As a merger & acquisition (M&A) deal progresses through its lifecycle, cybersecurity and data privacy risks steadily increase.
Cybersecurity due diligence is important in M&A because it provides insight into potential cyber risks and how they could affect the success of the transaction. It helps protect confidential information and company data from malicious actors who might try to use the information for personal gain.
Without proper cybersecurity due diligence in M&A, risks can be significant. In recent years, some companies are setting aside a percentage of the total transaction for the potential fallout of an impending attack. A 2019 Forescout survey shows that 53% of respondents said that their organization had experienced a critical cybersecurity issue during an M&A deal that put the deal at risk. After closing a deal, 65% of respondents regretted the deal because of potential cybersecurity issues.
Higher Success Rates: Improve the number of M&A deals that are successful and avoid fines or the cost of losing the trust of customers, partners, and investors.
Negotiations Leverage: Strengthen your negotiations for more favorable valuations by developing a proactive plan to leverage cybersecurity as a tool.
Know Where You Stand: Get a comprehensive view of the intellectual property and technological assets of the target organization.
Reduce Costs: Reduce the time and other resources needed to meet investment goals.
Productivity: Stave off costly disruptions in workflow or employee productivity by better protecting data, networks, and systems.
Enhance Security: Uncover dormant threats early on to prevent putting a deal in jeopardy or losing revenue after the deal closes.
Keep Customers Safe: Keep customer data private and compliant with data compliance regulations.
The M&A cybersecurity lifecycle consists of four steps.
It’s critical to uncover how robust the target’s data security and information technology practices are from the start. Know how serious the company is about data privacy compliance at the beginning of the M&A lifecycle. In an effort to protect against threats to national security and the data of citizens, M&A regulators are scrutinizing deals and issuing fines for non-compliance. New regulations such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) both require that companies take steps to ensure that any personally identifiable data that is being transferred between entities as part of a deal is done so securely and in compliance with the applicable regulations.
Acquiring companies with bad cybersecurity posture will make it easier for dormant hackers to strike. If a breach occurs due to inadequate cybersecurity measures, organizations risk reputational damage and the erosion of customer, partner, and employee trust. Buyers must be thorough to uncover the amount of risk in the seller’s assets and the seller wants to manage transactional risk. Both the buyers and the sellers want to manage post-closing risks.
Develop a proactive plan to conduct due diligence through risk profiling. During the process, the buyer and seller collaborate to assess the target company’s current cybersecurity posture, identify gaps, and agree on the level of acceptable risk. This process can help reduce the financial risk of a possible data breach. Risk associated with a data breach includes costs to recover from and respond to an attack, research and legal fees, lost market, reputation damage, lower staff morale, and potential financial penalties. Having a plan can also reduce the M&A lifecycle because you have a plan to uncover risk and can start from the beginning.
Having a cybersecurity due diligence playbook is recommended. Here are key steps for your organization’s playbook:
Not only should you document this playbook for repeatable and successful due diligence, but you should also continually challenge the playbook and its assumptions to evolve with the cybersecurity threat landscape.