Organizations often pursue mergers and acquisitions (M&A) to develop strategic business and competitive advantages by adding experienced personnel, unique technology or differentiated intellectual property. Such activity, however, can give rise to a common cybersecurity challenge. By integrating new IT assets directly into their core network, an acquiring company often ends up unintentionally expanding their attack surfaces and weakening their overall security posture.

The Wall Street Journal reported that 67 percent of attempted acquisition deals failed last year. Out of those, 39 percent cited "concerns about cybersecurity" as the key reason.

It's now essential for acquisitive companies to fully understand and minimize the cyber risk posed by expanding attack surfaces through technology acquisition or merger, both during due diligence and during the integration process of every M&A deal.

Concur the challenge

M&A activity can surface many types of challenging risks for an organization during its transformation. One of the bigger ones can arise from the inability to effectively manage the integration of cybersecurity practices. Acquiring a company with poor security hygiene can lead to increased and unforeseen costs, or even worse.

Marriot's acquisition of Starwood brand hotels in 2017 is a prime example of how critical risk has become in M&A deals. In late 2018, Marriott shares fell 5.6% percent in one day — a billion dollar drop in market cap — after it was revealed that Starwood had suffered a data breach affecting 500 million guests. The breach dated back to 2014, two years before Marriott's acquisition. The market's reaction reflected both the hit to Marriott's brand reputation as well as the unanticipated costs associated with remediation and response.

During typical M&A talks, countless questions need to be considered to ensure a smooth integration. Cybersecurity is no exception. The security posture of a potential acquisition must be thoroughly evaluated during M&A due diligence. Failure to do so can cause major business problems and put customers, employees and partners at risk.

Cybersecurity's role in M&A due diligence 

Historically, cybersecurity posture has been overlooked during M&A due diligence. It's only considered after a deal closes as part of the overall IT integration effort. Today, though, it's critical for companies to add cyber assessment to their pre-acquisition and integration checklists — before the physical merger of networks.

One critical aspect of cyber due diligence involves ensuring the target company's intellectual property and "secret-sauce" have not been compromised or copied by a potential competitor or nation state. 

Organizations first need to evaluate whether a threat-actor is embedded in the target's network without causing major impact on both sides. Only then can you continue due diligence by performing a combination of assessments to understand the security posture of the entities in question.

Security leaders need to consider security risks that could impact the merger and communicate their plans to address those issues to the board of directors and executives of both companies.

Why assessment is needed pre- and post-acquisition

An organization will often request previous vulnerability assessments or penetration tests during due diligence. But according to Gartner, the acquirer can expect such requests to be rejected most of the time, especially in cases of a proposed merger. Therefore, it's imperative for such organizations to perform additional cyber posture assessments that detail the full threat landscape and offer real and concrete recommendations when issues are found.

There are many tools and activities that can help companies gain a cursory glance at the security hygiene of M&A targets. The longer it takes for an acquiring company to discover a major issue, the more costly it will likely be to remediate.

At a minimum, an acquirer's security ops team will need:

  • Beyond a point-in-time vulnerability assessment or a penetration test. If the pen test is successful, security and risk teams should ask, "Who else was able to get into the network?"
  • A comprehensive understanding of the security state of the assets being acquired and merged into their network.
  • To understand the breadth and scope of the cybersecurity function.
  • To evaluate the external posture of the entity in question to better understand the risk landscape they'll inherit.

There is a cultural belief that risk and security are technical problems to be handled by people buried in IT. This mentality is dangerous, and one that unfortunately extends to general business practices like M&A.

Possible impact

For obvious reasons, the goal is to uncover a breach before M&A activity is finalized. Let's consider two examples of what happens when this process is followed and when it isn't:

  • Good: After two massive data breaches were disclosed during due diligence, Yahoo! and Verizon confirmed new terms for the sale of Yahoo!. By taking the cyber risk seriously, Verizon will pay $350 million less than originally planned, working out to a price of $4.48 billion.
  • Bad: Telstra Corp. admitted to being informed of a massive data breach of Pacnet's corporate IT network only after finalizing the $697 million acquisition in April 2015. A month later, Telstra started informing customers that a SQL injection on a web application server had allowed access to Pacnet's network, email and administrative systems. The impact of the data breach is still undetermined as of this time.

WWT Cyber Posture Assessment for M&A

WWT's Cyber Posture Assessment, powered by Cybereason, offers organizations the capability to gain an in-depth understanding of a potential acquisition target's current security posture and where they may be falling short. This assessment is crucial to understanding weaknesses in a target's security environment before it's too late. It will also help you understand how vulnerabilities can be addressed in a proactive fashion.

WWT and Cybereason have formed a partnership to drive our customers' desired business outcomes through holistic, long-term security solution development that can systematically mature your security posture, architecture and IT hygiene.

Assessment Benefits

Silent deployment

Our Cyber Posture Assessment leverages the Cybereason Services and Cybereason Defense Platform to easily deploy sensors within the M&A target company during due diligence to (a) quickly understand the security posture of the company's environment, (b) identify previous and current attacks and (c) remediate discovered incidents directly from the Cybereason console.

Leverage Cybereason's user-mode sensors for a smooth, worry-free and fast deployment to targeted endpoints across the enterprise — from workstations to laptops used by sensitive business units and individuals (e.g., executives, developers, privileged users and admins, internet facing web servers and more).

Light collection

Cybereason's featherweight sensors enable the efficient collection of real-time telemetry, volatile memory and forensic artifacts across all operating systems (Windows, MacOS, Linux).

Threat hunting

Our assessment employs a proven methodology designed to detect advanced persistent threats and targeted adversaries across the MITRE ATT&CK framework, which spans the full attack lifecycle. Detection and hunting techniques include behavioral analysis, TTP-focused hunting hypothesis, anomaly outlier detection and file-less malware investigation, all ingested with proprietary and advanced attacker-focused threat intelligence.

Analysis and discovery

Cybereason incident responders initiate analysis on data collected and threat hunting findings, at scale, for undetected malicious activity, suspicious network connections, malicious processes and services, suspicious artifacts, compromised user accounts and more.


Our detailed and complete technical report of all findings and recommendations will arm you with actionable intelligence for critical remediation next steps. It also includes a complete M&A cybersecurity compromise profile of the target company.

Enhanced decision making

WWT's Cyber Posture Assessment empowers your security leaders and operation teams to participate in and collaborate on security risks found during M&A due diligence and pre-deal sign-off. It also enables you to correlate newly acquired assets post-M&A with existing business to create a holistic view of security risk across the entire enterprise.

Cybereason is a complete endpoint protection platform that includes endpoint detection and response (EDR) plus next-generation antivirus technology in one lightweight sensor. In other words, it offers a complete solution for your M&A needs.

Explore WWT's Cybereason Sandbox in our Advanced Technology Center today to learn more.

Take action

Need to develop an M&A cybersecurity strategy but unsure where to start? Add WWT's Cyber Posture Assessment to your pre- and post-M&A checklists to ensure your overall security posture is being maintained and continuously strengthened. This is an easy first step toward mitigating potential integration risks that can arise during M&A activity.

For more resources from WWT: