-
Failure to review vendor contracts when acquiring another bank can lead to extra costs and prolonged conversions.
August 26 -
Data breaches aren't going away, as Bank of America and Citigroup can attest. A group of institutional, tech and research experts offer 10 steps banks can take now to mitigate the risk.
September 1 -
Customer credit card data was not endangered during last week's security breach of a small portion of websites hosted by GoDaddy.com Inc., a company executive says.
September 27 -
Enterprise data systems are proving to be porous, as a number of breaches over the past few months have affected not only large banks, but major organizations outside of financial services as well.
September 1 -
Despite an increase in the number of cyber attacks, losses to financial institutions and their customers have fallen over the last 18 months.
September 14 -
The Payment Card Industry Security Standards Council has issued guidelines to clear up confusion around tokenization, a process for obscuring sensitive payment card data.
August 12
As if negotiators of bank mergers and acquisitions needed another worry, they now have hacker attacks — before, during or after the transaction — to contend with.
Dealmaking can serve as a flare that attracts cyber criminals, as information moves freely both before and after acquisitions and information technology integration can create soft spots that are easily exposed by hackers.
The growing power of the hacker community was on full display this spring, when the hacker collective Anonymous published internal emails stolen from the servers of HBGary, a specialist in cyber security. Though the HBGary attack itself was not precipitated by M&A, dealmakers should have taken note of the company's published correspondence with Goldman Sachs that broached the possibility of a deal.
"It's mind-boggling to me when we see M&A activity and no one scrutinizes these sorts of things," said Chris Novak, a managing principal on the investigative response team at Verizon Business. Novak added that he rarely sees "elements of data breaching reviewed as part of the deal process."
Of course, a deal is just one of many scenarios in which a breach can occur. And in the midst of negotiations or at a time when executives are consumed with integration, IT security can easily be overlooked as a priority among executives. Hackers, though, seem to recognize the opportunity deals provide.
According to Verizon's 2011 Business Breach Report, there were 761 documented data breach incidents last year. Roughly one in every five involved a company that was engaged in a merger or acquisition.
These breaches can occur from as early on as the due diligence phase, when sellers first begin sharing information, to as late as months after the deal, when merging companies absorb and combine their IT infrastructure.
Also divulged as part of "Operation Aurora"—the cyber-attack that exposed HBGary—was a client list that included the likes of Morgan Stanley. The attack sent shockwaves throughout Wall Street, as the breach revealed that many of the assaults are emanating from servers in China, shattering the caricature of the bored video game hobbyist as the primary threat. Moreover, the victims, be it major investment banks or Fortune 500 companies, suggest a more strategic aim than hackers just looking to amass customer credit card information.
"One of the major banks could get 2,000 attempts a day," said former FBI agent Ken Springer, president of Corporate Resolutions, a New York background investigations firm.
Capital One Financial Corp., Citigroup Inc., JPMorgan Chase & Co. and U.S. Bancorp are just some of the financial institutions that have faced cyber-attacks this year.
Springer adds that among those attacks involving merging companies, he detects a bias for cross-border acquisitions, as foreign targets are generally more exposed.
"They don't have the same controls in place," Springer noted, pointing out that companies in Eastern Europe, in particular, have historically faced a greater threat.
Meanwhile, the growing proficiency of the hacker universe has helped create more demand for companies like Roswell, Ga.-based Aldose and Alexandria, Va.-based Mendicant Corp.
"Attacks are on the rise, and hackers seem to have the upper hand in many cases," said Aldose vice president Nimrod Rauschenberg, from his office in Israel.
Aldose, which provides network security management and firewall solutions to merging entities, finds it especially challenging when hackers hop onto the network of a secure company thanks to the weaker security system of its target.
"A merger is a time when you attach these networks together to prevent the bad guys from coming in," he said. "But we certainly haven't become safer. All the recent breaches are a testament to that."
As most bankers are probably aware, a potential breach could also threaten the acquisition process, hurting valuation or even serving to undo a potential deal altogether.
Mendicant vice president Steve Surd recalls a recent deal involving a U.S.-based defense company. The hackers, Surd said, were drawn to the target's intellectual property. When the breach occurred, it served to freeze negotiations.
The questions facing the seller, he said, were: "[Should they] keep it quiet and under the radar; or should they tell the potential acquirers what was going on, which would affect the valuation?"
Surd wouldn't disclose any details about the parties involved, but he says he had the job of informing the potential bidders about the nature of the attack.
Though the threat of a security breach is a risk nearly all companies face, the prevalence of cases involving companies engaged in M&A should motivate dealmakers to at least appreciate the hazards. Too often, Novak says, he will encounter a party involved in a deal who doesn't.
And if an attack occurs, his advice is for the companies to dig in and prepare for more, because it's usually the case that "history repeats itself."
