Forescout Study Reveals More Focus on Cybersecurity Required During M&A Activity

Forescout Study Reveals More Focus on Cybersecurity Required During M&A Activity
Forescout Study Reveals More Focus on Cybersecurity Required During M&A Activity

As many as 50 per cent of organisations in Singapore have encountered a critical cybersecurity issue or incident during a mergers and acquisitions (M&A) deal that put the deal in jeopardy. This is according to a new international study, The Role of Cybersecurity in M&A Diligence commissioned by Forescout Technologies, Inc., the leader in device visibility and control.

The M&A cybersecurity risk study surveyed more than 2,700 IT and business decision makers across the United States, France, United Kingdom, Germany, Australia, Singapore and India to examine the growing concern of cyber risks and the importance of cyber assessment during M&As and the subsequent integration process. 

The research revealed more focus on cybersecurity risk during M&A is needed. According to the survey, cybersecurity is now a top priority with 85% of Singaporean ITDMs and BDMs putting more of a focus on a target’s cybersecurity posture than in the past. This comes as no surprise, as cybersecurity concerns discovered after consummation of the deal often present costly risks that would have been factored into the deal negotiations and/or may have led to the dissolution of the deal. After closing the acquisition, 65% of respondents have experienced regrets in making the deal due to cybersecurity concerns.

“Traditionally, when acquiring a company, M&A due diligence has been focused on aspects such as Finance, Legal, Business, Operations, Human Resources and IT, among others. However, in light of recent breaches, it is clear that organisations considering an acquisition could benefit from a greater, dedicated cyber evaluation,” said Wahab Yusoff, Vice President, Asia at Forescout.

“The IT and cyber landscape have changed dramatically in recent decades, with connectivity becoming increasingly prevalent. All of these factors have greatly complicated the evaluation and decision-making process and has made it a requirement to have new and innovative approaches to manage cyber risks. Cybersecurity assessments to have full visibility into all connected devices are therefore a key requisite not only prior to the acquisition but continually throughout the integration process as well.”

The survey highlights the following findings:

  • Proper cybersecurity evaluation takes time, but acquisitions often run on the fast track. Many deals face a race to get across the finish line. Only 34% of respondents in Singapore strongly agree that their IT team is given adequate time to review a targets’ cybersecurity standards, processes and protocols before completing an acquisition.
  • Connected devices and a human error put organisations at risk. When asked what makes organisations most at risk during the IT process, Singaporean respondents identified human error and configuration weakness (63%) and connected devices (59%). Devices often get overlooked and missed during integration as over half (57%) of ITDMs say they find unaccounted devices, including IoT and OT devices, after completing the integration of a new acquisition.
  • Prevalence of cybersecurity issues. Half (50%) of survey respondents report their organisation has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy. Further demonstrating the potential consequence of a security incident, undisclosed data breaches have become a deal breaker for most companies. 78% of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.
  • Internal IT teams may lack the skills to conduct cybersecurity assessments. Among Singaporean ITDMs, only 31% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to lack of resources, organisations must allocate outside resources to their cybersecurity assessments and/or may not be able to complete a robust assessment.