The FBI has taken note of a recent explosion in ransomware attacks, issuing a warning in November 2021 that attackers are using “significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.”¹ Likewise, the EY-Parthenon dedicated transaction cybersecurity team has witnessed increasing cyber attacks on companies doing deals, including cases that were very costly for the victims.
The potential damage is similar to the risks normally associated with cyber attacks — loss of protected information and data, exposure of trade secrets, legal judgments, fines and impact on customers. Financial losses can pale compared to reputational damage. And now, the stakes are far higher because there’s also a deal at risk.
For example, a $650 million acquisition by an airline of an aerospace component supplier fell apart in 2019 partly due to a ransomware attack that forced temporary factory closures at the target company. The supplier was acquired by a different company two years later.²
Fortunately, organizations can substantially reduce their exposure by safeguarding cybersecurity throughout the planning and execution of the transaction. Below, we explain two types of risk — transaction risk and counterparty risk — as well as the different phases of the transaction where these risks are likely to occur.
Transaction risk and counterparty risk
A pending deal creates vulnerabilities for hackers to exploit.