Managing M&A cyber-security risks
Zero trust is at the centre of a secure acquisition, but there are other important strategies to follow as well.
Rich Dean
7/8/2024
In today’s business landscape, acquisitions are an integral part of growth and expansion but come with significant risks, particularly when integrating new personnel and information resources into an existing ecosystem. One of the primary risks lies in the potential security vulnerabilities within the acquired organisation.
Unfortunately, in the rush to finalise acquisitions with minimal disruption, organisations often overlook security, leading to major breaches. For instance, after Marriott International acquired Starwood Hotels in 2016, a 2018 data breach exposed the personal information of approximately 500 million guests. Attackers had been in Starwood’s system since 2014, well before the acquisition.
Similarly, in May 2024, Dropbox experienced a significant breach affecting its e-signature service, Dropbox Sign (formerly HelloSign), acquired in 2019. Hackers accessed customer information, including emails, usernames, phone numbers, and hashed passwords, as well as API keys and OAuth tokens.
These breaches highlight the need for rigorous cyber-security assessments and the integration of security measures into the M&A process to ensure a safe and seamless transition. This approach not only protects assets and maintains stakeholder confidence but also ensures the long-term success of the acquisition.