Aarya Gurjar
Abstract: In an era where cybersecurity risks are at an all-time high, developing strong and comprehensive incident readiness plans is essential, especially in the context of M&A transactions in the Technology, Media and Telecommunications (TMT) space. In today’s data-driven economy, even a single cybersecurity lapse can lead to reputational losses that extend far beyond the financial losses to the company. This article explores the growing importance of developing breach response plans as part of M&A strategy in the TMT sector. It argues that incident response plans must be developed not only for the sake of regulatory compliance but also as a cybersecurity and regulatory compliance mechanism. By discussing the real-life examples of the Yahoo-Verizon and Marriott-Starwood acquisitions, the article highlights the importance of incident response plans at the time of Mergers & Acquisitions. The article sets out best practices for incident readiness. It also notes the growing body of statutes across the world that mandate the development of cybersecurity plans in companies. It concludes that companies with well-developed incident response plans are able to survive in the longer run, maintaining long-term competitiveness and stakeholders’ trust and increasing the chances of successful M&A deals. Companies must acknowledge the importance of incident response plans in achieving their strategic objectives and protecting themselves from data breach disasters.
Keywords: Cybersecurity, Data Protection, GDPR, Incident Response, TMT.
Introduction
A merger of companies refers to pooling together the resources and operational processes of two separate entities to build a new single entity. This is done to increase the resulting entity’s efficiency in the market and to enhance innovation. However, not every merger is a success. Many entities fail after mergers specifically because they do not plan for the possible risks or threats. These threats can be of many types. This article discusses cybersecurity[1] risks related to mergers and acquisitions and how companies can curb them through effective planning. Mergers bring together two different IT infrastructures, which can become a prime target for cyber-attacks. Currently, there has been a significant increase in cybersecurity threats like ransomware threats and data thefts. The TMT companies, in particular, have reported at least one data breach occurring during M&A transactions, highlighting the need for pre-emptive breach planning. Such risk is higher in TMT companies as they deal with vast amounts of individuals’ data, opening up opportunities for cybercriminals. Companies must take cybersecurity measures to protect themselves from cybersecurity threats. To prevent such threats from materializing, Incident Readiness is necessary. It includes developing Incident Response plans. The introduction of laws such as the Digital Personal Data Protection Act in India and the evolving General Data Protection Regulation in Europe shows the urgency of developing incident response plans for companies.
What is Incident Readiness?
Incident Readiness involves understanding legal obligations, such as notification in case of a data breach, and the penalties for non-compliance with those obligations. It is not just a technical protocol but also a legal and strategic function that protects a company from cybersecurity breaches. The Incident Response Team must include members with a legal background, who ensure regulatory compliance; members with an IT background, for the technical work; and Human Resources personnel, who provide the necessary internal information about the companies.
Incident Responses in Mergers & Acquisitions
Typically, incident readiness in M&A transactions involves the following:
a. Scanning: Scanning both entities to properly audit for any data breaches can help minimize the risks of cybersecurity threats resulting from M&A deals.
b. Transaction Phase Monitoring: While the transaction is under way, the companies must regularly perform data breach risk assessments. A risk assessment[2] matrix should be developed to plan responses for potential data breach risks.
c. Post-Merger Integration: Regular security training programs must be conducted to make the employees aware of the technicalities of data breach responses.
d. Breach Drills: Companies are recommended to conduct breach simulation drills both before and after the merger.
e. Regulatory Compliance[3]: Companies must ensure that they adhere to the jurisdiction-specific regulations for data protection.
The Challenges
A merger of companies tends to bring many challenges, be they cultural or cybersecurity challenges. The lack of technical teams to avoid cybersecurity risks in the companies can lead to various unforeseen risks and vulnerabilities. Such risk arises because a merger combines two entities which operate on separate technology. Thus, when these two companies merge, it creates security gaps which pose cybersecurity risks to the company formed after the merger. Failure to close such gaps can result in exploitation by cybercriminals.
Case Studies
A recent example of a significant breach in M&A transactions was Yahoo’s acquisition by Verizon. This acquisition highlights the importance of having proper data breach responses in M&A transactions. Yahoo reported two significant data breaches, affecting around 1 billion users. Yahoo faced multiple regulatory investigations, which caused an immense downfall in its reputation. This led to a significant reduction in the value of the acquisition. It highlighted that Incident Readiness is not only about protecting data but also about saving a company’s reputation from decline.
Another case is the Marriott-Starwood acquisition in the year 2016. This acquisition underscores the importance of historical security audits in M&A deals. After the acquisition of Starwood hotels by Marriott, a significant data breach was reported in Starwood, compromising the data of over 500 million guests. The company thereafter spent $200 million in developing incident response plans.
