Pursuing acquisitions and joint ventures – a cyber security perspective

March 2025  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine


As organisations are well into the New Year and businesses accelerate first quarter goals, the role of the cyber security professional is, among other things, to help business clients make good risk decisions that enable that ‘next big thing’. This could include acquisitions, joint ventures or mergers between complementary organisations. In any of these scenarios, an entity will undertake due diligence on the target or partner, from finances to reputation to business practices. What may be overlooked is an organisation’s cyber security posture and protocols – a mistake that can result in lost revenue, trust and reputational damage, and business disruption.

Today’s leaders must consider risks and implement compensating measures to protect the business from being impacted by cyber security risk. Business leaders often rely on cyber security professionals to be one step ahead of the seemingly small issues, as well as the catastrophic cyber incidents that were too often in the news during 2024. Staying ahead can often rely on looking back, benefitting from the lessons learned during incidents of days past to inform response to incidents in the future, as well as the mitigation strategies to prevent them.

Many leaders in business treat mistakes as learning opportunities, embracing them to move forward and ‘do better’ next time. When it comes to cyber resilience, leaders effectively use mistakes to reinforce standards, identify efficiencies and drive a positive outcome. It can be difficult to focus on that eventual positive outcome when that crisis email comes in just before that long holiday weekend, demanding immediate attention, or when there is a deadline to meet for a due diligence review on a target’s cyber programme in order to keep a deal on track. Often, those crisis events are the result of some mistake. The due diligence that is being undertaken can uncover a vulnerability that could otherwise tank a deal. Leaders and executives must rely on experience to prepare teams to deal with some of the most challenging incidents that organisations face.

In 2024, many of the challenging incidents that cyber teams responded to shared a suite of recurring factors: an M&A event, an immature cyber security programme at the victim, an extortion event, ineffective due diligence, and publicity about the incident. This can be illustrated through an example. In the months following an acquisition, a multinational organisation was notified of a high volume of traffic between its corporate perimeter and a known malicious internet protocol (IP) address. Law enforcement made the notification to the business, and initial analysis revealed that a well-known threat actor group had stolen data from the business. Subsequently, the threat actor encrypted all the business’ servers. As is often the case, a ransom note was left on client systems by the threat actor, demanding payment in Bitcoin to release the decryption key. If not paid, the threat actor threatened to post the stolen sensitive company property and customer information online. Naturally, company leaders were quick to rally and demand details regarding what happened. They asked: How did they get in? What did they do after they got in? What did they take? When will we know the actors are removed from our systems?

In this incident, the organisation had recently acquired another manufacturing business that was new to the market and making great progress growing its brand. Unfortunately for all, rapid growth in the market did not translate to internal rapid growth in cyber security investments. The business did not invest in a dedicated cyber security cadre and thus it lacked sufficient asset management and monitoring. Regrettably, this resource allocation mistake is common for businesses experiencing rapid growth. The incident investigation found that the threat actor socially engineered an employee, delivered malware and quickly elevated privileges. Once sufficient access was attained, the initial access team sold that access to the highest bidder on the dark web. That highest bidder was an extortion group that quickly went to work. The dwell time between initial access, encryption and ransom demand was 72 hours.

A common question repeated in incidents such as these is, “How did we get here?” A post-mortem investigation will typically be able to trace the origins of the initial breach. In many cases, the lack of a cyber security response plan can prove catastrophic for a merged entity. Moreover, organisations need to update their information security plan, or set of procedures, to include the requirement for dedicated oversight following a merger event. It is critical when merging two entities that leaders ensure key technologies, people and practices are in the right place and that technology is deployed in a secure manner. Finally, entities must ensure they are actively promoting an environment with host-based monitoring and basic segregation practices that would defend the acquiring company from risk inherited from the newly purchased entity.

While many leaders leverage mistakes as a means for improvement, when it comes to cyber security, mistakes must be minimised to ensure the health and protection of a business. As the old adage goes, ‘an ounce of prevention is worth a pound of cure’, and due diligence plays a critical role when joining two systems. It is important for those seeking to merge with or acquire a company to embark on effective due diligence reviews before the transaction completes. Discovering that a business needs significant cyber security investment after a purchase is simply too late. Additionally, merging information technology functions without a comprehensive due diligence review can disrupt the very foundation of a business, and thus result in negative impacts to functionality and to short- and long-term goals.

It is true that mistakes can be learning opportunities, but in order for them to have true value, they must be used to ‘get better’. Looking at the coming months in 2025, organisations must take stock of 2024’s mistakes and ensure those lessons learned have been put to use. When it comes to M&A, organisations can learn from others’ mistakes by ensuring strong cyber due diligence measures are taken, investment risk assessments are thorough, and risk management frameworks are in place to address potentially catastrophic cyber events. Cyber security is an issue for organisations before, during and after a transaction event. By taking an ‘always on’ approach to cyber, businesses will have stronger resiliency both now and in the long term.


Steve Kopeck is a partner at StoneTurn. He can be contacted on +1 (303) 241 8266 or by email: skopeck@stoneturn.com.
