Indian mergers and acquisitions (M&A) activity grew by 38 per cent in 2024, with 2,186 deals totalling $116 billion. However, mergers like those of the Air India-Vistara merger, Tesla and Tata Electronics, Reliance and Disney, etc., also bring in new security risks, said Ben Goodman, SVP and General Manager at Okta APJ. In conversation with businessline, Goodman discusses cybersecurity challenges emerging from these trends, particularly in companies seeking to leverage AI.
Are there any recent examples, specific to India, where you have seen that M&A increase cybersecurity vulnerabilities?
Within India, there’s obviously been quite a few high-profile cyber exposures over the last couple of years across various sectors, telco, and healthcare. Manufacturing is the most prone to such attacks. Companies that do a lot of construction have typically got a larger volume of users that might not be regular technology users. They might be factory workers who use basic services for email and payroll and, thus, less robust cyber security policies leading to more susceptibility to phishing.
In terms of value, how much can these frauds impact the company?
The average cost of a breach goes up every year. I think the last IBM statistic for the average cost of a data breach was about $5.1 million, or ₹19.5 crore from an Indian perspective. The time between breaches is decreasing dramatically. A breach that used to occur on average once every 36 months now happens once every 17 months. So it’s not just the cost—it’s also the frequency of breaches and the nature of the breach itself, such as customer data for companies with high Personally Identifiable Information (PII) risk, or actual financial crime where people try to steal assets.
What is the most common source of such data breaches?
Overall, 40 per cent of data breaches during M&A come from third-party suppliers. So it’s not just the employees in the company, it might be marketing firms they’re working with or logistics providers who also have systems access or contractors. If you have a company in India that says they’ve got 5,000 employees, around 2,000 could be contractors in that company.
Do you have a ratio or percentage that shows how the risks might increase when a company is going through an M&A?
Around 84 per cent of the global cyber attacks stem from identity-based attacks. Identity is most exposed in a business when people are not aware of the company process. The maximum time that would happen is at a point in M&A when a large volume of new people are coming into a new company. The susceptibility to exposure is higher than that of an organization in normal kind of business operations. Smart threat actors know when two companies are acquiring, how to scour LinkedIn and find employees from both sides of the company.
How much of a concern is people using AI for their corporate work?
There are two elements of AI: it can in-source more capabilities into companies, minimising how many third parties they have to use. The flip side is that AI then has access to lots of systems. Therefore, anyone who gets access to a company’s AI system has access to broader systems to do more damage. If not secured correctly, AI can be used by a threat actor to compromise an organisation faster. That’s why securing non-human identities (AI agents or chatbots) is critical. Actually, companies can create a lot more risk and exposure when their AI systems are potentially compromised. AI companies recognise this early and lean into identity services like Okta’s to control non-human identities.
Do these dangers worsen before, after or during the M&A?
During the M&A, organisations tend to go through a series of new personnel unfamiliar with business processes, other people, etc. So, companies have the highest exposure to phishing attacks and identity takeovers at the point of M&A. However, that’s not the only risk element in the cycle. If organisations don’t get the technology integration right during the merger, it can bring in some pretty material, long-term security gaps into the business. This exposes them to a range of problems around collaboration, account takeover, and credential stuffing. They end up carrying long-term debt. With every new M&A, the risk and exposure they can carry forward increases.
Do you feel Indian companies should be working on a special department to address this issue, especially when the M&A is coming up?
There are two particular companies in India that do M&A every 30 to 40 days. They have a technology acquisition team that thinks about this first. They ensure that every person joining the company has a standard method of access and control before they make any system changes. That helps with security policies, merging together systems, and staff identification right from Day 1. So, we’re already seeing companies that have done these practices very successfully, but it requires having a specific team skill set on the M&A team that just looks at the digital identity of the incoming group before business integration.
