Tackling internal and external fraud during merger and acquisitions (M&A) in telecom
Mergers and acquisitions (M&A) in any industry are expected to boost financial and capacity growth, consolidate intellectual and other assets, leverage strength, diversify offerings, reduce financial risks, and streamline costs. However, the picture is not always rosy after an M&A. Skeletons tumble out and the acquiring company ends up with a tangled mess in their hands. Fraud detection and management during M&As is a critical aspect of any such transaction.
Companies with large customer bases, such as telecom companies, are always at risk of data breaches and if such a company is acquired without knowing the whole truth, the acquiring company’s costs will shoot up exponentially. The brand name will take a hit too. Therefore, a critical M&A factor today is cybersecurity due diligence. It has become imperative to protect partner, employee, and customer data in addition to intellectual property.
Cyber risks and cybersecurity
Cyber risks can explode to such huge dimensions that an M&A transaction may have to be abandoned completely. Although lawyers, accountants and CXOs are involved in M&A, they often do not have the necessary cybersecurity expertise to completely understand the risks of a breach. Cyber risk due diligence requires a collaborative effort between business, legal and technical advisers who have the necessary expertise and experience to identify and assess the information relevant to the transaction.
The due diligence strategy must be tailored on a case-by-case basis. Cybersecurity has acquired board-level importance only recently; so, it is still in its nascent stages. However, frameworks and best practices guidance do exist and should be used under expert advice to improve the agility* of a transition.
Cybersecurity incidents can cause a variety of losses — loss because of business interruptions, loss of critical data and trade secrets, financial losses, brand depreciation, harm to reputation and drop in customer loyalty. The cost of handling such incidents is huge. In fact, fraud litigation after M&A transactions has become so common that fraud is given special importance in the acquisition agreement, so as to minimalize any misunderstanding after the event.
Cybersecurity has begun to play a larger role in M&A, especially over the past few years. Several acquiring firms have had to face huge losses because the target company’s past data breaches were identified very late.
Fraud risks and types
A few common fraud risks, other than accounting fraud, include the following.
Insufficient employee background checks: Thorough background checks of employees can keep fraudulent people out of a company, but an acquiring company rarely has the resources to check every significant employee’s background. As a result, fraudulent employees, if any, come as part of the acquired company. Once the merger is complete, such individuals get further opportunities to commit fraud.
Adopting fraud unintentionally: Along with a detailed appraisal of a business, the due diligence process also evaluates the assets, liabilities, and commercial potential of the company. Often the financial analysis is not deep enough and misconduct such as payroll or procurement frauds slip in through the cracks. In such cases, the acquiring company has no option but to ‘adopt’ the frauds.
Effect of layoffs: M&As frequently lead to some loss in employment. While the cost savings of layoffs are appreciated, it has a negative aspect too. Along with the outgoing employees, the company loses valuable experience, expert knowledge that’s undocumented and the sense of responsibility and loyalty that the employee feels towards the company. It can take months or years to replace that loss.
Further, fraud risks increase. Employees of an acquired company are easy targets for fraud by external sources. An employee with an expert or incriminating knowledge can use that knowledge for financial or other gains. One cannot rule out the feelings of frustration of an unemployed person to get back at the employer. When at risk of being laid off, employees are vulnerable and do not feel particularly loyal to their employer. Such gaps must be addressed judiciously.
Data breach: While data breaches can happen at a personal level, the possibility of a huge customer data breach is a reality too. Reports of such cyber thefts need to be divulged during an M&A for a smooth transaction. However, that does not always happen. As mentioned above, during an M&A, such data breaches can happen intentionally too.
Social engineering attacks: Cybercriminals are increasingly using social engineering techniques to exploit people. On one hand, security software is becoming more robust; but on the other, the human brain’s capacity to find new ways to trick other humans is on the rise too. Online and offline means are used to con users into divulging all kinds of sensitive information. The most common form of social engineering attack is phishing. Phishing attacks exploit human error to harvest credentials or spread malware, usually via infected email attachments or links to malicious websites.
Phishing, smishing and vishing: When a fraudster tricks people into divulging personal information that can be used to steal identity, that is called phishing. It is the most common type of social engineering attack. Unsuspecting users click on links to malicious websites or open infected email attachments to become a victim of phishing. When text messages are used to carry out such fraud, it is called smishing; and, when the information is sourced over the phone, it is termed vishing. The database of phone numbers could be sold by a disgruntled employee too.
Business email compromise (BEC): These include highly targeted emails that trick people into handing over money or corporate data.
Port out scam: Once phone numbers are leaked, fraudsters can easily use this data in many ways. Port-out scam is a well-known trick. The phone company is fooled into porting out the number to a different provider. The scamster then attempts to access the customer’s financial details, social media accounts, and private texts and calls. The gamut of scams that can be unleashed with the possession of a phone number and a few personal details is almost unlimited. There are many other ways that social engineering attacks take place.
The way out
Perhaps, the only way to manage cyber risks during an M&A transaction is to consider cyber risks at every stage of the transaction - during the deal processes, at the due diligence stage, while drawing up the transaction agreement and during post-transaction activities. After all, a successful merger must not only lead to good results but also lay the ground for those results to be achieved with minimum monetary and reputation loss.
* For organizations on the digital transformation journey, agility is key in responding to a rapidly changing technology and business landscape. Now more than ever, it is crucial to deliver and exceed on organizational expectations with a robust digital mindset backed by innovation. Enabling businesses to sense, learn, respond, and evolve like a living organism, will be imperative for business excellence going forward. A comprehensive, yet modular suite of services is doing exactly that. Equipping organizations with intuitive decision-making automatically at scale, actionable insights based on real-time solutions, anytime/anywhere experience, and in-depth data visibility across functions leading to hyper-productivity, Live Enterprise is building connected organizations that are innovating collaboratively for the future.