October 8, 2019 By Adeeb Rashid 3 min read

Mergers and acquisitions (M&As) are a critical part of doing business in our modern, hypercompetitive world. Of all the factors that go into the valuation of a deal, cybersecurity occupies a prime place of importance. Ignoring it is a recipe for disaster.

When an enterprise takes over or acquires another one, it takes on that company’s assets and liabilities as well. The valuation of the deal accounts for these factors. Nowadays, taking over a business entails absorbing its digital operations too, which means potentially opening the parent organization to cybersecurity threats and the risks associated with acquired applications and information systems.

That’s why it’s so crucial for business and security leaders to perform due diligence when finalizing M&A deals. Failure to do so can jeopardize the deal’s anticipated value. On the other hand, early detection can go a long way toward resolving cybersecurity issues in time.

Is Cybersecurity on Your M&A Due Diligence Checklist?

Of all the risks associated with M&A deals, cybersecurity issues rank right at the top. Besides violating rules and regulations, cyberthreats erode the assets of the merged entity, thereby damaging its reputation and derailing its growth in the market.

An acquired entity always endeavors to maximize its returns in every way. At the same time, the acquirer’s network needs to ensure adequate valuation of the deal so that it becomes a sustainable asset. Investment in cybersecurity is, therefore, a critical factor.

Cybersecurity is crucial in all kinds of businesses; it is not limited to tech establishments alone. For example, a restaurant chain is as vulnerable as an e-commerce retail store because consumers use their credit cards for payment. A data breach in either industry can cause enormous losses to consumers and, ultimately, the business.

The vulnerabilities present in untested or unreliable systems acquired as part of M&A, if exploited, could potentially:

  • Affect the day-to-day operations of the merged entity and availability of information systems;
  • Lead to loss of finances, regulatory fines and/or legal repercussions;
  • Damage the morale of both new and existing employees after an M&A has taken place; and
  • Result in reputational damage to the enterprise.

Cyberattacks can compromise much more than just credit card data. For example, an attack on a pharmaceutical producer could compromise a well-guarded formula for a drug, the breach of a manufacturing entity could compromise product designs, and an insecure distribution network might put transportation models at risk. Simply put, cybersecurity issues affect every business model.

How a Data Breach Can Derail a Merger or Acquisition

Data breaches represent one of the greatest risks companies face during an M&A deal, and a breach can reduce the value of an agreement considerably — in some cases, to the tune of more than $350 million, or about 7 percent of the original price.

If a malicious actor hacks into a company’s network, the threat could remain undetected for a long period of time, even when sophisticated cybersecurity systems are in place. When this happens, the merged entity’s security team may not discover the breach until after the M&A deal has closed. That’s why it’s so crucial to conduct a thorough cybersecurity assessment before merging with or acquiring a company.

Even if a company’s bottom line is unaffected by a security lapse, its reputation could take a severe hit. It may be impossible to know just how much data was lost in a breach and, therefore, to assess the resultant damage. What is certain is that data breaches erode customer trust.

Many enterprises have cyber insurance coverage, but whether a firm will actually cover a data breach is a matter of conjecture. Even if insurance does offset the costs associated with a breach, companies need to practice due diligence to keep prices from falling during an M&A deal.

M&A Cybersecurity Assessment Checklist

Business and security leaders should take the following preventive and detective measures to ensure due diligence and vigilance during a merger or acquisition:

  • Conduct a third-party cybersecurity audit of the information systems being acquired to detect any vulnerabilities and assess the current state of cybersecurity.
  • Take careful stock of the organization’s technological assets and liabilities before completing acquisition formalities.
  • Take advantage of third-party services to assess the cybersecurity posture and maturity of the organization being acquired.
  • Proactively assess and monitor the networks, applications and other systems on both the acquirer’s and the seller’s side.
  • Assess the resilience posture of the target acquisition’s third-party vendors.

It is impossible to achieve total, fool-proof protection from enterprise security threats, especially with increasing pressure and competition in the marketplace prompting companies to join forces. However, there’s no excuse for cutting corners on your due diligence when, depending on the size of the companies and severity of any vulnerabilities discovered before, during or after an M&A deal, up to hundreds of millions of dollars — not to mention your customers and reputation — are at stake.
