SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Cybersecurity risks rise during mergers & acquisitions

Yesterday

An analysis by ReliaQuest has revealed significant cybersecurity challenges companies face during mergers and acquisitions (M&A) processes.

The study found that 50% of M&A-related cybersecurity incidents among its customers in 2024 were non-malicious, involving employee policy violations or other non-malicious activities. Issues in this category included integration-induced investigation delays, policy and compliance challenges, and problems with internal tools.

The remaining 50% of incidents were malicious, with evidence from cybercriminal forums indicating that threat actors actively target businesses engaged in M&A processes. These actors exploit perceived security weaknesses, as employees are often occupied with merger logistics, allowing cybercriminals to remain undetected for longer periods.

The analysis highlighted that the manufacturing sector was most affected, accounting for 42% of M&A-related incidents. This is likely due to the sector's reliance on legacy systems and operational technologies, which can complicate updates and incident response, problems that are exacerbated during an M&A process. Other affected sectors include finance and insurance, professional, scientific, and technical services, and retail trade, each accounting for 8% of incidents.

The report underscores the security challenges that arise when integrating newly acquired entities. Security teams need to align the acquired company's tools and practices with the acquiring organisation's standards and protocols, which can be complicated.

In a notable example, a private equity Chief Information Security Officer (CISO) reported a 400% spike in phishing attempts targeting companies they acquired after M&A deal announcements. The threat is compounded by internal dynamics, such as job security concerns, which can erode employee morale and performance, indirectly compromising security postures.

Cybercriminal interest in M&As was also highlighted in dark web discussions. Posts on forums such as XSS have noted the potential value of insider information related to competitors' long-term goals and M&A plans. Queries about monetising stolen M&A details have emerged, with suggestions including insider trading and blackmail.

Data leaks are another significant risk, as illustrated by posts on BreachForums that expose personal and sensitive company information of firms involved in M&A. Examples of such data being offered include a US retailer's customer data and a Japanese construction company's employee credentials.

To combat these challenges, ReliaQuest offers several recommendations. Providing thorough training on new equipment and policies, performing pre-due-diligence cybersecurity assessments, implementing network segmentation, and establishing a unified logging framework are all suggested strategies. Additionally, using platforms like ReliaQuest's GreyMatter can aid in monitoring and reinforcing security measures.

The dynamic nature of cybersecurity threats during M&As is further complicated by factors such as evolving legislation and ransomware tactics. For example, potential regulatory changes could lead to relaxed cybersecurity standards, increasing the need for diligent audits and assessments.

Finally, the growing trend of cloud adoption poses additional vulnerabilities during M&A transitions, with companies potentially exposed to cloud-based threats that can exploit cloud APIs and unsecured SSH keys.

ReliaQuest stresses the importance of enhancing visibility, communication, and defense strategies during M&A processes to mitigate risks and ensure successful integration.
