BID® Daily Newsletter
Dec 7, 2021

BID® Daily Newsletter

Dec 7, 2021

Have You Considered These Cyber Risks With Your M&A?

Summary: Bank mergers and acquisitions in the US hit $52B at the end of September, according to S&P Global and community financial institutions have been very active players. While exploring this option and developing your M&A strategy, it is important to not only consider the usual operational and credit risks, but also the potential for increased cyber risk. Here are three cyber risks to put on your radar.

Workplace trust is key for the performance, innovation, and longevity of organizations. So, we found it interesting that the Harvard Business Review reported 58% of respondents trusted strangers more than their own bosses. This is likely not the case with community financial institutions (CFIs) as they are more in-sync with their staff, but interesting information nonetheless.
Trust is also important in merger and acquisition deals, which have been booming lately. Indeed, by the end of September 2021, M&A activity among US banks was already nearly double the total deal value of mergers for the entire year of 2020, according to S&P Global Market Intelligence. As we noted in our BID article, Bank Merger Deals Hit $52B – How Will Community Banks Fare, it is not just the big banks doing deals either. The activity includes community banks and credit unions pairing up as well as community banks buying other community banks. The strategic merger can expand local presence, boost scale, and provide operational efficiency. But given all the moving parts of a merger — technologically, managerially, operationally, and more — CFIs must be on their guard to protect against particular cybersecurity vulnerabilities that can arise specifically during M&A. 
Three cyber risks
  1. Increased risks of business email compromise. When two CFIs come together, there is often a long period where the employees and even the executives from both institutions are adjusting to each other and attempting to accommodate each other. This presents the perfect environment for a wily bad actor to impersonate an executive from the one CFI, requesting important data or the release of funds by an executive of the other CFI. In the interest of a harmonious partnership, the usual due diligence may be skipped. To avoid this issue, both institutions should inform their IT teams of this potential risk and communicate appropriately with employees from the earliest possible point.  
  2. The merger of systems. When CFIs come together, so too must their networks, their data, and their multiple front- and back-end systems. As this integration is taking place, there are typically a number of moving parts internally at both institutions and their respective third-party core providers, as well as with other technology vendors. Since these integrations can go on for upwards of six to 12 months, this can present a myriad of opportunities for cybercriminals to exploit the transition. Both IT teams should be communicating well to prevent this too. 
  3. Unhappy employees. Mergers usually mean greater efficiencies, but they can also lead to employee layoffs or reassigning some managers or executives to a position below their previous one. This can hurt egos and potentially lead to malicious insiders (especially those recently let go). While your HR teams are involved from the early stages of M&A, it is important that they act on any issues of this kind promptly, while IT teams should carefully monitor any suspicious actions and remove all access points for laid-off employees swiftly.
These potential bank merger cyber risks should be on your radar, if you plan for any type of merger or acquisition. Make sure to have a strategy in place that incorporates both these potential perils and the ways to prevent them. This preemptive plan could save you not only time and money, but also reputation.
Subscribe to the BID Daily Newsletter to have it delivered by email daily.

Related Articles:

DORA as a Guideline for Heightened Cybersecurity
As European financial institutions prepare to adhere to the EU’s Digital Operational Resilience Act, CFIs may find value in using these rules and regulations to help shape cybersecurity initiatives.
How Much Is Your CFI Really Worth?
Sales data suggests a gap between buyer and seller price expectations in M&A. CFIs can maximize value by finding strategic business combinations that leverage both sides’ strengths and minimize weaknesses.