Along with the excitement that comes from a merger or acquisition is a significant risk of cybersecurity attacks. One CISO admitted privately that phishing attempts on companies in his private equity firm increased by 400% in the months after the announcement of a deal. The risk is large enough that, according to IBM, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.

That risk will only rise as mergers and acquisitions (M&As) have increased dramatically this year, with a surge of 130% in Q2 alone. Not only have they increased in number but also in value, with the recent acquisition of Splunk by Cisco for $28 billion, its largest acquisition ever.

As these deals continue, especially in the finance and healthcare industries, organizations need to adapt by building effective third-party risk management into the M&A process. 

Understanding Third Party Cyber Risks in Mergers & Acquisitions

Due diligence during M&As should not be limited to the cybersecurity risk posed directly by the target company's own IT infrastructure; it should also include risks posed by third, fourth, and n-th party suppliers within its supply chain. These risks include cyber risks, regulatory non-compliance, data privacy issues, intellectual property concerns, and more.

For example, when healthcare and insurance provider UnitedHealth Group acquired healthcare data analytics firm Change Healthcare, it found that many of Change Healthcare's third-party healthcare system integrations were outdated and put UnitedHealth Group at risk. In addition, Change Healthcare used various legacy systems that did not implement basic cybersecurity practices such as encryption and access controls. Potential vulnerabilities introduced by either the legacy systems or the third-party dependencies put UnitedHealth Group at risk of exposing sensitive patient information previously handled by Change Healthcare.

Why Third Party Risk is a Critical Component in M&A Due Diligence

After a merger or acquisition, the target company must restructure its cybersecurity policies to account for the data, IT infrastructure, legal contracts, and regulatory frameworks previously agreed upon by the prospective company and its third parties and supply chain. Identifying serious cybersecurity concerns during the due diligence process may reveal the need to improve the acquired company's cybersecurity posture, introducing new costs the buyer should be aware of in advance. In addition, identifying leaked data or company secrets may lead to a devaluation of the deal.

Specific examples of M&A deals that suffered from insufficient third-party risk management include:

  • Kroger and Albertsons' Merger Talks (2023). The merger faces various supply chain risks that could result in operational failures that impact customer service. This currently proposed merger is also suffering from numerous legal risks related to anti-trust violations and is experiencing numerous delays and court battles.
  • Advent International and Maxar Technologies (2023). The merger between equity firm Advent International and space technology and intelligence company Maxar resulted in operational delays due to the integration of the different technologies, which impacted both project deadlines and compliance with regulatory standards.

It shouldn't be surprising, then, that companies failing to conduct comprehensive due diligence and assess third-party risks during M&A face a loss of 30% in the value of the deal.

Key Areas of Third Party Cyber Risks in Mergers and Acquisitions

Cybercriminals know that the technological integration required during an M&A, the shift in responsibilities and restructuring of employee hierarchies, and the focus of IT resources on the integration of the two infrastructures and systems create the perfect opportunity for an attack. 

The identification and mitigation of third-party risks during this time should include:

  • Cybersecurity risks, assessed comprehensively through the seller's history of breaches and other security incidents, its current cyber policies and best practices, and its adherence to compliance and remediation plans.
  • Data privacy and compliance risks that result from differing regulatory or security standards between the potential seller and its third parties.
  • Contractual obligations that fail to detail strict cybersecurity policies for third parties, include non-compete clauses, and are difficult to terminate without facing penalties.
  • Operational risks due to vendor lock-in or reliance on a few specific third parties that create a single point of failure.

Cybersecurity Risks

The entire supply chain of the third party should be mapped to identify any vulnerabilities arising from the new business relationships, including third, fourth, fifth and n-th party suppliers. These can include, but are not limited to: existing threats in the system that are currently dormant, lack of data backups, exposed sensitive data or IP, insider threats, lack of encryption policies, failure to record the results of penetration testing or other security tests, and lack of device management security. In addition, the contractual obligations of each of these parties should be reviewed to understand the security requirements they detail and whether or not those requirements meet the current company's standards and its regulatory and compliance requirements.

Data Privacy and Compliance

Since different organizations adhere to different regulations based on their industry, location, and internal cybersecurity policies, data protection and privacy policies are not standardized across third parties. During the due diligence stage of a merger or acquisition, the target company must map and identify all suppliers within its ecosystem to ensure that they are compliant with the data protection regulations its standards require. Failure to comply with the new standards can result in financial penalties, damage to the target company's reputation, and increased opportunity for cyberattacks that result in operational disruption.

Contractual Obligations

The contract with the inherited party may include third-party contracts that do not require strong cybersecurity practices such as access controls, privileged access management, or real-time monitoring. This both increases the risk of unauthorized access to sensitive data and decreases the ability to detect unauthorized access from third-party systems and mitigate it promptly. In addition, the lack of a unified cybersecurity standard across all third parties may result in cyber gaps for the inherited party. Many contracts may not include protocols for fourth, fifth and n-th parties, creating additional vulnerabilities and weakening the inherited company's security posture.

Operational Risks

The termination of old suppliers and third parties and onboarding of new ones in addition to the integration of technologies can expose the buyer to a range of operational risks. First, the complexity involved in the integration of IT services between the two operations can result in compatibility issues that impact the data sharing and workflow automation needed for operational efficiency. 

Second, the new third parties in the supply chain may find it difficult to adapt to the increased demand or the change in logistics required. Finally, these new suppliers may also offer a different level of service quality, resulting in decreased customer satisfaction. Their adherence to compliance and regulations may be less strict as well, opening the door to data breaches and security violations that result in operational disruption.

The Digital Age: Technology-Driven Third Party Risk Assessments

Since organizations now increasingly rely on third parties, and those third parties in turn outsource critical services to fourth or fifth parties, it is critical that these organizations execute third-party risk assessments continuously. One of the best ways to scale these third-party risk assessments effectively during M&As is through advanced digital tools that offer the latest technology.

This includes: 

  • Automation, applying various tools to traditionally manual workflows.
  • Data analytics and artificial intelligence (AI) that predict the likelihood of attacks based on previous data and trends.
  • Third-party risk management platforms that deliver visibility into the extended supply chain.

Automation

Automated tools such as SRS and security questionnaires help scale due diligence by delivering continuous monitoring and risk assessments that both identify and flag third-party risks. At the same time, however, they lack the ability to ensure internal compliance. Advanced automation tools, in contrast, comprehensively assess your third party's attack surface at three different layers (IT and network; applications; and the human layer), continuously monitor these layers to detect cyber issues, and send alerts in real time when relevant. This includes automatically calculating a risk score for the target company based on predefined criteria, in addition to the security posture of its third parties. Advanced automation tools can also both create remediation plans to mitigate third-party risk and verify that a third party has sufficiently remediated its cyber gaps according to your organization's risk appetite.

Data Analytics and Artificial Intelligence (AI)

Since AI plays an important role in analyzing massive amounts of data, it can play a critical role in threat intelligence related to third-party risk management during M&As. It can help the target company map dependencies and identify risk, analyze past breach histories, continuously monitor third parties and their dependencies, and develop more accurate risk scoring based on any changes in a third party's compliance, reputation, or legal challenges. AI also plays a role in automating workflows that streamline and simplify the process of scaling due diligence, audit reports, vendor risk assessments, and security questionnaires during M&As.

Third Party Risk Management Platforms

Advanced third-party risk management platforms such as Panorays help map third, fourth, and n-th parties in an organization's supply chain, prioritizing the different risks according to their level of criticality. This includes evaluating risk in terms of these third parties' data privacy and protection plans, adherence to compliance and regulations, incident response, and network and application security. Panorays' AI-powered third-party risk assessments are sent to vendors regularly, and the answers are verified by gathering relevant information from past questionnaires, vendor documents, and publicly available information. This makes the resulting cyber risk score, or RiskDNA, the most accurate on the market today.

Steps for Effective Third Party Risk Due Diligence in M&A

To avoid a devaluation of deals, unexpected allocation of resources to upgrading technology, and unforeseen cybersecurity risks, organizations must take effective steps towards third-party risk management during the due diligence stage of an M&A. 

Step 1) Risk Identification

The first critical step in due diligence during an M&A is mapping out the target company's supply chain, identifying third parties and their dependencies. This should also include categorizing vendors according to their different levels of access to sensitive data, information and IT infrastructure. The target organization should use this categorization to prioritize the risks according to criticality.

Step 2) Risk Assessment

After you've mapped out the supply chain, including third, fourth, fifth and n-th parties, you'll want to assess the individual risks each supplier brings to the organization. These risks should include regulatory, operational, cyber, financial and data privacy risks. Organizations should assign risk scores based on a combination of factors such as the results of cybersecurity questionnaires, data breach history, adherence to compliance, and implementation of internal security controls (e.g. encryption, access control, etc.).

Step 3) Contract Review

The target company should review all third-party contracts to ensure the level of risk management, responsibility sharing, and adherence to compliance meets its current standards. If not, it will need to renegotiate terms. The contract review should also examine termination policies, minimum purchase commitments, exclusivity clauses, and other stipulations that make renegotiating terms more challenging.

Step 4) Cybersecurity Audit

Critical third parties should be audited to determine their resilience in the event of an attack or operational disruption. These audits may also include vulnerability assessments, penetration testing, checks of adherence to specific industry or data protection regulations (such as GDPR and PCI DSS), and a review of whether the third party's access controls and encryption are sufficient to defend it against vulnerabilities.

Step 5) Ongoing Monitoring

Real-time monitoring tools should be implemented to continuously evaluate third-party risk for the target party, as cybersecurity policies, adherence to regulations, and the risk landscape evolve constantly. This is particularly relevant during a merger or acquisition when IT infrastructure is integrated, suppliers and supply chains are shuffled, and employee titles and responsibilities shift, creating more vulnerabilities for attackers. 
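The following is an added example, not code from Panorays or from this article, showing how Steps 1 and 2 above can be made concrete: a vendor inventory is tiered by level of access (Step 1), each vendor gets a weighted risk score from questionnaire results, breach history, compliance status and implemented controls (Step 2), and risk is propagated through fourth- and n-th-party dependencies so that a clean third party that relies on a weak fourth party is not ranked as low risk. The weights, tiers, the 0.8 per-hop discount, the required-controls list and the three sample vendors are all constructed assumptions for illustration, not a published scoring model; Steps 3 to 5 (contract review, audit, monitoring) are human processes that this code does not cover.

```python
"""Vendor tiering, weighted risk scoring and dependency-aware prioritisation.

Added example for M&A third-party due diligence (Steps 1 and 2 of the article).
All weights, thresholds and vendor data below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed factor weights (sum to 1.0); a real programme would calibrate these.
WEIGHTS = {
    "questionnaire": 0.35,   # 1 - questionnaire score (score 0..1, higher is better)
    "breach_history": 0.25,  # breaches in the look-back window, capped at 3
    "compliance": 0.20,      # 1 if the vendor is non-compliant with required regulations
    "controls": 0.20,        # share of required controls the vendor has not implemented
}

# Assumed baseline controls every vendor is expected to have.
REQUIRED_CONTROLS = {"encryption_at_rest", "encryption_in_transit", "mfa",
                     "access_control", "logging"}

# Discount applied per dependency hop when inheriting risk (assumption).
HOP_DISCOUNT = 0.8


@dataclass
class Vendor:
    name: str
    accesses_sensitive_data: bool
    accesses_it_infrastructure: bool
    questionnaire_score: float        # 0.0 .. 1.0, higher is better
    breaches_last_3y: int
    compliant: bool
    controls: set[str]
    depends_on: list[str] = field(default_factory=list)  # fourth / n-th parties


def tier(v: Vendor) -> int:
    """Step 1: categorise by level of access. Tier 1 is the most critical."""
    if v.accesses_sensitive_data and v.accesses_it_infrastructure:
        return 1
    if v.accesses_sensitive_data or v.accesses_it_infrastructure:
        return 2
    return 3


def intrinsic_risk(v: Vendor) -> float:
    """Step 2: weighted score 0..100 from the vendor's own risk factors."""
    breach_term = min(v.breaches_last_3y, 3) / 3
    missing_controls = len(REQUIRED_CONTROLS - v.controls) / len(REQUIRED_CONTROLS)
    score = (WEIGHTS["questionnaire"] * (1 - v.questionnaire_score)
             + WEIGHTS["breach_history"] * breach_term
             + WEIGHTS["compliance"] * (0 if v.compliant else 1)
             + WEIGHTS["controls"] * missing_controls)
    return round(score * 100, 1)


def effective_risk(name: str, inventory: dict[str, Vendor], _seen=None) -> float:
    """Risk propagated through the dependency graph: a vendor is at least as risky
    as its riskiest fourth/n-th party, discounted one step per hop. Cycles are
    guarded so a mutual dependency cannot recurse forever."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return 0.0
    v = inventory[name]
    own = intrinsic_risk(v)
    inherited = [HOP_DISCOUNT * effective_risk(d, inventory, seen | {name})
                 for d in v.depends_on if d in inventory]
    return round(max([own] + inherited), 1)


def prioritise(inventory: dict[str, Vendor]) -> list[tuple[int, float, str]]:
    """Order vendors by access tier first, then by effective risk (descending)."""
    rows = [(tier(v), effective_risk(n, inventory), n) for n, v in inventory.items()]
    return sorted(rows, key=lambda r: (r[0], -r[1]))


# Constructed sample inventory: a billing SaaS (third party) that depends on a
# hosting provider (fourth party) with a weaker posture, plus a low-access supplier.
SAMPLE_INVENTORY = {
    "BillingSaaS": Vendor("BillingSaaS", True, True, 0.9, 0, True,
                          set(REQUIRED_CONTROLS), depends_on=["CloudHost"]),
    "CloudHost": Vendor("CloudHost", False, True, 0.6, 2, False,
                        {"encryption_in_transit", "mfa"}),
    "OfficeSupplies": Vendor("OfficeSupplies", False, False, 0.5, 0, True, set()),
}

if __name__ == "__main__":
    for t, risk, n in prioritise(SAMPLE_INVENTORY):
        own = intrinsic_risk(SAMPLE_INVENTORY[n])
        print(f"tier {t}  effective {risk:5.1f}  own {own:5.1f}  {n}")
```

In the sample, BillingSaaS scores only 3.5 on its own factors but its effective risk rises to 50.2 because of the CloudHost fourth party it depends on, which is the point of mapping beyond the third party: the ranking would otherwise put the most critical, data-handling vendor near the bottom of the list.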

Challenges in Managing Third Party Risk During Mergers and Acquisitions

Attackers are aware of the challenges IT and security teams face during a merger or acquisition, which include:

  • Complexity of the supply chain. Gaining visibility into the seller's supply chain is challenging, as many elements, such as shadow IT and the extended supply chain, are not easily detected.
  • Non-comprehensive assessment of third-party risk. The excitement of an M&A, especially for high-value deals, may result in a desire to rush through things and not be thorough in attending to the details of cybersecurity practices.
  • Integration of risk management practices across company cultures. During an integration, employee roles and responsibilities, locations, company culture and even geographies change. It may be difficult for employees to adjust to the new standards of compliance, cybersecurity practices, and technology integrations.
  • IT-resource constraints. During an M&A, the IT department is typically occupied with integrating legacy and new technologies and making them compatible with one another. This makes the infrastructure more susceptible to attacks at exactly the time when the team's focus is away from security.

Mitigating Third Party Risks: Best Practices

Establish a third-party risk management framework for the M&A process that includes steps to take throughout the lifecycle of the deal, from planning and due diligence to integration and after the closing of the deal. For example, clear lines of accountability for third-party risks after the merger has concluded should be established and detailed in contracts and SLAs. The target organization may also consider engaging external cybersecurity firms for independent assessments and to take the load off the IT and security teams involved in the M&A integration.

The Future of Third-Party Cyber Risks in Mergers & Acquisitions

In the coming years, new technologies such as automation, AI, machine learning and predictive analytics will continue to improve risk visibility and mitigation during mergers and acquisitions. According to Deloitte's 2024 M&A Trends Survey, generative AI can use historical data to make predictions and assist in assessing the risk associated with an M&A. With the continually evolving regulatory and risk landscape, M&As will also start to focus more on regulatory scrutiny and compliance as a strategy to reduce the time and resources needed to address cybersecurity issues afterwards and the potential for devaluation of a deal.

Third-Party Cyber Risk in Mergers & Acquisitions Solutions

Not all mergers and acquisitions make it to the closing stage. Over 70% of them fall through for various reasons, including challenges in integration. Organizations often underestimate the time, resources and complexity involved in combining their IT infrastructures while minimizing operational disruption. Today, executives realize the importance of third-party risk management from the earliest stages of a merger or acquisition, and its impact on both their own cybersecurity and the deal valuation. Taking the cybersecurity posture of third parties seriously at the earliest stages should help more of these deals succeed.

Want to optimize your third-party risk management during critical times such as mergers and acquisitions? Contact Panorays to learn more.