Mergers and acquisitions: a new target for cyber attack

Media, pharma, automotive, financial services and now manufacturing – whatever the sector, mergers and acquisitions are on the rise.

The frenetic pace of due diligence required to make these deals happen keeps hosts of legal and accounting professionals busy long into the night.

But as M&A practitioners on both sides of a transaction digitally share documents to assess and evaluate a client’s business risk, they could unconsciously expose their customer’s highly sensitive information and their own organisations to a growing threat.

The most common way for malware to enter an organisation is through documents and digital files – most commonly as email attachments.

>See also: Cyber security guide to the 10 most disruptive enterprise technologies

Word, Excel and PDFs all present an easy way to embed malicious code that can be exploited later – either to take down systems or steal information.

Until now, organisations have relied on two main technologies for protection from this threat: anti-virus software and sandboxing documents.

The first was supposed to stop anything ‘bad’ coming into an organisation and the second, if anything did get through this first layer of defence, would quarantine and analyse the file in a safe environment before it could do any damage.

Anti-virus does not work. Even some of the leading software manufacturers now admit that it is only effective 45% of the time.

Think about what this means to the M&A process – hundreds if not thousands of documents flying back and forth, with nothing to check that they are safe and clean.

It is hardly surprising that the The Institute of Chartered Accountants of England and Wales (ICAEW) has voiced its concern that the corporate finance community is a ‘deep seam of information waiting to be mined’ by those with malicious intent.

The nature of corporate finance – from the number of players involved in a transaction to the volume and sensitivity of the commercial information shared throughout the deal process – makes it an ideal target.

Whether cybercriminals seek to extract information around the timing of proposed transactions, financial terms and prices, customer and supplier data or invaluable intellectual property – letting them in through documents could not only have a material impact on the transaction, but also open all parties to increasingly sophisticated malware.

And when it comes to sandboxing – isolating and inspecting files takes time. Time to move and quarantine the file, time to analyse what is ‘bad’, fix it or decide that it is safe and then release it once this forensic process is complete.

Although the principle of taking potentially ‘bad’ files away from where they can do harm to examine them, is a pragmatic approach, there is no avoiding the fact that it disrupts workflow and slows down business and speed is critical to the M&A process.

The ICAEW urges companies to assess potential threats to their critical information assets and put in place adequate measures to prevent any incident that may compromise the value of those assets.

But how will professional advisors protect documents without AV or impact the speed and efficiency of transactions while documents languish in quarantine?

The ICAEW clearly states that no organisation is immune from cyber security threats recognising that ‘as organisations become better at protecting their valuable information, so those with malicious intent will find new ways of compromising the flow of information and data across corporate networks.’

The process of due diligence is all about verifying financial health and risk – the risks of insufficient information security controls can seriously impact both the health and risk profile of the organisation.

This is why professional advisors need to make cyber security a component of due diligence.

The right questions need to be asked about all the participant’s cyber security processes and controls, and the right technology solutions need to be invested in to ensure that documents shared in the disclosure process do not expose every participant in a transaction to the threat of security breach.


Sourced from Greg Sim, CEO, Glasswall Solutions

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Mergers and Acquisitions