In response to growing cybersecurity challenges, the European Union (EU) is revising its current cybersecurity directive, NIS (Network and Information Security), which was the first piece of EU-wide legislation to mandate a common level of cybersecurity across the Union. The updated directive is commonly known as NIS 2, and member states must transpose its new framework into national law by October 17, 2024.
NIS traces its origins to the growing recognition of cybersecurity as a vital component of national and economic security within the EU. The first iteration was adopted in 2016 in response to increasing cyber threats targeting essential services and critical infrastructure operators. It aimed to ensure a common high level of cybersecurity resilience across key sectors such as energy, transportation, finance, healthcare, and digital infrastructure. To that end, it required member states to identify operators of essential services (OES) within these sectors and to impose cybersecurity obligations on them, including risk management, incident reporting, and cooperation with the competent national authorities. For mergers, acquisitions and divestitures (M&A/D), of course, the situation was a little more complicated.
The risk of M&A/D
In general, M&A/D transactions carry substantial risk on their own. They put stress on existing standards, are full of one-off scenarios that are hard to plan for, and typically involve low levels of operational effectiveness and a lack of clarity about the status quo of the existing technology architectures. More specifically, they create unique challenges when it comes to cyberattacks and related risks, because no organization wants to buy a breach.
In a recent VPN Risk Report survey by Zscaler ThreatLabz, 69% of respondents reported concerns about the impact of M&A on their existing VPN infrastructure, spotlighting the vulnerabilities that can arise from organizational changes such as the integration of disparate networks. 56% of organizations reported having experienced one or more VPN-related cyberattacks in the last year alone, up from 45% the year before, highlighting the growing frequency and sophistication of attacks targeting these services.
Now more than ever, technology M&A/D leaders need to take responsibility for offsetting the risk of legacy technologies, such as VPNs or firewalls, against the envisaged transaction results (e.g. synergy savings). From an infrastructure perspective, this means that the transacting companies need to conduct thorough pre- and post-closing due diligence on the cybersecurity posture of the entities involved. This includes putting greater effort into assessing their compliance with NIS 2 requirements, especially on key questions such as the general cybersecurity posture and the risk management practices in place. Without quick and sufficient transparency into the full technology estate, acquiring organizations risk a prolonged due diligence process or missing material shortcomings in the target entity.
Actions to be taken from post-closing onwards
Any red flags found during due diligence must be reported and assessed against the upcoming NIS 2 Directive. Integrating or divesting technology, including network and security solutions, is a complex endeavor, especially when attempting to align disparate networks, cybersecurity frameworks, processes and leading practices at an organizational level. Reflecting this, successful M&A/Ds plan for and integrate NIS 2 principles at the enterprise and solution architecture level early in the process, in order to ensure value creation from the integrated system landscape. The three imperatives for a NIS 2 compliant technology architecture are simplicity (lean footprint), effectiveness (support for the relevant end-to-end processes), and efficiency (automation, lean governance). Together they help organizations avoid typical pitfalls, such as:
Opaqueness of the acquired company's network (M&A specific): not having enough transparency, even post-closing, is a common problem that prolongs evaluation timelines and undermines holistic conceptual planning.
Failure to establish fast user-to-application connectivity: new M&A/D playbooks need to adopt NIS 2 while eliminating factory-like activities such as network integration and point-solution consolidation.
Lack of well-defined documentation: documenting the as-is technology blueprint makes it possible to identify shortcomings quickly and to move to a NIS 2 compliant state.
A recent Zscaler survey has shown that primary ownership of NIS 2 does not necessarily sit solely with the CIO/CISO (42%), but often within business divisions (58%). This is another reason why successful M&A/D must anticipate NIS 2 requirements at a tactical level within the overall operating model (and plan activities accordingly), and must assign clear accountability for all relevant end-to-end business process areas. All parties to the transaction must address their own cybersecurity responsibilities, incident reporting requirements, and liability allocation in their contractual agreements (e.g. Migration Agreement, Transition Services Agreement (TSA)) to mitigate legal and financial risks from day one of the M&A/D and beyond.
Further guidance and recommendations can be found in the Zscaler whitepaper 'Enhancing Cybersecurity In the EU: An In-Depth Look at the NIS2 Directive and Its Impact On M&A/D', which is available for download.