Mergers and acquisitions (M&As) are a critical part of doing business in our modern, hypercompetitive world. Of all the factors that go into the valuation of a deal, cybersecurity occupies a prime place of importance. Ignoring it is a recipe for disaster.

When an enterprise takes over or acquires another one, it takes over that company’s assets and liabilities as well. The valuation of the deal accounts for these factors. Nowadays, taking over a business entails absorbing its digital operations too — which means potentially opening the parent organization to cybersecurity threats and the risks associated with acquired applications and information systems.

That’s why it’s so crucial for business and security leaders to perform due diligence when finalizing M&A deals. Failure to do so can jeopardize the deal’s anticipated value. On the other hand, early detection can go a long way toward resolving cybersecurity issues in time.

Is Cybersecurity on Your M&A Due Diligence Checklist?

Of all the risks associated with M&A deals, cybersecurity issues rank right at the top. Besides violating rules and regulations, cyberthreats erode the assets of the merged entity, thereby damaging its reputation and derailing its growth in the market.

An acquired entity always endeavors to maximize its returns in every way. At the same time, the acquirer’s network needs to ensure adequate valuation of the deal so that it becomes a sustainable asset. Investment in cybersecurity is, therefore, a critical factor.

Cybersecurity is crucial in all kinds of businesses; it is not limited to tech establishments alone. For example, a restaurant chain is as vulnerable as an e-commerce retail store because consumers use their credit cards for payment. A data breach in either industry can cause enormous losses to consumers and, ultimately, the business.

The vulnerabilities present in untested or unreliable systems acquired as part of M&A, if exploited, could potentially:

  • Affect the day-to-day operations of the merged entity and availability of information systems;
  • Lead to loss of finances, regulatory fines and/or legal repercussions;
  • Damage the morale of both new and existing employees after an M&A has taken place; and
  • Result in reputational damage to the enterprise.

Cyberattacks can compromise much more than just credit card data. For example, an attack on a pharmaceutical producer could compromise a well-guarded formula for a drug, the breach of a manufacturing entity could compromise product designs, and an insecure distribution network might put transportation models at risk. Simply put, cybersecurity issues affect every business model.

How a Data Breach Can Derail a Merger or Acquisition

Data breaches represent one of the greatest risks companies face during an M&A deal, and a breach can reduce the value of an agreement considerably — in some cases, to the tune of more than $350 million, or about 7 percent of the original price.

If a malicious actor hacks into a company’s network, the threat could remain undetected for a long period of time, even when sophisticated cybersecurity systems are in place. When this happens, the merged entity’s security team may not discover the breach until after the M&A deal has closed. That’s why it’s so crucial to conduct a thorough cybersecurity assessment before merging with or acquiring a company.

Even if a company’s bottom line is unaffected by a security lapse, its reputation could take a severe hit. It may be impossible to know just how much data was lost in a breach and, therefore, to assess the resultant damage. What is certain is that data breaches erode customer trust.

Many enterprises have cyber insurance coverage, but whether a firm will actually cover a data breach is a matter of conjecture. Even if insurance does offset the costs associated with a breach, companies need to practice due diligence to keep prices from falling during an M&A deal.

M&A Cybersecurity Assessment Checklist

Business and security leaders should take the following preventive and detective measures to ensure due diligence and vigilance during a merger or acquisition:

  • Conduct a third-party cybersecurity audit of the information systems being acquired to detect any vulnerabilities and assess the current state of cybersecurity.
  • Take careful stock of the organization’s technological assets and liabilities before completing acquisition formalities.
  • Take advantage of third-party services to assess the cybersecurity posture and maturity of the organization being acquired.
  • Proactively assess and monitor the networks, applications and other systems on both the acquirer’s and the seller’s side.
  • Assess the resilience posture of the target acquisition’s third-party vendors.

It is impossible to achieve total, fool-proof protection from enterprise security threats, especially with increasing pressure and competition in the marketplace prompting companies to join forces. However, there’s no excuse for cutting corners on your due diligence when, depending on the size of the companies and severity of any vulnerabilities discovered before, during or after an M&A deal, up to hundreds of millions of dollars — not to mention your customers and reputation — are at stake.
