Skip to content
City PM
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
  • Germany
  • France
  • Europe
  • Markets
  • Business
  • Opinion
  • DE
Thursday 12 May 2016 11:02 pm

Why M&A activity leaves companies vulnerable to cyber criminals

By: William Turvill

Add as a preferred source on Google

Global merger and acquisitions (M&A) activity reached record-breaking deal values in 2015 at over $5 trillion. Whilst these vast sums excite shareholders, they also attract cyber criminals who sense an opportunity via inherent weaknesses in the M&A process.

In much the same way that insider trading can (if undetected) yield huge returns for the perpetrator, cyber criminals can similarly capitalise by gaining access to sensitive market information.

And firms going through M&A are arguably at their weakest from a security perspective with disruption to their ‘business as usual’ processes.

Read more: UK execs are worried about the economy – but want to do lots of M&A deals

Cyber criminals thrive on this disruption and there are anecdotal cases where the M&A process is thought to have been targeted.

In December 2015, the FBI warned that a criminal group ‘FIN4’ was seeking to facilitate securities fraud. A few months before that FIN4 was implicated in the attempted infiltration of 100 publicly traded companies or advisory firms that provide M&A services such as investor relations, legal counsel and investment banking.

Also in 2015, the Marriott Corporation announced on that it was to acquire the Starwood Hotels Group. Just four days later, Starwood released a statement that it had been the victim of malware breach. Third-party assessment of this acquisition questioned whether the Marriott Corporation had sufficiently probed the M&A process as a potential threat risk.

Read more: Why Brexit vote should not be used as scapegoat for falling M&A activity

Why are firms at particular risk during the M&A process?

Put simply, the M&A process is a perfect storm of high potential reward for criminals combined with more opportunities for them to exploit it.

Both the potential buyer and the seller are potential targets – in effect doubling the potential weak links in the chain.

Companies that (rightly) normally keep their most confidential information to a handful of trusted confidents suddenly find it needs to be shared with a host of lawyers, consultants and other third parties as part of due diligence – increasing the risk of it ending up in the wrong hands.

The insider risk is heightened too with employees that could be subject to undesirable change potentially liable to become disenfranchised and open to criminal overtures.

Read more: TalkTalk profits show fallout from last year's cyber attack

So what can firms do about this?

It’s critical that the parties involved look at themselves through the eyes of an attacker and seek to understand the threats that tend to occur at the various stages of the M&A process.

Security must be a forethought, not an afterthought. Throughout the discussions, and before plugging in the network cable or allowing the two networks to connect, organisations must be sure to understand what’s on the other side, and what risks they could present.

Share this article

  • Facebook
  • X
  • LinkedIn
  • WhatsApp
  • Email

Similarly tagged content:

Sections

  • News

Categories

  • Business

Related Topics

  • M&A

Trending Articles

  • Citroën 2CV returns as a £13,000 electric car, and the timing is no accident

  • The former African gold miner taking on the billionaire Issa brothers

  • Music tycoon Simon Cowell sued by prominent City lawyer

  • Exclusive: Big Four giant KPMG to cut more jobs

  • I was on the Goodyear blimp above London – here’s what it was like

More from City PM

  • Professional services firms the ‘flavour of the month’ for cyberattacks

    Prof Services
    The ICO said it initially planned to fine Capita a total of £45m, but this was later reduced by “mitigating factors”
  • M&S to face shareholder grilling over cyber attack recovery

    Retail
    Marks and Spencer was one of three UK retailers to be targeted
  • Government aid ‘worth £28bn’ handed to terrorists, criminals and hostile states

    Politics
    Whitehall and Westminster
  • Fraud losses surge as scammers use AI to manipulate victims

    Personal Finance
    Executives argue the measures threaten firms’ business models, particularly smaller fintechs more relatively exposed to fraud and with less capital to cover mandatory reimbursement. (Photo by Artur Widak/NurPhoto via Getty Images)
  • M&S chair: Tax and employment costs holding back Britain

    Retail
    Archie Norman, business leader, speaking at a corporate event wearing a suit and tie, engaging with the audience.
  • The Debate: Should CEOs be held personally accountable for cyberattacks?

    Opinion
    Evil-looking keyboard symbolizing cybersecurity threats and hacking risks in a digital landscape.
  • Gambit Cyber Launches Vizier AI – An Autonomous Security Intelligence Workspace for Continuous Exposure Management

    Business Wire
  • ‘Act now’: AI models capable of attacks on governments months away, Five Eyes warn

    Tech
    GettyImages 158774123 showcases a relevant business meeting scene, highlighting diverse professionals engaged in discussion.

City PM — European politics, business and analysis.

Europe

  • Germany
  • France
  • Europe
  • UK & Ireland

Topics

  • Business
  • Markets
  • AI
  • Technology
  • Opinion
  • Energy

More

  • Politics
  • Economics
  • Fintech
  • Legal
  • Sport
  • Life

Company

  • About City PM
  • Editorial Policy
  • Corrections
  • Contact
  • Terms of Use
  • Privacy Policy
  • Cookie Policy
© 2026 City PM · Published by CityPM Media, Bahnhofstrasse 65, 8001 Zürich, Switzerland
About · Editorial Policy · Corrections · Contact · Privacy · Facebook