From miscalculations to changing regulations, dealmakers are well-aware of all the risks involved in a potential merger or acquisition. However, the emerging threat of a cyber attack is still being overlooked, say experts. They offered four ways to help a deal from being derailed.

In November 2021, the FBI issued a Private Industry Notification highlighting the fact that ransomware groups were weeding through publicly-available information for “time-sensitive financial events.” Put simply, professional hackers were digging up private information of companies involved in sensitive M&A negotiations to derail the deal, trade on inside information or manipulate stock prices unless the parties involved paid a ransom.

“Ransomware is particularly effective because if access to information is restricted, that can prevent deals from closing,” says David Dunn, senior managing director and head of EMEA Cybersecurity at FTI Consulting. He says this type of attack is fairly common but is only the tip of the iceberg. M&A activity faces several other cybersecurity risks that could be just as disruptive.

Business Email Compromise or BEC is another common attack. Cyber attackers can hijack or mimic the email address of a trusted figure within the organization to extract money or information. “BEC scams are also commonly used because the targets are often expecting wire transfer requests as part of a deal, and if timed correctly, this can result in the fraudulent exchange of funds,” Dunn explains.

With annual M&A activity involving trillions of dollars, the results of intercepting wire transfers could be disastrous.

The threat doesn’t end when the deal is completed. “Deal announcements bring significant attention, including from threat actors looking to take advantage of the resource constraints organizations feel during transactions and compromise newly acquired organizations,” Dunn says. “During diligence, buyers should identify if any significant baseline gaps exist in controls or technology tooling and ensure they are remediated ahead of either closing the transaction or announcing.”

The rise of remote work in recent years may have magnified some of these risks. Dunn says a remote workforce is more vulnerable to a new form of cyber attack known as Shadow IT. This attack involves the unauthorized use of a company’s software tools or mission-critical IT systems.

“Organizations may not have a proper understanding of what employees downloaded and are using for work purposes, which means inaccurate information is passed to investors and dealmakers, putting their deals in jeopardy,” he says. “It is something that should be on the minds of all investors and dealmakers, yet I worry it is not being fully considered. ”

To mitigate the risk, Dunn suggests four action items for buyers:

  1. Insist on a cybersecurity audit of their potential targets
  2. Place firewalls within the organization to prevent the spread of malicious malware
  3. Encrypt sensitive data
  4. Implement two-factor authentication to protect software tools and communications

Staff training and cybersecurity insurance can also mitigate the risk, he says.

Vishesh Raisinghani