Why cyber security is a big concern for M&A activity in the UAE

Here’s how cyber-attack threats on mergers and acquisitions deals can be mitigated



The past 12 months represented a landmark year for mergers in the UAE.

According to Ernst & Young, the UAE, Saudi Arabia and Egypt were the top three markets in terms of M&A activity during the first half of 2016. During this period, consumer products, industrial products, real estate, banking and capital markets witnessed significant deals.

The most recent story has been the merger of Abu Dhabi investment giants Mubadala Development Company and the International Petroleum Investment Company (IPIC), which will create a $135bn entity.

The Mubadala-IPIC merger isn’t the only one that has everyone abuzz. The rumour mill was thrown into overdrive earlier this year upon speculation that a possible merger between the National Bank of Abu Dhabi (NBAD) and First Gulf Bank (FGB) was on the horizon. It turned out to be more than a rumour in July, when both banks confirmed that they were indeed coming together to create a banking behemoth with $175bn in assets and operations in 19 countries.

Putting aside the inherent benefits that such transactions bring, such as cost savings, an expansion of operations and the ability to sustain increasingly ambitious initiatives in the face of a challenging economic climate, a certain question comes up during such processes: that of information security.

M&A activities are market-moving events that often involve a massive expenditure of capital, generate significant amounts of sensitive corporate communications, and are largely conducted in secret to comply with legal requirements. This makes them attractive targets for cyber-criminals and nation-state threat groups.

To obtain such sensitive information, attackers can target the companies directly involved in the M&A activity themselves or other organisations involved in the deal, such as law firms and PR agencies.

Threat actors are driven by various motives related to M&A activity. These include stealing non-public information leading up to the deal’s announcement for future financial gain.

They are also driven by exploiting sensitive financial information generated during the M&A process, as well as taking advantage of the increased attack surface created by companies combining their operations. As two or more companies integrate their IT assets, a group that has compromised one company could potentially use that access to compromise the other. This is what happened in 2015, when Australian telecommunications giant Telstra announced that the networks of a recently acquired subsidiary, Pacnet, were exploited.

There is no doubt that the Middle East has become a hotbed of cyber-attacks in recent years. There are a host of factors behind this, not least the oil wealth that formed the foundation of Gulf Cooperation Council countries’ economies.

Add to this the conflicting political lines which permeate the region, the increasing consolidation of wealth in the GCC and the region being a hub for every sector – from energy to retail, aviation and real estate – and you have an explosive mixture that has made it a very alluring target.

When it comes to the question of cyber-security, organisations in the region have shown a rather cavalier attitude, dominated by a ‘why me?’ mind-set. What they don’t understand is that these brazen assumptions potentially lead to damaging headlines. Cyber-attackers do not discriminate when choosing their targets – they simply point their crosshairs wherever there’s an opportunity.

Real-world developments have now spilled over into cyberspace and – unencumbered by borders, laws or any form of physical resistance – cyber-attackers have free rein and can attack at will. Any time and any place. They range from simple ‘lone wolves’ to highly organised groups, either operating independently or affiliated with rival nation-states.

For malicious parties, hacking is a high-incentive, low-cost and low-risk method for inflicting a considerable amount of damage. For organisations the size of NBAD or Mubadala Development Company, one can only imagine the consequences of a breach.

Business leaders responsible for M&A business strategies should be aware that a data breach could negate the business strategy of an acquisition due to the high cost of fixing weaknesses or conducting incident response. Technological risks should be evaluated and incorporated into the overall business risk strategy before an M&A transaction is completed. In addition, companies engaged in M&A should ensure that an examination of cyber-security is included as a key component of the due diligence process.

Due diligence involves an examination of the company’s security capabilities, including data safeguards, access controls, threat detection, incident response and infrastructure security controls, the threat landscape of the organisation, any records of past attacks and any underground actors known to be particularly interested in targeting the company.

Allowing sufficient time to perform an actual compromise assessment on the seller’s infrastructure will provide the optimal visibility into the security posture of the acquisition.

When sufficient time is provided and cyber due diligence is conducted, senior executives at the acquiring organisation will understand the business threats and technology risk posed by the acquisition target, enabling them to incorporate this information into the overall picture for informed decision-making towards enterprise risk.

Of course, M&As can vary widely in terms of ramp-up time. Some allow for a very short due diligence effort, while longer deals can afford months to assess risk. Done properly, the information can provide insight into the overall security posture of the seller and possible intruders already in place. With this kind of analysis, the buyer can act knowledgably and prevent major missteps.

With additional time, a more detailed form of cyber-security due diligence is possible. In addition to a risk assessment conducted by cyber-security analysts, software agents can be deployed in the seller’s network to report on the state of the endpoints.

A fairly common follow-on activity, particularly with mergers, is the integration of the two companies’ IT infrastructure.

Some questions to answer during this period of transition are: what can be trusted? Is it safe for the buyer to connect to certain acquired systems? Can two-way trust relationships be established? Addressing these issues depends on assessing the security of both the overall environment and specific systems. Only with due diligence can risk be incorporated in planning, with various planned costs and benefits. Without due diligence, there are only unforeseen costs and reputational effects.

Acquiring companies must now catch up to the reality of the costs and risks that cyber-security issues create, and the benefits that cyber-security due diligence can bring.

All that remains to be seen is whether they choose to pre-empt the actions of malicious players and take the necessary steps to ensure the transition period during an M&A process is as smooth as possible, or take a backseat at their own peril.

Mohammed Abukhater is regional director for the Middle East and North Africa at FireEye