The past two years have seen record volumes of deals, pushing M&A and transaction advisory
practices to the forefront of many consulting providers’growth strategies. So far, 2018 is shaping
up to be a very good year. However, many consulting firms have begun to incorporate cyber
security into their TAS service portfolio. ALM Intelligence’s finance & operations consulting
research team spoke with FTI Consulting’s Anthony J. Ferrante, a Senior Managing Director
and the Global Head of Cybersecurity for FTI, about cyber security and the transaction advisory process.
Q&A with FTI Consulting’s Anthony Ferrante
: How should com-
panies approach cyber security needs?
Ferrante: Cybersecurity needs to be
part of every company’s strategic
growth strategy. As your organization
becomes larger and more well-known
among clients and industry peers, it
also becomes a more attractive target
for malicious cyber actors. Investing
in cybersecurity means investing in
the safety of your organization’s most
critical assets—the very assets that
may need to be leveraged to propel a
company’s growth strategy in the near
to long-term future. Strengthening
cybersecurity policies and procedures
gives corporate leaders the confidence
they need in their organization and
assures investors that their interest in a
company is protected.
: Where are the
biggest vulnerabilities for companies
today in the transaction process?
Ferrante:: In any due diligence efforts
conducted as part of a transaction, an
acquirer should absolutely assess its
target’s cybersecurity infrastructure
and risk posture. Failing to do so could
lead to the discovery of a breach or
larger threats later down the road. In
addition, during a transaction—a time
in which companies must be extremely
cautious in the sharing of privileged
information—companies should ensure
that any engaged vendors have robust
cybersecurity measures in place at their
organizations. If a breach were to occur
as a result of one party’s inability to
secure confidential information, it is
possible that the larger, more consumer-
facing organization involved would be
blamed for the incident.
: What should be the
priorities—on the buyside or sellside?
Ferrante: Cybersecurity priorities
should include protecting privileged
information and ensuring that both
entities are aligned in the ways they
protect confidential data. On the buyside,
companies should look into their target’s
cybersecurity policies and procedures,
history of breaches, and understand what
investments may be needed to further
insulate the target’s most critical assets
from a future incident. On the sellside,
organizations should internally assess
their current cybersecurity infrastructure
and strengthen it where necessary preacquisition, effectively demonstrating to
an acquirer their ability to protect critical
information and ultimately ensuring that
there is more control over current systems
during a moment of transformation.
: The deal process
has become increasingly complex.
What does FTI do to help clients keep
a sharp focus on cyber security issues
during (and after) the process?
Ferrante: At FTI Consulting, our
cybersecurity experts work with clients
of any size to address their needs at the
most critical times, helping companies
integrate new solutions with existing
policies and procedures to mitigate
inevitable cyber threats. At the outset of
a transaction, we can help companies on
both the buyside and the sellside review
their cybersecurity infrastructure
through tools like vulnerability
assessments, penetration testing, and
adversarial hunt team operations.
: Does any region
pose a greater challenge in terms of
cyber security in TAS than others?
Ferrante: Companies based in various
regions may be operating under varied
cybersecurity standards. As such,
cross-border mergers and acquisitions
may have an added element of
regulatory harmonization that could
introduce challenges over the course of
a transaction. For example, Europe’s
new data privacy law, the General Data
Protection Regulation (GDPR), takes
effect this month; new regulations
like this require additional attention.
Furthermore, geopolitical tensions can
play a significant role in heightening
regional cybersecurity risks. As nation-state actors become more sophisticated,
companies need to increase their
proactive preparedness and awareness
to safeguard their systems.