Acquiring a business can be an exciting time, but you can’t rule out any potential complications that may arise during the period leading up to your ownership of the company. The due diligence process can be long and grueling, not to mention occasionally upsetting.
When you purchase a company, you purchase their data, their users, their information … and their potential drawbacks, so it’s imperative that you do your research before choosing to purchase a company or merge it with your own. But just how deep should you search before a company becomes yours wholly? There are three essential things you can do to ensure your due diligence process proceeds as smoothly as possible.
1. Know the product’s value
Just like anything you would pull off the shelf in a store, a company has its own value, so it’s up to you to stay informed of the true value of the company you intend to acquire. A company may have gone through positive and negative experiences that could potentially have increased or decreased its value, respectively.
Positive experiences (increased value)
Many positive events could have occurred that would increase the value of the company that you plan to acquire. For example, has this company featured in the news before? Has it been mentioned widely on social media or had articles go viral? The higher a website’s ranking, the higher its value should be.
Negative experiences (decreased value)
On the other side, companies could have also encountered some negative experiences during their run, the most likely of which are cyberattacks. In 2018 alone, there were over 1,200 reported data breaches. An organization’s cybersecurity is one of its most essential components. Clients’ private information, as well as the company’s sensitive data, may have been compromised—and with that, trust also could have been broken. It would take a lot of bolstering to recover the company’s reputation to the point where it was before the attack, and its value would likely decrease as a result of that event. In fact, 52% of directors would only acquire a company that came with a data breach if it had a much lower price tag.
Understanding the balance between the positive and negative events that could have influenced the company’s value allows you to step back and look at the bigger picture. Is this company the right one for you, or will it do more harm than good?
2. Look into any and all incidents
When that company becomes yours, so do its data breaches, cybersecurity incidents, and everything in between. Around 40% of companies who acquired or merged with another business reported not knowing about another company’s data breach until after the deal had been finalized. Do not allow your company to be part of that statistic. Go above and beyond learning the basics of the company that you plan to acquire, and learn everything you can about any data breaches or cybersecurity incidents that may have transpired since the founding of the company or organization.
A good rule of thumb is this: do everything you can to find out everything you can. Ask current employees what happened on their end. Search through news articles that may have been written about the incident. Learn as much as you can from every side of the situation so that you will never be caught unprepared if the issue is raised—and also to ensure that you will not make the same mistakes once the due diligence process is over and you have fully acquired the company.
Knowing exactly what happened during any incidents not only prepares you to address the mistakes made by the previous owner but also helps you learn what needs fixing or improving. If a company’s cybersecurity is lacking, it will be your responsibility to bring it up to par. You will want to retain users or clients, and there’s no better way to keep them while the acquisition or merger is ongoing than to prove that the mistakes made in the past will not happen again. Customer loss attributed to data breaches in 2018 equaled up to $4.2 million.
3. Speak to the CISO
The acting Chief Information Security Officer (CISO) of the company you intend to buy should be able to answer most, if not all, of your questions. He or she is the first person you should approach about any cybersecurity worries you might have—especially if the company has experienced a data breach previously.
It has been estimated that 41% of companies have private files with valuable information completely open to anyone, with no protection. The company you plan to acquire could quite easily be in that 41%, with little (or no) security in place for their important files. By speaking with the CISO, you will be able to learn whether the company has an existing cyberattack plan or some sort of risk management program. If the company does indeed already have one, that means less work on your end. If, however, it does not, it’s best to prepare for the possibility of cyberattacks and formulate a plan ahead of time—maybe even model it on another company you own.
SecurityScorecard has your back
Are you having difficulties with your due diligence process? You are not alone.
SecurityScorecard can help you access and understand the risks before you inherit the liability. We help you examine a company's security posture, compliance adherence, and ability to quickly and effectively remediate vulnerabilities. Any evidence of data breaches should be factored into purchase agreements and integration timelines before closing deals. Critical security issues translate into real consequences.