Half of IT decision makers (53%) found critical cybersecurity issues that put mergers or acquisition deals in jeopardy during their initial assessments, according to Forescout Technologies' survey of 2,700 executives.
- Undisclosed data breaches represent an immediate deal-breaker for their company's M&A strategy, said 73% of surveyed decision makers.
Acquiring a company, only to find critical cybersecurity issues down the line, made 65% of decision-makers feel buyer's remorse once the deal closed.
In the context of heightened cross-industry concern over data breaches, decision makers are looking more closely at M&A deals and the cyber risks they entail.
Marriott's massive data breach serves as a cautionary tale for the cyber risk of M&A. At the end of last year the hotel chain disclosed intruders had accessed data on 500 million customers via the Starwood reservation database, which was compromised since 2014.
Marriott acquired Starwood two years after the chain's systems were accessed without authorization.
"Acquiring a company without proper cybersecurity due diligence is like buying a used car and taking the seller’s word it is in good condition," said Joe Cardamone, senior information security analyst and North America privacy officer at Haworth.
Companies should look to verify the hygiene of all IT assets as it evaluates an acquisition, Cardamone said.
At credit ratings agency Equifax, aggressive acquisition activity contributed to its lack of oversight, ultimately resulting in the breach of data on 145 million people.
Cybersecurity weak spots include the acquired company's network of third-party vendors, which malicious actors can target for data and access if the correct protections aren't in place.