Traditionally, due diligence for mergers and acquisitions (M&A) has focused on investigating the selling company’s operations, financials, legal and tax compliance, contracts, and intellectual property. But as technology advances and we increasingly work in the digital realm, cybersecurity due diligence has become crucial to the M&A process.
A high-level view of the seller’s security status isn’t enough. Just because a company invests in the latest cybersecurity technology doesn’t mean it’s properly implemented. It’s important that the buyer conducts a thorough cybersecurity assessment and examines what specific security measures the seller has in place. The results could have a major impact on the buyer’s value of the target company. Remember what happened to Yahoo!? It took a $350 million cut on the deal with Verizon after revelations of security breaches at the web company were reported.
For those on the buying side of a M&A deal, here are five questions to consider during the due diligence process:
Has the selling company suffered any cybersecurity breaches?
If the answer is yes, it’s important to review the company’s response and determine if there are any lingering effects of the breach(es) that could harm your business post-deal. Things like ongoing litigation, potential for future liability, and loss of reputation could be damaging.
Does the selling company have a proper incident response plan in place?
The number and types of cyber attacks in the U.S. continues to grow. It is really a matter of when not if a company will be breached. So, whether or not the target company has suffered a breach in the past, it’s important to evaluate what defenses are in place to mitigate the effects of an inevitable breach. A proper incident response plan thoroughly outlines how the company will respond to various breach scenarios. You want to see that the selling company has made cybersecurity a priority.
Has the selling company implemented an effective internal IT security training and reporting program?
According to research from the International Association of Privacy Professionals, up to 92 percent of all incidents of regulated data exposure are caused by unintentional human error or behavior. During the due diligence process, see if the target company has created a culture of cybersecurity where employees are not only trained on how to spot potential cyber attacks but also how to report them. An open workplace that encourages and even rewards employees for reporting cybersecurity issues goes a long way in mitigating major security problems.
What security agreements does the selling company have in place with other vendors?
As the 2013 Target breach demonstrated, the security status of a company doesn’t just depend on the security measures in place on its own systems. The security of third-party vendors is also a factor to consider. Look at the security agreements the selling company has with its vendors, and ensure they will work for you post-deal.
Have you conducted a thorough cyber risk assessment of the selling company?
In addition to the items above, an overall technology risk assessment is crucial to best evaluate a company’s security posture and determine the organization’s cybersecurity strengths and weaknesses. The assessment should examine important factors like how well the selling company’s security aligns with the Center for Information Security’s (CIS) 20 Critical Security Controls, a set of actionable ways companies can protect themselves from today’s most pervasive threats. It also should evaluate the company’s network environment, physical security, existing policies and procedures, and the access controls in place. The end result is a complete report about the areas that are working well, where the vulnerabilities are, what risks they pose, what must be improved immediately, and what are less serious issues that can be addressed over time. These results will help you spot major red flags, like if the seller neglected to reveal certain risks due to knowledge of being acquired.
Cybersecurity due diligence is quickly becoming a best practice in M&A, allowing the buyer to better determine its value of the selling company. Due diligence shouldn’t fall only on the buyer’s side, though. Sellers should examine their own cybersecurity practices to avoid surprises and enhance their marketability.