M&As are a staple of global commerce, allowing corporations to build market share, expand their international reach, diversify products and services, and acquire technology. Many are hugely successful for the businesses and their shareholders, with the likes of Disney’s purchase of Pixar - and later Marvel, the Exxon/Mobil merger and Facebook’s acquisitions of Instagram and WhatsApp largely seen as big M&A successes. There’s a constant conveyor belt of deals, with the newly proposed Virgin Media/O2 merger among the most recent high profile Mergers & Acquisition (M&A) stories.
However, there are plenty of deals that don’t end so well. This can be because of outside factors such as changes in the economy, market disruption or regulation. Some failures could also be because of gaps in integration execution, or the failure of expected sales to materialise. It’s a long list, including the likes of Microsoft’s acquisition of Nokia, which resulted in significant job losses among the Nokia workforce and a big financial hit for Microsoft. Similarly, Yahoo’s acquisition of social networking platform Tumblr in 2013 is now variously described as a failure/waste of money - a $1.1billion price tag eventually led to a $230 million write down.
Every M&A transaction brings with it complex and detailed due diligence, and - when deals proceed - integration processes that will influence the success of the deal as a whole. A feature of today’s M&A processes is that they are becoming more complex due to the reliance every business places on its technology infrastructure and the challenges of bringing completely separate systems together.
As a result, it is imperative that companies properly evaluate the IT infrastructure of potential acquisitions in order to safeguard customer, company, and partner data, and ensure the integrity of business-critical systems. But, cybersecurity is becoming a common blindspot for the organisations involved, resulting in serious new vulnerabilities that stifle the efforts of leaders to successfully integrate platforms, solutions and services. An example of this is when larger companies using legacy on-prem solutions acquire younger startups that have a much bigger emphasis on cloud solutions. This can add to the complexity of the M&A process because the two organisations will have different security strategies in place.
A look at the Marriott/Starwood acquisition underlines the potential impact of a cybersecurity due diligence failure. The deal created one of the largest hotel chains in the world and part of Marriott’s subsequent strategy was to create a new loyalty program that would give existing Marriott and Starwood customers access to over 5,500 hotels in 100 countries. However, a failure of due diligence during the M&A process allowed an attacker - who breached Starwood’s infrastructure before the acquisition - to remain undetected and download their customer data. After the breach was uncovered, Marriott was eventually on the receiving end of a £99 million GDPR penalty.
So the point is, organisations participating in M&A activities must have full visibility into their own systems as well as those of the companies they are acquiring, if they are going to give security the attention it needs during a takeover process. For example, if an unauthorised user with administrative access is making requests for data on a database with customer information, the acquiring firm must address that security concern beforehand. Additionally, encryption of data across all applications, data lakes, and beyond can also help protect sensitive data.
The upside of bringing enterprise IT systems and data together securely is that both organisations can have the potential to benefit from the shared capabilities, tools, processes and experience of their teams and technology. Relegating it to a side-issue during M&A activity risks serious breaches, is distracting from the integration process and can seriously compromise comhard-won corporate reputation.