Security professionals are increasingly concerned by cybersecurity risks that arise as a result of mergers and acquisitions transactions, particularly the use of cyberespionage to gain information on the competition.
A recent report published by FireEye warned of companies engaged in M&A discussions using cyberespionage to access information about competing parties to gain favorable terms. The report, titled, “Unsealing the Deal: Cyber Threats to Mergers and Acquisitions Persist In a Hot Market,” found that “multiple China-based threat actors” appeared to have breached companies “in sizeable deals involving Chinese state-owned enterprises."
FireEye threat intelligence analyst William Glass said the firm has seen corporate espionage campaigns by Chinese APT groups targeting executive emails, financial statements, and documents related to executive insurance policies and wills. “China is not interested in stealing all of the intellectual property that it can,” he told SCMagazine.com. Rather, he said the company has observed state-sponsored attacks in which information that allows Chinese companies to acquire private companies at the “absolutely lowest price,” he said.
The APT group espionage campaigns may have been prompted in part by the cyber agreement that the US and China signed last September. Terms of the agreement between the two countries to not engage in cybertheft of intellectual property requires a high burden of proof, said Glass. A foreign company that produces a product identical to a U.S. company's product is often a “red flag,” while theft of information related to a target company's lowest acceptable buyout offer “is harder to prove.”
One security professional told SCMagazine.com the cybersecurity capabilities of target companies are increasingly necessary to increase deal value. Bay Dynamics VP of program management Steven Grossman said legal and private equity firms are paying more attention to the cybersecurity posture of companies being considered as a potential acquisition target, especially those companies sought by corporate acquirers. That trend “is going to drive a lot of behavior,” he said. As an example, he said security issues “are going to reduce their valuation.”
M&A deals come with many data loss prevention risks, iManage head of security and compliance Miguel Contreras told SCMagazine.com. During the merger process, “disgruntled employees” worried about job security create additional risks as potential insider threats, he added.
iManage Dan Carmel said storing information in a secure environment is a unique challenge during the M&A process.
In a report published by Freshfields, 90% of M&A deal professionals said a data breach could affect deal valuation. Eighty-three percent of the investment bankers, financial and corporate investors, and legal advisors surveyed expected an M&A deal may be abandoned if a previous breach was discovered.