If you handle mergers and acquisitions (M&A) or stock valuations, heads up: the FBI recently issued a notification that is directly relevant to you.

Ransomware continues to plague businesses of all sizes, but according to a recent FBI Private Industry Notification, ransomware threat actors are now specifically researching publicly available information to identify their next targets. In particular, they are looking for victims with “time-sensitive, significant financial events,” such as mergers and acquisitions (M&A) or stock valuations. What is their end goal? According to the FBI, “If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.” That kind of disclosure could depress a company’s stock price, scare off new investors and, depending on the scale, derail a pending M&A transaction.

Ransomware is a legitimate threat

The FBI notification provides a high-level summary of how these attacks unfold, explaining that a ransomware attack is typically multiphase, “beginning with an initial intrusion through trojan malware, [then] an access broker to perform reconnaissance and determine how to best monetize the access.” Ransomware actors and gangs are monetizing their attacks at an astonishing rate.

The goal of that reconnaissance is to identify information that is not publicly available and use it “as leverage during the extortion to entice the victims to comply with the ransom demands.”

The costs of an attack can be substantial. According to the National Security Institute, the average ransom demand increased from $5,000 in 2018 to around $200,000 in 2020.

Beyond the payment itself and the effort of trying to retrieve the data, other business impacts to consider are:

  • Loss of business productivity
  • Business-threatening downtime, averaging 21 days after an attack
  • Decreased customer profitability
  • Failure to meet regulatory compliance obligations
  • Paying a ransom and never getting the data back
  • Ransomware that remains on the system and strikes again

Mergers and Acquisitions

These attacks can have a particular impact on the M&A process. One of the many byproducts of a ransomware attack is public scrutiny, which can make the affected company less attractive to customers, vendors and prospective buyers alike. Chase Mabry, Manager with LBMC’s Transaction Advisory Services practice, explained, “At the very least, the ransomware event could directly impact the potential purchase price. Additionally, the event would trigger concerns around data validity and privacy during the due diligence process, leading to additional effort and likely increased fees. Given the sensitivity of documents provided during the diligence process, it is also very important that companies maintain a level of encrypted security when providing data and follow recommended protocols throughout each stage of data transmission and communications to avoid potential ransomware risk therein.”

One prime example of why cybersecurity should be considered in M&A events is Marriott’s acquisition of Starwood Hotels in 2016. In short, Starwood Hotels was breached in 2014 but was unaware that the breach had occurred. Two years later, in September 2016, the Marriott acquisition closed. Marriott, having failed to identify the breach during its pre-acquisition due diligence, connected its network to Starwood’s and in turn granted the threat actors access to the Marriott environment. It was not until September 2018, four years after the initial breach of Starwood, that Marriott identified the intrusion; it was publicly announced that November. The impacts were significant:

  • Personal information for up to 500 million customers worldwide was reported as exposed.
  • Marriott’s stock price dropped roughly 5% after the breach announcement.
  • Marriott was estimated to have lost $1 billion in revenue due to diminished customer loyalty following the incident.
  • The UK Information Commissioner’s Office proposed a GDPR fine of roughly $125 million (£99 million; the final penalty, issued in 2020, was £18.4 million), and in the US multiple class-action lawsuits were filed, including one seeking $12.5 billion in damages, or $25 for every impacted customer.

Paying ransoms is still discouraged

Consistent in its message, the FBI continues to discourage businesses from paying ransoms: “[t]he FBI does not encourage paying a ransom to criminal actors.” However, the notice also states, “The FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.” If a company does decide to pay, as Colonial Pipeline recently did, the FBI urges it to report the ransomware incident to its local FBI field office before paying.