Blog post

Cybersecurity Is Critical to the M&A Due Diligence Process

By Sam Olyaei | May 01, 2018

Tags: Security of Applications and Data, security, cybersecurity

Another merger, another acquisition, another breach….

Organizations are exposing themselves to undue risk by overlooking cybersecurity implications during the screening and due diligence process of an M&A transaction. A few years ago, cybersecurity due diligence consisted of a set of questions that the acquiring firm presented to the target firm, maybe followed by an on-site visit or a phone call. Today, security is a boardroom issue, and the implications associated with it can seriously diminish the value of a future organization, especially with regard to sensitive data and intellectual property. These have a direct impact on your ability to do business and, as a result, on the valuation of the deal (Yahoo lost 350MM after disclosure).

Do not overlook these implications or delegate them to the IT team to fix during integration.

At a minimum, organizations should conduct spot checks and a SWOT analysis; screen the target externally through conventional methods (annual filings, disclosures, open source intel) and non-conventional methods (cybersecurity rating services?); look at current and previous assessments such as maturity assessments, pen tests, vulnerability assessments and audit findings; and understand the target organization’s program structure (policies, frameworks, org structure, incident response playbooks, staffing structure, etc.) to analyze the risk landscape they are most likely to inherit.

Note: YMMV — organizations may have trouble accessing some of this documentation pre-deal depending on who the bigger elephant in the room is and the emphasis on cybersecurity posture.

Cybersecurity is critical to the due diligence process; treat it as a business function to avoid any rude shocks along the way.

Gartner clients can view my newest research and guidance here:
