The Scourge of Ransomware in Mergers and Acquisitions

Introduction

At an accelerating pace, large mergers and acquisitions (M&A) are falling victim to significant cyber attacks. Ransomware in particular is perhaps the most disruptive, costly, and damaging threat to current M&A transactions. Ransomware attacks can compromise sensitive data, disrupt business operations, and lead to significant financial losses. This overview discusses trending ransomware threats and recommends mitigation approaches organizations can employ to defend their deals.

Ransomware: A Continuously Growing Threat

M&A deals are an obvious prime target for ransomware attacks. These attacks generate not only public embarrassment, but they also cause concrete damage to company data and customer relationships. They are also expensive. In 2022, the average cost to mitigate an attack was $1.4 million, and the time to recover averaged at least one month.

Increasing Regularity

In its 2022 "State of Ransomware" report, Sophos Ltd revealed a 78% increase in attacks, from 37% to 66% of US organizations. It comes as no surprise that Nasdaq declared ransomware the greatest threat to business in 2022. There are no signs the threat is slowing down.


Ransomware attacks are accelerating across all industries. Small and medium-sized enterprises are not immune. M&A transactions are especially attractive.

How a Ransomware Attack Works

Simply stated, ransomware is malicious software (malware). Ransomware code blocks access to company information technology (IT) systems or data. Attackers encrypt the data or programs and extort companies by demanding a payment in exchange for decrypting the data. In some cases, the attackers also threaten to disclose sensitive customer data or company proprietary information. Attackers often want to be paid in cryptocurrency, and upon payment the company receives a key to unlock its data and restore access to IT systems.

These attacks pose particularly enormous challenges to M&A deals that require speed, sharing sensitive due diligence information, and confidence from all parties.

Risks and Damage from Ransomware Attacks

Ransomware attacks can have a range of negative impacts on a company's reputation and operations, as well as create significant financial losses. Here are some of the potential risks:

Financial Losses

Ransomware attacks can result in significant financial losses including the cost of ransom payments, data recovery, system restoration, and lost productivity. These costs can add up quickly and create a substantial burden for the organization.

Business Disruption

Ransomware attacks can disrupt business operations, causing delays, downtime, and lost productivity. This can lead to missed deadlines and apoplectic customers.

Damage to Reputation

Ransomware attacks often damage a company's reputation. Customers are likely to lose trust in the organization's ability to protect their personal or financial data. This loss of trust can be difficult to recover from and may have long-lasting effects on the company's brand and reputation.

Legal and Regulatory Penalties

Depending on the industry and jurisdiction, companies may be subject to legal and regulatory penalties for failing to protect sensitive data. This can result in fines, lawsuits, and other legal liabilities. 

Additionally, companies may face penalties from United States (US) regulators when they pay ransoms to unsavory entities. In 2020, the US Department of the Treasury published a Ransomware Advisory that warned companies about making payments to entities in sanctioned nations (like Russia, Cuba, Iran, North Korea, and Syria). A violation of US sanctions is subject to strict liability, so even if you were unaware that the attacker was based in a sanctioned state, civil liability penalties may apply. 

Data Loss and Theft

Ransomware attacks can result in the loss or theft of sensitive data, which can have serious implications for the company and its customers. This can include theft of intellectual property, financial data, personal information, and other sensitive information.

Damage to Partnerships and M&A Deals

Ransomware attacks can damage existing partnerships and jeopardize M&A deals if the potential partner or acquirer perceives the target company as having poor cybersecurity hygiene or high risk.

Step 1: Create a strategy. Step 2: Execute the strategy. A ransomware attack may happen. Are you ready?

Recommended Best Practices for Safeguarding M&A Deals

Protecting M&A deals from ransomware attacks requires a multi-faceted approach. Here are some of the key steps that organizations should take to protect their deals from cyber attacks:

Conduct Cyber Due Diligence

As part of the M&A process, companies should conduct a thorough due diligence review of the target company's cybersecurity practices and risks. This review should include an assessment of the target company's information security policies, procedures, and controls, as well as any past security incidents or breaches.

Implement Cybersecurity Controls

Companies should implement robust cybersecurity controls to protect their own systems and data, as well as those of the target company. This may include implementing firewalls, antivirus software, intrusion detection systems, and other security technologies. Most importantly, back up your data! The number one method to restore lost data after a ransomware attack is to retrieve it from backups. Of companies that ultimately pay ransoms, less than 5% recover all of their data.
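A backup only counts as a recovery path if it can be verified before you need it. The following is an added example, not code from the original article or from 1GDPA: it records a SHA-256 manifest of a source tree and later checks a backup copy against it, flagging files that are missing or whose bytes changed (for example, files encrypted after the manifest was taken). All paths and sample files are constructed for the demonstration.

```python
# Added example (not from the original article): minimal backup integrity
# check. Build a SHA-256 manifest when the backup is taken, then verify the
# backup copy against it before relying on it for a restore.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree to the manifest taken when it was made.
    Both result lists empty means the backup can be trusted for a restore."""
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != digest:
            mismatched.append(rel)
    return {"missing": missing, "mismatched": mismatched}

def demo() -> dict:
    """Constructed scenario: one backup file is overwritten, one is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "bak")
        for root in (src, bak):
            root.mkdir()
            (root / "nda.txt").write_text("confidential terms")
            (root / "model.csv").write_text("year,revenue\n2022,10\n")
        manifest = build_manifest(src)
        (bak / "model.csv").write_bytes(b"\x00encrypted\x00")  # tampered copy
        (bak / "nda.txt").unlink()                             # lost copy
        return verify_backup(manifest, bak)

if __name__ == "__main__":
    print(demo())  # {'missing': ['nda.txt'], 'mismatched': ['model.csv']}
```

Run the same check against an offline or immutable copy on a schedule; a manifest stored alongside the backup is only useful if the backup itself is out of reach of the attacker.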

Develop and Practice a Ransomware Incident Response Plan (IRP)

Companies should produce playbooks for responding to ransomware attacks. Every level of the organization should know its roles and responsibilities when an attack occurs. As such, these playbooks should be rehearsed regularly.

Secure Data Exchange

During the M&A process, companies will exchange sensitive data. It is important to ensure that these data are exchanged securely, using encryption or other secure transmission methods, to prevent data theft or loss. Secure data rooms, both virtual and physical, can enable parties to monitor and document who, when, and how deal data is reviewed and shared. 

Establish Secure Communication Channels

Companies should establish secure communication channels between all parties involved in the M&A deal. This may include using encrypted email or secure messaging platforms to prevent interception or eavesdropping.

Invest in Employee Training

Human error is often the leading cause of cybersecurity incidents, so companies should invest in employee training and awareness programs to educate staff on best practices for information security.

Consider Cyber Insurance

Cyber insurance can help to mitigate the financial impact of a cyber attack, so companies should consider purchasing a cyber insurance policy as part of their overall risk management strategy. 

An important side note regarding cyber insurance: it is good to have, but it is not a silver bullet. Under pressure to close a deal in a timely fashion, an insurer may advise you to pay the ransom rather than file a claim. In fact, victims paid the ransom in nearly half of all ransomware attacks in 2022. 

Some insurers are even leaving the market (for the time being), and Reuters reports that many providers are increasing premiums and limiting coverage. Filing a claim may also consume significant time. The steps include notification, assessment, coverage analysis, recovery, and follow-up. These factors require your full consideration.

Conclusion

In summary, protecting M&A deals from ransomware attacks requires a proactive and multi-faceted approach that involves conducting sound cyber due diligence, implementing robust cybersecurity controls and response plans, securing data exchange and communication channels, investing in employee training, and considering cyber insurance. By following these best practices, organizations can reduce their risk of cyber attacks, respond adequately when ransomware attacks occur (expect that they will), and salvage their M&A deals while minimizing losses. 

If your organization does not yet have a mature data governance, risk, and compliance (GRC) program, or any cybersecurity strategy, 1 Global Data Protection Advisors (1GDPA) can help. Reach out for a free consultation at any time.
