'The Risk Call' Monthly Webinar Register     'CYBERWatch' Monthly Newsletter  Register



M&A and Cyber Risk


Mergers & Acquisitions are inherently a process of uncertainty. This can allow unforeseen risks to emerge. Additionally, cybersecurity risk is a major source of potential loss if not understood thoroughly, and this can affect valuation assumptions in any M&A transaction. Furthermore, the acquisition of an organization that has a highly effective cybersecurity program, will typically find that the to-be-acquired entity will have a less strong set of cybersecurity protections.Side image 10

Many M&A processes are under-attentive to cybersecurity risk. This can often result in under-funding of needed cybersecurity upgrades and remediations. Ultimately, this can adversely affect the overall economic benefits the merger was intended to yield. We know, for example, that there have been mergers where up to $100mm has been written down as a result of discovering unexpected cybersecurity issues.

Once the two entities are integrating systems, staff and processes, an imbalance of this type will often cause the cyber risk effectiveness of the newly-combined entity to erode from their previous state. Identifying the specific areas that are most important for remediation in the merger integration is essential, in order to target specific initiatives. Additionally, there is a unique opportunity to properly fund needed cybersecurity initiatives under acquisition accounting. But to do this, the specific efforts that are most needed must be identified.

To address these needs, first it is necessary to run a fresh Risk Profile on both the acquiring company and a separate Risk Profile on the to-be-acquired entity. Once these two are complete, we have the ability to run a valuation-weighted “to-be” Risk Profile on the combined entity. We then use a comparative analysis to graph the differential exposure to specific risk types. This shows all stakeholders not only the comparative status of each organization, but the projected status of the newly combined entity, post-integration. Finally, the Thrivaca ROI analysis is used to identify the highest-value strategies and remediations to be included in the overall M&A integration process.