M&A: Hidden risks in the applications you just bought and didn't know about
Mergers and acquisitions (M&A) of products, capabilities, and companies have become a common strategy for business growth. Although M&A transactions decreased in 2020 because of the COVID-19 pandemic, trends in acquisition and consolidation of companies remain strong. In fact, since 2000, more than 790,000 transactions have been announced worldwide with a known value of over $57 trillion USD.
There are high stakes in M&A. Companies take great risks with their economic future when acquiring the assets of a target company. A great amount of due diligence is invested in the M&A process to discover potentially harmful legal claims, tax issues, and environmental issues, and to confirm that the target company's assets are provable, real, and unencumbered.
In our budding digital era, the same focus must be applied to due diligence of software applications that serve as the core operation center of a company. An undiscovered vulnerability can seriously undermine the value and optimization of an acquisition.
It is all about risks. “A damaged asset is worth less,” according to Sean Wessman, a Principal at EY’s Americas Risk and Cybersecurity Practice. “Cybersecurity issues potentially affect M&A in a number of ways. Given how costly data breaches can be in both tangible and intangible terms, acquirers want to get as much certainty as possible about the risks they are buying in a deal.” Source: The Role of Cybersecurity in M&A - Journal of Cyber Policy
With software applications, due diligence requires knowing what you have and what you do not have. Are the applications configured correctly? Is there any hidden malware? Are there risky legacy programs attached to the applications?
Testing of Software Applications Integral to M&A Process
There is only one surefire way to mitigate software application risk, and that is through comprehensive testing. Testing identifies vulnerabilities and lets acquirers understand the cyber-risks they are taking on in a deal. Before the merger or acquisition formally proceeds, all acquired application software should be tested to detect all variations of malware, known and unknown. Sometimes the company being acquired does not even fully know what devices or applications are operating in its own networks.
Testing can proactively discover vulnerabilities in legacy applications, in the distribution of IT assets, and in many other use cases, including how the acquired data and intellectual property are protected.
In conjunction with application testing, the cybersecurity M&A process should explore the proper business alignment and maintenance of all acquired applications and be part of a larger framework. For example, the Kroll Cyber Due Diligence for M&A infographic below provides a working overview. Note that cyber due diligence, including testing of applications, is also important for post-transaction operations.