The risks in mergers and acquisitions CISOs need to know

A failure to consider cybersecurity when it comes to engaging in an M&A deal, as Winzer put it, is like driving blind without any mirrors. “You can be very easily attacked and become prey to cyber attackers, and if that were to happen what’s at stake is business operations, being able to run the company as profitably as possible, but also to suffer disruption and suffer a financial loss,” she explains. “There can also be very specific impacts on occupational health and safety. As an example, depending on the type of organization and industry, if it’s the healthcare industry, there may actually be an impact on patients and people who need vital support.”

What areas CISOs should look into during the M&A process? 

There are a few cybersecurity risks that M&As bring to haunt CISOs. Experts from major consulting firms have shared some of the main ones CISOs should be aware of and make sure their CEOs and boards are on top of before the process begins. These include ensuring that technology and governance are up to date, checking all third-party agreements and services to ensure they meet necessary cybersecurity requirements, being aware of opportunism by cyber criminals, and watch out for dormant attackers.

Technology and governance might not be up to scratch

An obvious risk, according to CyberCX financial services lead Shameela Gonzalez, is when two companies are trying to merge two different technology stacks. “It’s really important to understand what risks could be created as a result of merging and consolidating those, and how do you still make sure that the coverage you once had as a standalone entity maintains itself once you’ve now incorporated a whole new technology stack,” she says, pointing out that one company is likely to have a better cyber posture than the other.