Another merger, another acquisition, another breach…
Organizations are exposing themselves to undue risk by overlooking cybersecurity implications during the screening and due diligence process of an M&A transaction. A few years ago, cybersecurity due diligence consisted of a set of questions that the acquiring firm presented to the target firm, perhaps followed by an on-site visit or a phone call. Today, security is a boardroom issue, and its implications can seriously diminish the value of the future combined organization, especially where sensitive data and intellectual property are concerned. These have a direct impact on your ability to do business and, as a result, on the valuation of the deal (Yahoo lost 350MM after disclosure).
Do not overlook these implications or delegate them to the IT team to fix during integration.
At a minimum, organizations should conduct spot checks and a SWOT analysis; screen the target externally through conventional methods (annual filings, disclosures, open source intelligence) and non-conventional methods (cybersecurity rating services?); review current and previous assessments such as maturity assessments, pen tests, vulnerability assessments and audit findings; and understand the target organization's program structure (policies, frameworks, org structure, incident response playbooks, staffing structure, etc.) in order to analyze the risk landscape they are most likely to inherit.
Note: YMMV — organizations may have trouble accessing some of this documentation pre-deal depending on who the bigger elephant in the room is and the emphasis on cybersecurity posture.
Cybersecurity is critical to the due diligence process; treat it as a business function to avoid any rude shocks during the process.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.