Why Cybersecurity Due Diligence is Vital in Mergers and Acquisitions

Why Cybersecurity Due Diligence is Vital in Mergers and Acquisitions

Every organization must have a cybersecurity policy that addresses prevention instead of cure. However, no matter the preventative measures being put in place by companies, they could still become a victim of attacks which could become a disaster without a response plan. 

But, having a plan is not enough. Organizations that have a good track record and robust procedures and processes in place will usually secure a higher value than others. This makes it essential for both sellers and buyers in any merger or acquisition to prioritize cybersecurity due diligence.

How to Prepare

To determine the preparedness of a company for a cyber incident, they need to understand its risk profile. There is a wide range of possible risks, including disclosure of confidential data through social media, inadvertent disclosure of business secrets through email, inappropriate use of insecure communication, hosting tools, and services, as well as not identifying cyber attacks through social engineering and emails. It is imperative that organizations have policies and procedures in place to let their employees recognize them. Also, they have to implement technical and organizational measures to repel or prevent these incidents. Should an incident occurs, they should have a rapid reaction task force to reduce losses.

Aspects of Cybersecurity Due Diligence

In the acquisition process, both the acquirer and the target company can start due diligence in terms of cybersecurity early. The reason is that the target company may not have all the information on hand right away and depending on the outcome of the inquiries, the transaction’s direction and price may be impacted. 

For the target company, the information they have on hand may be price-sensitive and have been kept confidential. That is why they need to have a non-disclosure agreement with the buyer before they give such information. Due diligence in cybersecurity often includes the following aspects:

  • Managing data. Before evaluating the data management risk, it’s essential to determine the data the target company holds. Issues can include where the data was acquired, where it is held, the significance of this data to the business, why it’s being held, and the uses of this data.
  • Determining third-party risk. Although all contacts with third parties must be evaluated from a due diligence perspective, such contracts must be investigated to identify if any third party has any degree of access or interface to the systems or data of the target company. 
  • Paying attention to the policies and behavior of the target company towards its workforce. Targeted emails or phishing and lax internal controls can offer a threat to business. Thus, temporary workers, consultants, contractors, and C-suite executives must be included in the evaluation. 


Estela Pfeiffer