A WSJ report outlined how increased cyber risks amid COVID‑19 are posing increased challenges for M&A transactions globally.
Heightened concerns about the increased cyber risks faced by acquiring companies and the subsequent merged entities in M&A transactions are a reflection of the increased IT risks catalyzed by COVID‑19. Risks have increased exponentially for many companies, not just because of the sudden transition to remote work but also because of the accelerated migration to the cloud and roll-out of new digital services that all rapidly increase the complexity of a corporate network. This extends beyond the company in question to also include the changes in the IT environments of partners and suppliers. The challenges have been particularly acute for companies (1-Star in Cyber Governance Indices) that were poorly managing their technology prior to COVID‑19.
But the materiality of cyber risks in the M&A context is not a new development. Cyberhedge models have long identified that the cyber governance performance (how well or poorly a company manages its combined financials and technology) of an acquiring company declines post-acquisition. Examples like Marriott and its 2018 breach that stemmed from the Starwood acquisition and the United Technologies—Raytheon merger are examples of the financial risks that result from cyber and M&A.
In the case of the UTC RTN merger, in terms of cyber governance, not only did UTC and RTN both underperform on important metrics, but, in addition, many of UTC’s main supply chain partners are poor performers on cyber as well.
COVID‑19 intensifies the already existent cyber risks within an M&A context involving companies with poor cyber governance, and emphasizes the need for increased top-level focus on security from the board and C-suite, not just in the context of ‘deal due diligence’ but more broadly, and on an ongoing basis.