedging some of the risk through a cyber-insurance package, but insurance is not a pacifier for risk management.
As data is compiled to better define the relationship between cyber-risk management and related losses, investigative cyber security assessments by a financial forensics team will become a standard due diligence process in M&A deals. The simple step of engaging an independent, cross-functional team in due diligence and tasking them with creating an integration report can play a big role in the course of the deal and the subsequent realization of the projected net benefits of the merger or acquisition.