As MSP business merger and acquisition activity heats up in 2024, affected companies must ensure that their critical cybersecurity protections are in place and kept up to date. Like any other company, an MSP can get caught up in the complexity of M&A negotiations and inadvertently let their defenses down, leaving them vulnerable to cyberattacks including phishing, DDoS attacks, and more. Guarding against such threats may be even more important when business leaders are busy making M&A deals.
These concerns are particularly relevant today as M&A activity is poised for a rebound in 2024 after a slowdown in 2023, according to research from Morgan Stanley. Morgan Stanley Research said it expects a 50% rise in M&A volumes compared with 2023 as corporate confidence is increasing and concerns about inflation and global recession continue to fall. Morgan Stanley said it sees six market segments where M&A activity will be on the rise in 2024, including technology, banks, energy, healthcare, hotels, and real estate.
Cybersecurity Best Practices During M and A Discussions
Mergers and acquisitions require all organizations to take cautionary steps, but for MSPs they pose even greater risks because their businesses provide trusted services to their customers. MSPs certainly do not want to be vulnerable to cybersecurity attacks that could go on to harm their customers’ businesses as well.
That means that MSPs must be even more vigilant and protective of their cybersecurity processes if they are looking to acquire other MSPs or if they are the target of an M&A by a private equity firm.
Tim Weber, vice president of channel growth at MSSP Cyber74, told ChannelE2E that these are scenarios that MSPs must plan out carefully to protect themselves and their customers.
“Knowing the security posture of an organization that you are acquiring is absolutely critical, but there are limits on what you can do before a deal is actually closed,” said Weber. “What I have typically seen is a questionnaire-based approach. There is also an approach where you take a full-on security risk assessment once a deal is closed.”
From a cybersecurity standpoint, the problem with M&A planning is that at every stage “bringing teams, systems, and practices together creates risks,” said Weber. “The starting point for addressing the risks is to do an assessment and attempt to catalog everything that needs to be addressed.”
This would include how to incorporate or evaluate riskier systems, including older systems or issues with patch management, as well as practices that an incoming MSP follows that are “riskier,” such as remote access methods or how client documentation is stored, he said.
“Looking at and addressing the security of an MSP that is being acquired has never been more important,” said Weber. “The potential risks of a security incident for an MSP are so high and the impacts – operationally, reputationally – could be so severe that the need to review the security during the due diligence process and once the deal has been closed has never been higher.”
So, who is the most important person to speak with inside the targeted-for-acquisition MSP, the people in the trenches? The CIO? The CEO? The CISO?
That depends on what details the leadership team of the company will provide to you, said Weber. There's also an issue of time, though the sooner you get into the details and see where things stand, the better -- even though that is not always possible.
“It really depends on the size of the organization that is being acquired,” said Weber. “A small MSP will have someone who is responsible for security, but not necessarily a CISO. It also depends on the timing of the different asks. You are not going to be able to talk to anyone in the trenches until the deal is not only closed but is announced to the acquired company.”
Cyberattacks Strike During Acquisition Talks
Michael Crean, VP of managed security services at SonicWall, told ChannelE2E that cyberattacks coming during MSP M&A activities is a serious issue that he has seen happen throughout his career. Crean previously founded and led master MSSP Solutions Granted, which was acquired by SonicWall in November 2023.
“There are some stories from the past where acquisitions took place and the acquiring company was not doing all of their financial due diligence,” said Crean. “They were doing the things that made the most sense to them from a dollars-and-cents point of view, but they were not thinking about the other things that could cause them problems.”
So, of course, security lapses occurred, which resulted in costly and destructive damage for the companies and their reputations, he said. To prevent such issues, critical questions must be asked in M&A discussions using a checklist and risk analysis process that can help provide an accurate general assessment for basic cybersecurity hygiene, said Crean.
“Is your patch management up to date, and can you demonstrate it?” asked Crean. “Do you have [multifactor authentication] MFA in place, and can you show me? Do you have somebody that is reviewing logs or do you at least have them stored somewhere? Can you prove to me that you have taken away administrative access from your employees?”
These kinds of questions may seem too obvious and basic, but they must be asked during MSP M&A talks. It's not uncommon for busy MSPs to fall behind on their cybersecurity protections for their own operations, said Crean, even before the hectic M&A discussions start. “They are often bad at doing these things for themselves. And that is a huge risk in this M&A field right now. It is a terrible problem.”
There can be cybersecurity advantages to M&A talks as well, as an MSP or private equity firm acquires an MSP and brings in its own improved cybersecurity practices and standards, said Crean. “Then you can help an organization potentially set a new standard when you are coming in,” improving their overall cybersecurity by default.
One of the big cautions in M&A proceedings is that shortcuts must be avoided after the deal is done and as the companies are coming together, he said. Yes, companies want to recoup their investments, but bringing systems and processes together too quickly and without adequate oversight can cause conditions that are ripe for cybersecurity attacks and problems, he added.
“Some people do not necessarily think about all the risks that are involved in that,” said Crean. “The larger acquisitions should have much deeper review processes because the bigger the dollar value of the deal, the bigger the risk. Smaller acquisitions also can be devastating because a smaller company that gets hit with ransomware or another compromise can suffer a business-ending event. It is hard for small companies to weather the storm.“
Buyer Beware: Understanding the Cyber Risk Profile of the Seller
George Sierchio, an EVP and senior partner with Cogent Growth Partners, LLC which provides M&A advice and help to IT services providers, said these kinds of cybersecurity issues during M&A discussions must be clearly and openly discussed, usually after a letter of intent for an acquisition is filed.
“Diligence from the buyer typically starts with a rep/warrant in the purchase document regarding defining the term ‘breach’ and having the seller say they either have not had any breaches or other cybersecurity issues with clients or describe any that have happened,” said Sierchio. “This could lead to further transaction document adjustments for buyer protection so they know what they are stepping into, or it could cause a buyer to step away from the deal.”
In addition, it is critical for buyers to understand the cyber risk profile of the selling company, he said. “Things such as what it does and does not offer to its clients, whether they do it all in-house or outsource some or all, and the complexity of its customers from a cybersecurity perspective,” said Sierchio. This should include discussions of the hardware, software, and tools that are deployed and managed, as well as how they provide services to customers from their own operations or through partner vendors. They also must ask how the company does internal and customer-aimed cybersecurity training, as well as learning about the control procedures and assessments that are in place to protect operations, he said.
Other discussion areas must include how they help customers with regulatory issues and if they are actually and properly performing those services, as well as talks about cyber-related insurance that they carry and if they have ever had to use it, said Sierchio.
In addition, the more complex the cybersecurity needs of the seller clients, the more likely that a buyer should bring in a third party to assure that the diligence efforts are being followed and implemented, said Sierchio. “Risks can certainly be in the cards when integrating, and if integration is part of the plan after the deal, then it must be planned out well. The entity that was bought should have cybersecurity policies fully aligned with the buyer’s and ensure that these new employees are fully trained in the cybersecurity procedures required by the buyer’s policies.”
