By Snehal Antani
The word “risk” is virtually synonymous with M&A — but some risks in the process don’t come with a reward. Security gaps stemming from various causes, from misconfigurations to weak credentials, can sabotage the success of an M&A endeavor before integration even begins.
Unfortunately, cybersecurity risk is something of an afterthought during the M&A process. Leaders are homed in on financial concerns, shifting business goals and managing change with employees, so IT falls by the wayside. However, neglecting to identify security weaknesses can cause enough damage to undercut the process entirely.

It’s a critical reminder when the appetite for M&A is up across the global market: According to research from PwC, 81% of executives who have made an acquisition in the past three years hope to make one or more in the next three, and firms including Bain & Co. are declaring 2025 the year of the “rebound” for M&A dealmaking. But where business leaders see an invigorated market, bad actors see new opportunities to attack.
As M&A activity expands, organizations must recognize and address the security gaps associated with the process through intensive IT systems auditing and quick remediation.
An unsteady battleground
Organizations are most vulnerable to attack during a period of change. During a merger or acquisition, long-held business practices and protocols may be upended. Changes in staff duties — IT-related or otherwise — may lead to knowledge gaps, allowing hackers to exploit employees through phishing or social engineering tactics. Add an influx of sensitive data, such as new employees’ personal information, and there are even more opportunities for attackers to compromise the business.
Depending on the complexity of the M&A deal, integration can take up to three years — that’s a long runway for potential problems. This is why it’s important to properly assess risk during the due diligence phase, while processes are still malleable.
My company, Horizon3.ai, recently conducted an audit on behalf of an American multinational manufacturer during an M&A process, wherein we found nearly 2,000 security weaknesses across its target organization’s network infrastructures.
Were these weaknesses to be exploited, they would lead to at least 139 critical impacts, including host compromises and sensitive data exposure, potentially jeopardizing the entire transaction. With this much at stake, cyber risk assessment must be a non-negotiable part of any M&A playbook.
Conducting a thorough cybersecurity audit
A full-scale cybersecurity audit has benefits for both parties in an M&A deal. As we found in our case study, the acquiring organization gained valuable insights into the acquired company’s risk situation and potential business impacts. Meanwhile, the acquisition target was able to eliminate weaknesses and improve its overall security posture.
Here is a four-step guide to conducting an airtight cybersecurity audit of an M&A target:
- Calculate all reachable assets at a target organization. This includes network credentials, protected data and hosts, among other critical data and systems.
- Conduct a baseline penetration test to identify vulnerabilities and potential attack paths a hacker could use to compromise critical systems.
- Verify the results. False positives are costly. False negatives are disastrous. Retesting should be part of any cybersecurity audit to ensure the accuracy of the results and an efficient remediation plan.
- Fix the most critical weaknesses first. Remediation should happen in strategic phases, starting with the most potentially destructive weaknesses. This way, resources aren’t wasted on untargeted “cover your bases” measures, and vital assets are protected.
Lessons learned
In an M&A deal, a company’s security posture is just as important as its financials and market value. Leaders need full visibility into the attack paths, proofs and impacts of every potential vulnerability. Fortunately, today’s technology allows organizations to conduct these risk assessments promptly and easily — often without the need for costly outside consultants.
Cybersecurity risk management must be proactive, not reactive. Prioritizing real-time monitoring and proof-based remediation during the due diligence phase will lay the foundation for good cybersecurity hygiene once the merging organizations have fully integrated.
Snehal Antani is CEO and co-founder of Horizon3.ai, a cybersecurity company that pioneered the use of AI to autonomously conduct penetration testing. Prior to Horizon3, Antani served as the first chief technology officer for Joint Special Operations Command. Prior to serving within US Special Operations, he was CTO and SVP at Splunk, held multiple CIO roles at GE Capital, and started his career as a software engineer at IBM.
Illustration: Dom Guzman