The Top Five Reasons a Security Assessment is Needed for M&A Due Diligence

By - 20 April 2022

Originally posted at Advisor Perspectives.

Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.

Consolidation abounds in the RIA world. I hear directly from firms that one of the reasons is the expense and intensity of meeting regulatory requirements; it’s easier to join a large firm that brings oversight and compliance to this critical area than manage it yourself. There are other reasons: Some are ready to retire or don’t have a succession plan, and selling their firm is the best option.

I’ve seen all sides of the advisory profession, having started out as an advisor in an RIA firm years ago with my sister and mother. My mother, Judy Panos, was one of the first female advisors. I quickly learned the technology side of operations and started my firm in 1995 to better serve firms with their cybersecurity and technology needs.

Yearly M&A activity reports from groups like DeVoe's RIA Deal Book(TM), Echelon Partners, Dimensional and Citywire RIA all agree, and validate, that RIA M&A has been on the rise for the last eight-plus years, setting another high in 2021. The advisor profession has changed over that time. There are increases in regulatory requirements, regulatory fines, higher cyber insurance rates, and lawyer and cyber liability costs, along with the costs of a breach.

There’s a lot at stake during those transactions.

Firms making deals become prime targets for bad actors, who look for companies buying others since those companies have the money and deeper pockets. Most industries consolidate in one form or another, but not all have the perfect mix and profile of extensive personal data, regulations around the security of that data, and high dollar values at stake the way financial services does. It's the perfect profile for cyber criminals.

An M&A risk example

My firm, FCI, had a client that acquired multiple firms in a short span of time. One particular transaction was a partial acquisition of a firm in which one principal was selling his share of the business. Early in the process, critical questions were not asked. There's more to a deal than just a personality and business-alignment fit.

The selling firm also had a third-party IT firm that configured its environment. Upon acquisition of half the firm, that IT team unexpectedly denied access to the buying firm, which was not given administrative rights to data and controls. While the transition was happening and access was still being denied to the buying firm, a breach occurred. The environment was ransomed, and the buying company ended up paying out to retrieve files. To make matters worse, the firewall logs had run out (their retention window had passed) and cyber insurance was not in place. When the ransom happened, the selling firm contacted the IT team, not security experts. Representing the buyer as their cybersecurity management service provider, we were called in immediately after the breach to evaluate and rectify the situation.

Impact for the buying company

Companies that don’t conduct proper security assessments before buying are at great reputational and financial risk. The timing of the incident above was no accident. The bad actor knew a deal was happening, funds were there, and the timing was right. We went to work gathering evidence and proof to understand if records were exfiltrated. Fortunately for the buyer, there was no exfiltration of data; logs and evidence were captured and collected to prove this to authorities.

Lessons learned

Ironically, around $1 million was paid for the selling firm. If the ransomed records had been exposed, upwards of $40-50 million would have been paid to comply with regulations. This would have fully depleted the buying company's funds for further acquisitions.

Here are the five key takeaways for buyers and sellers of advisory practices:

  1. In the transition of power in an M&A, fully understand the breach history of your target company, how breaches have been handled and what actions have been put in place so it doesn't happen again. Buyers, by default, take on the reputational risk of the seller in an acquisition.
  2. Disposition of IT and security needs to be clear upfront during M&A transitions, with access granted to all controls.
  3. If you are an acquiring company, create a holding or acquired group where you keep records, files and logs separate from the parent company until full evaluations are complete and security status is up to par.
  4. During M&A, buying companies shouldn't try to fix security issues before acquiring. Since you are aware of the situation, let it determine valuation, then fix the issues if you move forward.
  5. Attestations used to be enough when regulations were introduced. Now, firms must be able to demonstrate compliance; in that spirit, explore logs, evidence and more in a security assessment before a deal happens. Furthermore, knowing how to speak to regulators, the FBI and insurers, or having a cyber expert represent you, is critical in breach situations.

On the positive side, the reverse is also true. If a seller has a reliable cybersecurity program in place and can document its compliance, this increases the valuation of their company. It works both ways and pays to be proactive on the cyber front. With new regulations and guidelines out from CISA, the SEC, FINRA and NYDFS due to heightened geopolitical conditions, companies can't wait to fully protect their devices, networks and applications, along with providing ongoing user training for greater awareness.

Threats will continue to evolve; we must evolve with them.

Brian Edelman is a nationally recognized cybersecurity expert specializing in the financial services industry. He is the CEO of FCI, a NIST-based managed security service provider (MSSP), which he founded in 1995. FCI offers a comprehensive suite of endpoint and network cybersecurity and compliance solutions customized for financial services firms.
