
Cybersecurity Due Diligence in M&A

Posted on June 30th, 2021

Mergers and acquisitions (M&A) enable companies to add products and services to their portfolios, giving them a way to scale their business. To gain true visibility into a company's long-term impact on your organization's bottom line, you need to understand all of its assets and liabilities, including digital ones. If you're looking to add to your current portfolio, cybersecurity due diligence in M&A helps you evaluate how the target's security posture will affect your financial bottom line.

When should organizations engage in a cybersecurity risk evaluation?

Acquiring or merging companies should engage in a cybersecurity risk evaluation as early in the deal as possible. However, research indicates that most organizations wait until the transaction execution stage before assessing cybersecurity.

According to a Q4 2019 IBM Institute for Business Value survey of 720 executives responsible for M&A functions at acquirer organizations, more than one-third said they experienced a data breach attributed to M&A activity during the integration. Moreover, almost one-fifth experienced breaches post-integration. Further, only 38% of organizations engage in a comprehensive cybersecurity assessment prior to the transaction execution phase.

Waiting until the M&A is nearly complete leaves organizations unprepared for long-term financial risks. As soon as M&A news begins circulating, cybercriminals look for ways into one or the other party's networks and systems. Exploiting a security weakness at this stage gives malicious actors both a short-term and a long-term benefit. They can gain access before the merging entities notice the weakness and fix it, and a foothold established before integration can persist through it: once the two environments are connected, the attacker has a path from one company's network into the other's, giving them access to both companies' sensitive information.

The earlier companies can effectively and objectively evaluate cybersecurity risk as part of the M&A process, the better they can evaluate the total cost of assets and liabilities.

An M&A cybersecurity risk checklist

As with other assets, the two parties to the transaction need visibility into the whole liability picture.

Create a cyber-aware M&A team

You need to make sure that you’re including cybersecurity professionals as part of any M&A activity. When building out your team, you should consider:

___ Including the CISO

___ Creating a formal reporting mechanism for cybersecurity risk

___ Understanding your organization's cybersecurity risk tolerance

___ Creating metrics for measuring target cybersecurity

___ Aligning business strategy with cybersecurity risk

Review target organization cybersecurity posture

You need to understand how the target organization views security. Understanding its maturity level is a good way to get started. This includes requesting and reviewing:

___ Publicly available data breach information, including news reports or data breach notifications

___ Cybersecurity risk assessments

___ Cybersecurity policies, processes, and procedures

___ Incident response policy and plan

___ Recent audit reports

___ SOC 2 Type I or Type II reports

Digital asset discovery

Organizations can only protect the digital assets that they know they have. Asset discovery is the process of identifying and cataloging all active and inactive users, tools, and devices that connect to a network, then mapping their usage.

As part of the due diligence process, organizations should ensure that they have an up-to-date asset catalog that includes:

___ All IP address ranges, internal and public

___ User inventory

___ Network devices (routers, switches)

___ Physical and virtual machines

___ Cloud service providers and accounts

___ Workstations

___ Data storage locations

___ Application stack
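A catalog handed over in a data room is only a claim until it is checked against what can be observed independently. The following is an added example, not SecurityScorecard's code or anything from the original post, of the reconciliation a due-diligence team runs once it has the target's catalog: declared IP ranges, hosts and cloud accounts are compared with what an external scan, a DNS zone review, a DHCP export and cloud billing records actually show, and the gaps are ranked for the deal team. Every name, address and account number in it is constructed for illustration.

```python
"""Reconcile a target's declared asset inventory against independently observed
evidence: the check behind the asset-discovery step of M&A due diligence.

Added, constructed example. The declared inventory stands in for what a target
provides in the data room; the observations stand in for what an external
scan, a DNS zone review, a DHCP export and cloud billing records turn up.
Every name, address and account number below is invented.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the target's declared inventory (hypothetical data).
DECLARED = {
    "ip_ranges": ["10.20.0.0/16", "203.0.113.0/26"],
    "hosts": {
        "203.0.113.10": "www.example-target.com",
        "10.20.5.4": "db-prod-01",
        "10.20.5.5": "db-prod-02",
    },
    "cloud_accounts": {"aws": ["111122223333"]},
}

# Constructed observations: (source, kind, identifier, note); kind is "ip" or "cloud".
OBSERVED = [
    ("external_scan", "ip", "203.0.113.10", "www.example-target.com"),
    ("external_scan", "ip", "203.0.113.77", "old-vpn.example-target.com"),
    ("dhcp_export", "ip", "10.20.5.4", "db-prod-01"),
    ("dhcp_export", "ip", "10.20.9.200", "jdoe-laptop"),
    ("dns_zone", "ip", "198.51.100.8", "legacy.example-target.com"),
    ("billing", "cloud", "aws:444455556666", "sandbox"),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """Explicit RFC 1918 test. ipaddress's is_private also flags the TEST-NET
    documentation blocks used in this sample data, which would hide the public hits."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def reconcile(declared: Dict, observed: List[Tuple[str, str, str, str]]) -> Dict[str, list]:
    """Bucket every observation against the declared catalog."""
    ranges = [ipaddress.ip_network(r) for r in declared["ip_ranges"]]
    declared_hosts = set(declared["hosts"])
    declared_cloud = {f"{prov}:{acct}"
                      for prov, accts in declared["cloud_accounts"].items() for acct in accts}
    findings = {
        "outside_declared_ranges": [],    # not covered by any declared range: unknown footprint
        "in_range_but_unlisted": [],      # covered by a range, missing from the host list
        "declared_but_not_observed": [],  # listed, never seen: stale entry or dormant system
        "undeclared_cloud_accounts": [],
    }
    seen_hosts = set()
    for source, kind, ident, note in observed:
        if kind == "cloud":
            if ident not in declared_cloud:
                findings["undeclared_cloud_accounts"].append(
                    {"account": ident, "note": note, "source": source})
            continue
        if ident in declared_hosts:
            seen_hosts.add(ident)
            continue
        ip = ipaddress.ip_address(ident)
        entry = {"address": ident, "note": note, "source": source,
                 "public": not is_rfc1918(ident)}
        bucket = ("in_range_but_unlisted" if any(ip in net for net in ranges)
                  else "outside_declared_ranges")
        findings[bucket].append(entry)
    findings["declared_but_not_observed"] = sorted(declared_hosts - seen_hosts)
    return findings


def rank(findings: Dict[str, list]) -> List[Tuple[int, str]]:
    """Order findings for the deal team: undeclared publicly routable assets and
    unknown cloud accounts first, stale inventory entries last."""
    ranked = []
    for e in findings["outside_declared_ranges"]:
        scope = "public" if e["public"] else "internal"
        ranked.append((3 if e["public"] else 2,
                       f"undeclared {scope} asset {e['address']} ({e['note']}, via {e['source']})"))
    for e in findings["undeclared_cloud_accounts"]:
        ranked.append((3, f"undeclared cloud account {e['account']} ({e['note']}, via {e['source']})"))
    for e in findings["in_range_but_unlisted"]:
        ranked.append((1, f"unlisted host {e['address']} inside a declared range ({e['note']})"))
    for addr in findings["declared_but_not_observed"]:
        ranked.append((1, f"declared host {addr} not observed: confirm it still exists"))
    return sorted(ranked, key=lambda r: -r[0])


if __name__ == "__main__":
    for score, text in rank(reconcile(DECLARED, OBSERVED)):
        print(f"P{score} {text}")
```

The three buckets matter differently to the deal: an address outside every declared range is footprint the target did not know about or did not disclose, and a public one is reachable by the attackers described earlier in this post; an unlisted host inside a known range is usually an inventory hygiene problem; a declared host nobody can observe is either decommissioned (clean up the catalog) or dormant and unmonitored (find out which before signing).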

Engage in independent review

As part of the process, you need to confirm that the records provided are accurate and up to date. The further into negotiations you go, the more assurance you need.

Although you may not want to engage in a full-blown audit, you should consider:

___ Reviewing penetration test reports

___ Engaging a penetration testing firm

___ Deep web and dark web research for leaked information, like sensitive data or credentials

___ Network monitoring

Apply financial value

After gathering the information, you need to consider how it impacts the overall deal. The research only adds value to your M&A activities if you can quantify the liabilities.

Similar to how you evaluate cybersecurity risk before engaging with a third-party vendor, you need to consider potential costs arising from:

___ Breaches or exploitable vulnerabilities already present at the target but not yet discovered

___ Need for new detection tools

___ Need for new monitoring tools

___ Need for new investigation tools

___ Additional staffing

___ Security weaknesses introduced during integration

___ Cyber risk insurance premiums

SecurityScorecard: Risk monitoring for M&A

M&A activities enable your organization to scale. However, to fully realize the business value from a merger or acquisition, you need full visibility into all financial risks, including those from cybersecurity.

SecurityScorecard's security ratings platform offers real-time risk visibility across ten categories of risk. SecurityScorecard's Atlas platform uses artificial intelligence (AI) and machine learning (ML) to help organizations send and validate security questionnaires. Our secure platform makes it easy for you to send M&A security questionnaires and validate responses in real time.
