Mitigating cyber risk in Life Sciences M&A
Life sciences is already one of the industries most at risk from cyber-crime. Given that the industry is also one of the most active in M&A – a time of even further heightened cyber risk – it’s crucial that companies place high importance on mitigating this risk.
Life Sciences M&A: A perfect storm for cyber crime
Life sciences is among the most threatened industries and needs to step up to the growing challenge of cyber-crime. This is an industry built on innovation that has all the characteristics to make it highly attractive to cyber attackers: high revenues, extensive spend on R&D and operations, highly sensitive intellectual property, trade secrets, and an almost total reliance on the underpinning technology to run the business. Add to this that life sciences is also one of the most active industries in M&A – a unique time when the most sensitive information assets on both sides of a transaction may be more exposed – and you have the perfect storm for cyber-crime.
Impact of cyber-crime on M&A
Cyber and data breaches have a number of consequences for an organisation, with subsequent implications for M&A and the potential destruction of post-deal benefits. Examples outlined include:
Mitigating cyber risk
While cyber risk can’t be fully eliminated, it can be better understood and managed by taking appropriate actions before and during the M&A lifecycle.
- Before a deal – a seller will typically focus on achieving the best possible price for the business. One course of action to consider would be to assess and, where necessary, improve its security capability. The key is to focus efforts on identifying and protecting the most critical information assets, which can be achieved by embedding good cyber behaviours while improving capabilities to detect and respond to breaches in a way that minimises business impact.
- Due diligence phase – as a seller will be sharing information that underpins the potential value of the transaction, it’s crucial to minimise risk through enhanced data-security-related governance, procedures, and monitoring so that any potentially suspect actions can be spotted and addressed quickly. The buyer is focused on due diligence of the target during this phase, covering a number of areas of the business including commercial, finance, legal, and medical safety. There is a strong argument to add information security to these areas so that potential vulnerabilities can be identified along with an estimate of the likely investment required to remediate any gaps.
- After deal closing – the risks can vary and there are a number of areas that should be considered, including: additional IT security assessments; change management; secured mechanisms for connecting corporate IT networks and for email exchange; and the secure transfer of electronic and physical data.
Given that the potential consequences of a cyber breach are so damaging, it would be prudent for senior executives to consider allocating a portion of due diligence budgets to the technology function for the purposes of cyber due diligence. Senior executives should also acknowledge that cyber mitigation is no longer a one-time investment, and should expect remediation activity in every deal, building this into their valuation models. By taking the appropriate steps and giving this the attention it needs, companies can manage their cyber risk effectively and plan for successful transactions.