On November 9, the Center for Long-Term Cybersecurity (CLTC) convened an online panel discussion focused on the key findings from Moving Left and Right: Cybersecurity Processes and Outcomes in M&A Due Diligence, a white paper that integrates insights and best practices to help organizations improve their consideration of cybersecurity risk as part of a merger or acquisition.
Prakash Krishnan, who has worked in leadership positions at Honeywell, Hewlett Packard, Cisco, and Juniper Networks, provided an introduction to the framework. He was joined by Jason Button, a Director at Cisco who leads the company’s Security and Trust Mergers and Acquisitions (M&A) team, and Mohammad Iqbal, an Information Security Architect in the Cisco M&A team. The panel was moderated by Ann Cleaveland, Executive Director of the Center for Long-Term Cybersecurity.
“This research is emblematic of [CLTC’s] focus on foresight in cybersecurity, and our efforts to expand who participates in cybersecurity in the broadest sense,” Cleaveland said. “It came out of the insight that cyber risk in mergers and acquisitions is increasing. It’s fraught with market failures. It has tremendous consequences for the financial performance of the deal down the line. And while individual best practices may exist inside specific companies, there’s not a systematic framework that people at companies large and small can use to get ahead of cyber risk in deals. We hope this conversation will help all of you get ahead of cyber risk that’s just around the corner.”
Krishnan explained that he was motivated to undertake the research after observing the significant role that cybersecurity played in major mergers, such as the Verizon-Yahoo merger of 2017, when Yahoo’s disclosure of past data breaches led Verizon to lower its acquisition price. “We had two global brands, two well-run companies completely missing the ball in terms of cyber risk consideration,” Krishnan said. “There were systematic failures inside Yahoo between the operation team and the leadership team, and a lack of communication between the leadership team and their board…. The net result of all of this was a $350 million deal erosion, and Yahoo had to absorb significant financial liabilities even after the merger was completed.”
The report, he said, sought to identify a repeatable process that firms can use to assess the cybersecurity practices of a potential merger partner. “The question was, is there a better way to embed cybersecurity consideration into the process?” Krishnan said. “And the answer was an absolute resounding yes. But as a practitioner… there are some structural hurdles that we need to be aware of…. The question for all of us is, how do we embed cybersecurity in the context of these structural hurdles? This is really a change management issue for all of us involved in the M&A process.”
Krishnan explained that the research entailed an extensive review of examples of M&As “where things worked and didn’t work,” as well as interviews with practitioners from different sectors, in the United States and around the world. “This gave us a foundational, 360-degree view in terms of what an ideal state should be for cybersecurity risk assessment,” he said.
Among the key findings of the research, Krishnan explained, is that the relative autonomy of an acquired firm plays a major role in determining what programs or policies should be put in place. Firms should also look to existing frameworks, such as the NIST Cybersecurity Framework and the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework, as they “provide a rich context in terms of how cybersecurity should be viewed in the context of running a business.”
Business leaders involved in a merger or acquisition also need to “elevate the conversation to have a business outcome conversation, versus just a checklist conversation,” Krishnan said. “All the practitioners we spoke with said, give us a process that can be adapted for my industry, geography, and business model. And we have attempted to do that as part of this project.”
The framework provides guidelines for steps to take “from left to right” during a merger or acquisition, i.e., at different phases of the deal cycle, from initial scoping of interest through the merger and beyond. “As you’re going through the due diligence process, you want to look under the hood and understand what kind of practices the target company has in place,” Krishnan said. “You want to be able to build cybersecurity risk maturity within your organization over time.”
Cisco’s Jason Button said that the framework closely mirrored his own team’s process, and accurately emphasizes the importance of getting cybersecurity professionals at the table early on in the M&A process. “It gave us the confidence that we were doing the right things,” Button said. “The report talks about the ‘primary actors’ [in the M&A process] like the board members, executives, business development team, and cybersecurity professionals, who should all be part of that list. That’s what I and others in the same role have been trying to achieve for so long, to have a primary seat at the table so we can help them shape the deal and call out where risks are or if it will lead to increased costs.”
Mo Iqbal similarly noted that the framework allowed his team to validate their existing practices. “One of our key strategies, from an M&A perspective, is to be as aggressive as possible during an acquisition deal on how we could actually start injecting security from the onset of the deal itself,” he said. “It’s easy to jumble up a lot of this thought process when you’re in the thick of things. What this research allows us to do is separate the various phases that we’re engaging with. I love the fact that you actually are identifying the preliminary negotiations and sourcing targeting before the due diligence…. The way the report actually breaks the research down into its various phases, and homes in on exactly what’s going on, gave me the insight, is there an opportunity for us to do even better? This is something we can utilize in our future deals.”