Forescout Technologies has announced the results of its merger and acquisition (M&A) cybersecurity risk survey.
The study, The Role of Cybersecurity in M&A Diligence, surveyed more than 2,700 IT Decision Makers (ITDM) and business leaders from United States, France, United Kingdom, Germany, Australia, Singapore, and India (372 respondents), wherein Indian IT decision makers were found to experience some of the highest cybersecurity issues (63%) during M&A activities. 94% of respondents also agree that they are putting more of a focus on an acquiree’s cybersecurity posture than in the past.
The survey was conducted to examine the growing concern of cyber risks and the importance of cyber assessment during M&As and subsequent integration process. According to the survey, 53% of global respondents report their organization has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy. Cybersecurity concerns discovered after consummation of the deal often present costly risks that would have been factored into the deal negotiations and/or may have led to the dissolution of the deal. After closing the acquisition, 65% of global respondents experienced buyers’ remorse, regretting the deal due to cybersecurity concerns.
Ramsunder Papineni, Regional Director-India and SAARC, Forescout said, “M&A initiatives are usually time-bound with discussions and negotiations often running at a much faster pace. The business dynamics often make the cybersecurity concerns go overlooked in the grand scheme of things. However, any unnoticed IT anomaly can either cause a breach immediately or later emerge as a vulnerability that gets exploited by cybercriminals. This makes cyber due diligence more imperative for M&A businesses than what they typically believe.”
The survey highlights the following findings:
• Proper cybersecurity evaluation takes time, but acquisitions often run on fast track. Many deals face a race to get across the finish line. 54% of Indian respondents strongly agree that their IT team is given adequate time to review a targets’ cybersecurity standards, processes and protocols before completing an acquisition.
• More focus on cybersecurity risk during M&A is needed. Eighty-one percent of ITDMs and BDMs agree that they are putting more focus on an acquisition target’s cybersecurity posture than in the past, highlighting that cyber is a top priority for both IT and business decision makers.
• Connected devices and human error put organizations at risk. When asked what makes organizations most at risk during the IT process, two answers stood out: human error and configuration weakness (69%) and connected devices (50%). Devices often get overlooked and missed during integration as over half (55%) of Indian ITDMs say they find unaccounted devices, including IoT and OT devices, after completing the integration of a new acquisition.
• Prevalence of cybersecurity issues. More than half (63%) of survey respondents report their organization has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy. Further demonstrating the potential consequence of a security incident, undisclosed data breaches have become a deal breaker for most companies. Eighty-three percent of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.
• Internal IT teams may lack the skills to conduct cybersecurity assessments. Among Indian ITDMs, only 54% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to lack of resources, organizations must allocate outside resources to their cybersecurity assessments and/or may not be able to complete a robust assessment.