October 8, 2019 By Adeeb Rashid 3 min read

Mergers and acquisitions (M&As) are a critical part of doing business in our modern, hypercompetitive world. Of all the factors that go into the valuation of a deal, cybersecurity occupies a prime place of importance. Ignoring it is a recipe for disaster.

When an enterprise takes over or acquires another one, it takes over that company’s assets and liabilities as well. The valuation of the deal accounts for these factors. Nowadays, taking over a business entails absorbing its digital operations too — which means potentially opening the parent organization to cybersecurity threats and the risks associated with acquired applications and information systems.

That’s why it’s so crucial for business and security leaders to perform due diligence when finalizing M&A deals. Failure to do so can jeopardize the deal’s anticipated value. On the other hand, early detection can go a long way toward resolving cybersecurity issues in time.

Is Cybersecurity on Your M&A Due Diligence Checklist?

Of all the risks associated with M&A deals, cybersecurity issues rank right at the top. Besides violating rules and regulations, cyberthreats erode the assets of the merged entity, thereby damaging its reputation and derailing its growth in the market.

An acquired entity always endeavors to maximize its returns in every way. At the same time, the acquirer’s network needs to ensure adequate valuation of the deal so that it becomes a sustainable asset. Investment in cybersecurity is, therefore, a critical factor.

Cybersecurity is crucial in all kinds of businesses; it is not limited to tech establishments alone. For example, a restaurant chain is as vulnerable as an e-commerce retail store because consumers use their credit cards for payment. A data breach in either industry can cause enormous losses to consumers and, ultimately, the business.

The vulnerabilities present in untested or unreliable systems acquired as part of M&A, if exploited, could potentially:

  • Affect the day-to-day operations of the merged entity and availability of information systems;
  • Lead to loss of finances, regulatory fines and/or legal repercussions;
  • Damage the morale of both new and existing employees after an M&A has taken place; and
  • Result in reputational damage to the enterprise.

Cyberattacks can compromise much more than just credit card data. For example, an attack on a pharmaceutical producer could compromise a well-guarded formula for a drug, the breach of a manufacturing entity could compromise product designs, and an insecure distribution network might put transportation models at risk. Simply put, cybersecurity issues affect every business model.

How a Data Breach Can Derail a Merger or Acquisition

Data breaches represent one of the greatest risks companies face during an M&A deal, and a breach can reduce the value of an agreement considerably — in some cases, to the tune of more than $350 million, or about 7 percent of the original price.

If a malicious actor hacks into a company’s network, the threat could remain undetected for a long period of time, even when sophisticated cybersecurity systems are in place. When this happens, the merged entity’s security team may not discover the breach until after the M&A deal has closed. That’s why it’s so crucial to conduct a thorough cybersecurity assessment before merging with or acquiring a company.

Even if a company’s bottom line is unaffected by a security lapse, its reputation could take a severe hit. It may be impossible to know just how much data was lost in a breach and, therefore, to assess the resultant damage. What is certain is that data breaches erode customer trust.

Many enterprises have cyber insurance coverage, but whether a firm will actually cover a data breach is a matter of conjecture. Even if insurance does offset the costs associated with a breach, companies need to practice due diligence to keep prices from falling during an M&A deal.

M&A Cybersecurity Assessment Checklist

Business and security leaders should take the following preventive and detective measures to ensure due diligence and vigilance during a merger or acquisition:

  • Conduct a third-party cybersecurity audit of the information systems being acquired to detect any vulnerabilities and assess the current state of cybersecurity.
  • Take careful stock of the organization’s technological assets and liabilities before completing acquisition formalities.
  • Take advantage of third-party services to assess the cybersecurity posture and maturity of the organization being acquired.
  • Proactively assess and monitor the networks, applications and other systems on both the acquirer’s and the seller’s side.
  • Assess the resilience posture of the target acquisition’s third-party vendors.

It is impossible to achieve total, fool-proof protection from enterprise security threats, especially with increasing pressure and competition in the marketplace prompting companies to join forces. However, there’s no excuse for cutting corners on your due diligence when, depending on the size of the companies and severity of any vulnerabilities discovered before, during or after an M&A deal, up to hundreds of millions of dollars — not to mention your customers and reputation — are at stake.
