M-A activity can offer CFOs a unique opportunity to ramp up cybersecurity levels with greater investment and integration. Cybersecurity may not be a core competency for most CFOs, but it has huge bearing on their responsibilities. A successful data breach can cost victims costs victims around $4 million on average, not including damage to reputation and future sales.
M-A's also offer particularly attractive targets for hackers, the vast majority of whom are in it for the money.
Not only does the process of systems integration between both firms often create incompatibilities between applications and processes that hackers can exploit, but sensitive financial and customer data is also moving around much more, and faster, than usual as employees scramble to complete the deal and merge operations.
In this often chaotic milieu, substandard cybersecurity on one or both sides of the merger can prove costly – or even scuttle the deal altogether.
Cybersecurity should, in fact, make up one of the CFO's top priorities during a merger, precisely because of its large risk quotient. The best way to minimise those risks? Use the merger as an opportunity to refresh cybersecurity entirely.
Doing the groundwork
CFOs should put cybersecurity on their due diligence list from the earliest stages of a merger. Without a detailed audit of both organisations' systems, networks, and devices, CFOs and their CIO counterparts won't know the breadth or depth of risks that they face. Cybersecurity documentation from the target organisation can offer insight into how well their technologies and policies hold up under attack.
If that documentation doesn't exist, CFOs can escalate the matter by bringing in third-party assessors to conduct independent reviews and tests. Given the financial, legal and confidentiality risks of a breach, the CFO should make cybersecurity audits a necessary precondition to any M-A activity going ahead.
Investing in a refresh
In every M-A, it's the CFO's job to eliminate inefficiency. The same principle applies to cybersecurity inferior systems can cost the business not just in operational expenditure, but also in greater potential for breaches and greater risk.
During a merger, most CFOs will find that the firms' different networks, systems, and policies won't easily work together unless they've been explicitly designed to. And the cost of adopting an entirely new platform, while significant, often pales in comparison to the ongoing expenses and time spent trying to merge two incompatible cybersecurity platforms with one another.
A single integrated platform also allows CFOs to improve efficiency even as they minimise cyber risks. Fully-integrated platforms can deliver far higher degrees of automation when it comes to analysing and responding to threats, whether posed by suspicious files or unusual network traffic.
These automated responses often prove more accurate and consistent than manual tracking, which can miss more complex threats or subtle correlations that foreshadow an attack. A refreshed cybersecurity platform may cost more upfront, but it'll save the CFO from future costs like additional headcount, lengthy systems integration…and the spectre of a threat slipping through the gaps.
Take defences a step further
In performing a full refresh of their systems, CFOs and CIOs should consider taking their cybersecurity technology to the next level. New approaches and innovations can keep the merged organisation one step ahead of cybersecurity threats: internal network segmentation, for example, controls traffic going between different parts of the network, so that a breach to one doesn't necessarily compromise the rest.
With hackers increasingly spending a longer time snooping around on networks before they launch an attack, such defences can significantly reduce the risks and costs of potential breaches.
CFOs should view M-A's as a chance to reduce their cybersecurity risk levels now, and for the future. By setting cybersecurity as a due diligence priority, they can make sure that they invest the pooled resources of post-merger organisations into more robust and consistent security – and steer their fellow decision-makers away from M-A targets whose lack of cybersecurity may make them more of a liability than an asset.