Cybersecurity due diligence is key to M&A success: Alvarez & Marsal’s Suryawanshi

While mergers and acquisitions (M&A) can help businesses deploy capital and achieve a competitive advantage, they can also create significant cyber-risks including the theft of valuable intellectual property, exposure of confidential data related to the M&A transaction, monetary loss, damage to brand reputation, and legal liabilities. In an exclusive interview with TechCircle, Chandra Prakash Suryawanshi, Managing Director and India Global Cyber Risk Services Practice Leader at professional services firm Alvarez & Marsal (A&M) explains why cybersecurity due diligence is a critical step for M&A success and  how can firms safeguard and enhance their offerings in a rapidly changing technological environment. Edited excerpts.

What role does cybersecurity diligence play in mergers and acquisitions across various sectors?

Cybersecurity diligence plays a critical role in mergers and acquisitions (M&A) across sectors, with a particularly significant impact on financial, healthcare, technology, and platform-enabled businesses. Its importance stems from the rising prevalence and sophistication of cyber threats due to their larger attack surface and the potential for financial, legal, and reputational damage. Manufacturing, energy, utilities, and automotive sectors are also becoming highly vulnerable due to rapid digitization and technological evolution. As a result, cybersecurity diligence has become indispensable across industries to ensure that technological advancements do not compromise security, safety, or operational resilience. It enables organizations to make informed decisions, accurately value digital assets, and implement effective risk mitigation strategies post-transaction, while also understanding the potential costs involved.

How would you evaluate the cybersecurity risks associated with a company that has recently experienced a phishing attack?

Evaluating cybersecurity risks after a phishing attack involves assessing the attack's modus operandi and impact (generic vs. spear-phishing with advanced malware), identifying control failures (e.g., lack of multi-factor authentication, email security gateways, or misconfigured SPF, DKIM, and DMARC), and evaluating detection and response capabilities. The depth of diligence depends on the attack's sophistication and impact, control failures, and overall security posture. A comprehensive evaluation includes configuration reviews, penetration testing, external attack surface management, incident response preparedness, and security monitoring and simulations to gauge resilience and identify vulnerabilities.

What are the key considerations when negotiating a purchase price in light of potential cybersecurity vulnerabilities?

When negotiating a purchase price considering cybersecurity vulnerabilities, focus on: intellectual property ownership, open source usage, license compliance, and protection from cyber threats. Secondly, regulatory compliance, as significant gaps can lead to fines and business restrictions, thirdly, cyber risk exposure and remediation costs, complexity, and timelines; and finally, contractual liabilities related to past incidents and future risk. These factors enable buyers to accurately assess cyber risk, ensure the deal structure reflects and mitigates these risks, and protect both parties from post-transaction surprises.

How would you develop an integration strategy for a target company for a strategic buyer?

Developing an integration strategy for a target company requires understanding its business, assets, technology, and regulations. The first step is a comprehensive risk and threat assessment across both organisations, including existing controls and compliances to identify key control owners. Simultaneously, review security technologies to find overlaps and consolidation opportunities. Consider architectural enhancements like secure segmentation, Sero Trust, and SASE frameworks. Next, consolidate security tools and centralise authentication to enforce consistent policies (MFA, password standards, and group policies). Review data storage and access management for governance, segregation of duties, and minimal privilege, with all access logged based on data sensitivity. Identify and monitor private data, especially cross-border, for compliance. Finally, collaborate with third-party vendors for risk management and operational efficiency.

In what ways can firms safeguard and enhance their offerings in a rapidly changing technological environment?

To protect and strengthen brands in today's dynamic technological landscape, a proactive, multi-layered cybersecurity strategy is crucial. This includes security operations centres employing SIEM, threat intelligence, user behaviour monitoring, and threat hunting. It also requires responsive measures like incident response and cyber-crisis management tools, playbooks, and simulations for containing attacks. Furthermore, external attack surface management offers real-time visibility into shadow IT, outdated assets, and misconfigurations. Continuous monitoring of the dark web for leaked credentials, sensitive data, and intellectual property, along with brand reputation monitoring for phishing sites, fake apps, logo misuse, and fraudulent social media, is also essential.

How are organisations allocating resources towards cybersecurity solutions?

Organisations are increasingly allocating resources towards cybersecurity solutions by adopting a strategic, risk-based approach. Earlier, resources were largely focused on regulatory compliance, contractual obligations and certification requirements but today, they are tied to risk-based requirements. Broadly, the investment is shifting more from traditional Governance Risk and Compliance (GRC) and security tools to more dynamic capabilities that enable real-time security monitoring, proactive threat hunting and incident response and resilience.

How can a firm address a cyber incident after a deal is closed?

To address a post-deal cyber incident, firms should activate the incident response plan, including containment measures to prevent further data loss or compromise, isolating affected systems, disabling compromised accounts, and deploying forensic tools. Follow communication protocols, informing stakeholders, legal teams, and regulators while adhering to data breach notification laws. Leverage remediation playbooks to contain and eradicate the threat and enable hyper-monitoring. Remediation may include rebuilding systems, resetting credentials, patching, vulnerability assessments, updating indicators of compromise, blocking malicious IPs, enhancing security controls, and strengthening monitoring. Act swiftly, maintain transparency, and demonstrate a strong commitment to security.