Another merger, another acquisition, another breach….
Organizations are exposing themselves to undue risk by overlooking cybersecurity implications during the screening and due diligence process of an M&A transaction. A few years ago, cybersecurity due diligence consisted of a set of questions that the acquiring firm presented to the target firm, maybe with an on-site visit or a phone call. Today, security is a boardroom issue, and the implications associated with it can seriously diminish the value of the future organization, especially with regard to sensitive data and intellectual property. These have a direct impact on your ability to do business and, as a result, on the valuation of the deal (Yahoo lost 350MM after disclosure).
Do not overlook these implications or delegate them to the IT team to fix during integration.
At a minimum, organizations should conduct spot checks and a SWOT analysis; screen the target externally through conventional methods (annual filings, disclosures, open source intelligence) and non-conventional methods (cybersecurity rating services?); look at current and previous assessments such as maturity assessments, pen tests, vulnerability assessments and audit findings; and understand the target organization's program structure (policies, frameworks, org structure, incident response playbooks, staffing structure, etc.) to analyze the risk landscape they are most likely to inherit.
Note: YMMV — organizations may have trouble accessing some of this documentation pre-deal depending on who the bigger elephant in the room is and the emphasis on cybersecurity posture.
Cybersecurity is critical to the due diligence process; treat it as a business function to avoid any rude shocks during the process.
Gartner clients can view my newest research and guidance here: