Mergers & Acquisitions Trigger Unique Cyber Challenges: What Businesses Should Do to Overcome Them

By Kyle Kappel, US Leader for Cyber, and Hugh Nguyen, US Practice Leader, M&A Technology Center of Excellence

Cybersecurity threats are increasing exponentially each year, impacting functions across the enterprise, and the M&A process is no exception. The often-overlooked vulnerabilities and threats that arise during these transactions are cause for concern, prompting the need for organizations to prioritize cybersecurity measures to safeguard sensitive data and protect their investments. 

The Challenges

When companies merge, significant cybersecurity challenges arise in two main ways: first, in integrating disparate security infrastructures, and second, in bringing together diverse organizational cultures, which presents its own challenges from a cyber perspective. Yet the limited involvement of IT and cybersecurity within M&A teams can lead to cybersecurity considerations taking a back seat early in the process, potentially resulting in unforeseen vulnerabilities and risks.

Let’s take a look at each of these two substantial challenges.

When two companies merge or one acquires another, they often have different systems, protocols, and technologies in place to protect their data and networks. Integrating these diverse security infrastructures can be a complex task, as it requires aligning and harmonizing different approaches to cybersecurity. Failure to properly integrate these systems can create gaps in security, leaving the newly formed entity vulnerable to cyber threats.

Separately, organizations face the difficulty of integrating diverse organizational cultures. Each company involved in the merger or acquisition may have its own unique approach to cybersecurity, including different policies, practices, and levels of awareness. Bringing these cultures together can create friction and inconsistencies in cybersecurity practices. It is crucial to establish a unified cybersecurity culture that aligns with the overall security objectives of the newly formed entity. Failure to do so can result in confusion, gaps in security awareness, and potential vulnerabilities that can be exploited by cybercriminals.

Advice to Businesses

So, what should businesses do to overcome the cyber risks inherent in the M&A process?  

KPMG has four key recommendations:

  1. Require a Security Assessment of the Target Firm: Including the cybersecurity team in the process from the outset can help avoid many headaches down the line. It is essential to ensure that the security team or the Chief Information Security Officer (CISO) is brought in early in the process, and always has a seat at the table.
  2. Understand the Risk of the Data Environment: Acquiring or merging companies must be able to evaluate security requirements that could impact the data environment. This understanding is crucial for assessing the state of security in the acquired company. Organizations without broad internet-facing landscapes may still be subject to security risk due to poor or nonexistent governance of API usage and single sign-on (SSO).
  3. Conduct Cybersecurity Due Diligence: Prior to M&A activities, it is essential to conduct thorough cybersecurity due diligence to uncover any security risks and liabilities, as well as the costs for remediation. This assessment will help inform investment decisions and legal documents.
  4. Engage Early in the Transaction: Building a view of cyber risks and costs from the outset of the deal can help quantify the liability and develop a robust cyber story, enhancing the case for a strong exit valuation.

The Bottom Line

In today's rapidly evolving cybersecurity landscape, businesses involved in M&A must prioritize cybersecurity measures to overcome the challenges that arise during these transactions. By conducting thorough cybersecurity due diligence, engaging early in the transaction, and quantifying cyber liability, organizations can safeguard sensitive data and protect their investments, ultimately ensuring a more secure transition.

Media Contact

Melanie Malluk Batley


Associate Director, Corporate Communications, KPMG US

+1 201-307-8217