Best Practices for Maintaining Incident Readiness
To ensure that organizations are well prepared for any kind of foreseen risk related to M&A, the following practices must be followed:
a. Engaging Cybersecurity Experts in M&A Practice: It is very important to keep cybersecurity[4] experts in the picture right from the commencement of the merger procedure.
b. Regular Training: Regular training in the form of mock drills is necessary to ensure that the members are well-trained and prepared for any kind of emergency in which their role is important.
c. Timely Upgradation: Incident Response plans must be modified and updated in accordance with changing technology. As technology develops, Incident Response Plans need to align with it.
d. Artificial Intelligence[5]: Organizations must take the aid of AI because it will help in enumerating the most likely threat predictions, which will ultimately help in building more accurate plans.
e. Strategic Investment in Cybersecurity Infrastructure: Companies should not cut costs when installing cybersecurity equipment. A good investment in developing cybersecurity walls gives long-term security benefits to the companies.
f. Due Diligence: Due diligence activities like periodic assessment of cybersecurity walls, penetration tests etc. must be performed to check the overall efficiency of the cybersecurity measures undertaken by the company.
g. Cybersecurity Framework: Companies must have a strong cybersecurity framework. This includes data protection, regulation of third-party engagement etc. Such a framework is both a tactical and strategic plan for Mergers & Acquisitions.
Regulatory Framework
The regulatory burden in TMT-M&A has increased sharply with the coming of new legislation across the globe. Companies are now required to comply with:
a. Digital Personal Data Protection Act 2023: While the act is not yet fully implemented, the Ministry of Electronics and Information Technology (MeitY) has been issuing regular advisories. The act contains provisions for data minimization, clear consent etc. Key provisions relating to data breach include informing about the data breach within 72 hours of knowledge of the breach, mandatory risk assessments for high-risk activities and penalties of up to Rs 500 crores for significant data breaches.
b. Information Technology Act, 2000: It penalises the disclosure of personal information of users without their consent.
c. Specific Regulations: Companies are also required to comply with the regulations issued from time to time by authorities such as TRAI, MeitY, SEBI etc. Failure to comply with these regulations results in loss of reputation and potential litigation.
d. General Data Protection Regulation: For M&A transactions in the European region, this regulation has to be complied with. Article 33 of GDPR mandates breach disclosure within 72 hours.
e. China’s Personal Information Protection Law: It mandates security assessment for cross-border data transfers. It also requires specific approvals when personal data of individuals has to be processed.
Conclusion
Incident Readiness in TMT-M&A is no longer just a best practice, but a necessity. Without proper Incident Response Plans, companies expose themselves to the risk of regulatory penalties and loss of consumer trust. Incident readiness must be practiced at every stage of the transaction, that is, from valuation to post-deal monitoring. Companies must ensure that they comply with the necessary regulations like the Digital Personal Data Protection Act, 2023 or the GDPR. As seen in the real-life examples, inadequate incident response plans can reduce a company’s deal value and cause a significant downfall in its reputation. In contrast, proper incident response plans enable a company to achieve higher deal valuations and survive in the market in the long run. Organisations that adopt these measures will have a competitive edge over those that do not. Companies must also strive to hire cybersecurity experts for conducting third-party audits to foster a culture of cybersecurity in the workplace. Incident response plans must be seen as a competitive strategy, especially during high-stakes events like Mergers & Acquisitions. Thus, the need of the hour is for companies to recognise the importance of investing in incident response plans not just as a regulatory mandate but to protect themselves from the severe consequences of data breaches in the long run.
Notes:
[1] “Strategic and Tactical Actions for Mergers and Acquisitions”, Grant Thornton, 13th July 2021, available at <https://www.grantthornton.com/insights/articles/advisory/2021/cybersecurity-in-ma-strategy>.
[2] David Mapgaonkar, Ruben Roma, et al., “Beyond Number: Critical Role of Cybersecurity in M&A Deals”, The Wall Street Journal, 30th March 2024, available at <https://deloitte.wsj.com/riskandcompliance/beyond-numbers-critical-role-of-cybersecurity-in-m-a-deals-6aba020c>.
[3] “Cybersecurity Due Diligence: Safeguarding M&A”, Sapphire, available at <https://www.sapphire.net/blogs-press-releases/cyber-security-due-diligence-safeguarding-mergers-acquisitions/>.
[4] “Mergers & Acquisitions Trigger Unique Cyber Challenges: What Should Businesses Do to Overcome It”, KPMG, 8th February 2024, available at <https://kpmg.com/us/en/media/news/cyber-risks-in-mergers-acquisitions2024.html#:~:text=When%20companies%20merge%2C%20it%20creates%20significant%20cybersecurity%20challenges,presents%20its%20own%20challenges%20from%20a%20cyber%20perspective.>, last accessed on 17th June 2025.
[5] “The Critical Importance of a Robust Incident Plan Response”, Sygnia, 16th January 2025, available at <https://www.sygnia.co/blog/critical-importance-incident-response-plan/>, last accessed on 12th June 2025.