Shining a spotlight on cyber due diligence in the M&A landscape

This is a contributed article from Michael Aminzade, Managing Director of Cyber at 6point6

The digital age has shaken up the world of business over the past decade, to the extent that investors now say that "technology drives business". The ability to collect, analyse and harness data has fuelled the success of technology giants such as Alibaba and Google, which now help drive the global economy. Since data has become a powerful and valuable asset, and more and more companies rely on digital technology to operate, cyber criminals have continued to ramp up their attacks, posing a significant threat to businesses.

These developments have now come into play in the Mergers and Acquisitions (M&A) arena. As part of any M&A approach, buyers must consider the threat landscape and any issues that may arise from acquiring another company. Yet 40% of firms that have acquired another company discovered a cyber security issue only after the deal was done, which suggests that cyber due diligence has yet to become standard practice. Below we explore why businesses in all industries must prioritise cyber due diligence during M&As.

Cyber protection

Data breaches and cyber-attacks are among the biggest risks to businesses today, according to a World Economic Forum report, so businesses must be equipped to prepare for and respond to incidents. With companies reliant on data and technology to run smoothly and serve their clients, executives should secure their most valuable assets with dedicated cyber teams, supported by a trusted cyber partner that can help remediate weaknesses.

Executives should also take the cyber security of a target company into account during an M&A, approaching cyber due diligence as they would legal due diligence, to protect themselves from future issues. Acquirers should have a go-to strategy for analysing the target's cyber security pitfalls, so that they can create a plan of action and the budget to implement it on the day of the transaction and complete it once ownership has transferred. A post-acquisition maturity assessment should also be performed to fully understand the cyber landscape and tackle weaknesses that came with the organisation but could not be identified pre-acquisition, since normal M&A constraints limit what a target will disclose (including IP) while there is a risk the deal will not close.

Assessing threats

Cyber due diligence has to start with evaluating the current threat landscape, including any potential bad actors, external or internal, that might affect either party to the deal. To mitigate cyber risk in an M&A, acquirers should assess their targets in six key areas: the existing cyber security program; third-party security risk management; security controls for protection and detection; security and privacy controls in products and services; security controls over regulated and sensitive data; and the data privacy program.

Contracts that form a business's financial portfolio increasingly have cyber and compliance requirements built into them, so those requirements are directly linked to the value of the company. Low levels of cyber maturity and compliance, combined with a high risk tolerance, put the acquirer at greater risk of a cyber incident, and this should be factored into the price an investor is willing to pay. If these areas are poorly set up and maintained, significant investment will be needed to fix the issues and bring them into line with the new owner's tolerance levels. These repairs and improvements should be factored into the purchase, as contracts could be at risk.

Implementing a strategy

Creating a skeleton cyber strategy that can address items found during discovery is another essential part of cyber due diligence. It also ensures that cyber and compliance requirements can be included in the virtual data room for review and analysis during the sale.

Once the transaction has completed, a cyber review team should be deployed quickly to perform a deeper dive into the people, processes and cyber controls of the newly acquired entity. This builds the skeleton out into a full cyber strategy with three elements. The first is a rapid response assessment that highlights what needs to be fixed within the next 30, 60 and 90 days and beyond. The second is setting up, or integrating with, the correct information assurance governance. The third is executing the cyber and compliance programs defined in the strategy. Businesses can avoid taking unnecessary risks if they plan well and have a base strategy in place in case surprises are found in the acquired company.

Assessing a target's cyber security should form a core part of the M&A process. Companies always strive to protect their assets, and it should become standard practice to treat cyber security as an important part of that protection. The M&A process already aims to mitigate current and future risks, enabling businesses to budget for issues identified during the evaluation. However, with the rise of digital dependence, cyber due diligence must be prioritised alongside legal due diligence and become the norm during M&As.

As Managing Director of Cyber at 6point6, Michael Aminzade is responsible for the cyber portfolio of services as well as leading the team of cyber specialists at 6point6, helping companies to establish an industry leading cyber maturity. He has over 20 years of experience within the cyber security, governance, risk and compliance (GRC) industry. Prior to joining 6point6, Aminzade was the VP for Global Compliance and Risk at a large cybersecurity and managed security services provider based in the US and the CISO for a leading payment and commerce solutions provider.

IDG Connect's expert contributors come from across the spectrum of IT and business job titles.