Cyberattacks are becoming more sophisticated, which requires M&A buyers to conduct more rigorous cybersecurity due diligence. Today, we explore the M&A industry best practices for making cybersecurity investigations as effective and reliable as possible. Once you finish reading this article, you will know about the following:
- Three reasons to emphasize cybersecurity due diligence
- A detailed cybersecurity due diligence checklist for evaluating a target company
- Three ways of effectively managing cyber security of multiple vendors of the target company
- A detailed checklist to evaluate security compliance of third-party vendors
- Three best practices to manage potential risks in post-merger cybersecurity
What is cybersecurity due diligence?
Cybersecurity due diligence investigates M&A deals, joint ventures, and partnerships for cyber risks. It aims to identify security vulnerabilities, data privacy issues, compliance concerns, and vendor management risks. Although cyber due diligence is still relatively new and present in less than 10% of M&A deals, it’s critical to every transaction for a few key reasons.
The growing threat of cyber attacks
Cyber attacks are becoming more widespread across all industries and geographies. In fact, global organizations experience over 1,600 cyber attacks weekly. Companies also spend more money on dealing with data breach consequences.
According to IBM, data breach costs have reached $4.88 million per incident, a 10% increase from 2023. Beyond the direct cost, a breach aggravates other M&A risks, such as overpayment and regulatory scrutiny.
Increasing regulatory scrutiny
Regulatory enhancements also raise the stakes of cyber issues during mergers and acquisitions. For instance, in the U.S., several states, including Montana, Texas, Oregon, and Florida, adopted new privacy laws. Appropriate regulatory bodies enforce comprehensive requirements on data breach notices, cybersecurity practices, selling of personal data, and targeted advertising.
Rising dependence on third-party vendors
More companies today are exposed to vendor cybersecurity risks than ever before. The average organization uses 182 third-party vendors, and 58% of organizations attribute security breaches to vendors, according to BeyondTrust research. Vendor management risks also intensify in large enterprises with thousands of vendors, making them particularly vulnerable to data breaches.
How does cybersecurity due diligence benefit mergers and acquisitions?
Security issues, like zero-day vulnerabilities, can substantially erode value in mergers and acquisitions by causing operational delays, reputational damages, and possible lawsuits.
Unfortunately, such incidents are quite frequent — 80% of global dealmakers uncover data security issues in M&A targets. That makes thorough due diligence reviews, cyber risk mitigation, and comprehensive security governance highly beneficial in M&A deals:
- Avoiding overpayment. Acquirers can adjust deal terms to account for potential expenses upon addressing cyber risks during the due diligence process.
- Reducing legal exposure. Internal risk assessments can offset potential legal liabilities and regulatory penalties associated with data privacy and security compliance.
- Improving vendor compliance. Acquirers can improve vendor compliance by terminating contracts with high-risk vendors inherited during mergers and acquisitions.
- Making risk-based decisions. Acquirers can make more informed decisions about proceeding with deals or walking away when data security risks outweigh the potential benefits.
How to conduct cybersecurity due diligence in M&A: Best practices
A basic cybersecurity process and vendor evaluations should accompany due diligence in all deals. Some transactions, however, require a more rigorous cyber risk assessment. Let’s list them:
- High-value transactions. Mega-mergers, leveraged buyouts, and transactions that comprise a significant portion of the acquirer’s market capitalization typically require rigorous cyber risk assessments.
- Tech mergers and acquisitions. Cyber attacks tend to be more prevalent in tech companies due to complex IT infrastructures and valuable assets.
- Cross-border transactions. Cross-border deals pose unique legislative and regulatory challenges due to the complex nuances of foreign data protection laws.
- High-risk industries. Finance, healthcare, government, energy, and retail companies often hold vast amounts of sensitive data, making them highly risky from a cybersecurity perspective.
- Emerging technologies. Artificial intelligence (AI) and the Internet of Things (IoT) tend to be susceptible to cyberattacks because of their novelty and the risk of undiscovered vulnerabilities.
Virtual data rooms are currently the most secure tool for conducting due diligence.
Developing risk profiles and making cyber assessments
Profiling a target company’s cybersecurity posture helps determine whether it requires in-depth cyber due diligence. Here is how to create risk profiles for target companies:
- Understand the target company’s industry.
- Estimate the size of the target company.
- Identify whether it handles sensitive data.
Understanding how target companies protect the following sensitive data also helps with risk profiles and substantially aids vulnerability management during and after transactions:
- M&A information
- Customer data
- Sensitive data
- Intellectual property
- Product specifications
- R&D data
- Personal information of executives
To make subsequent cyber assessments, acquirers should create cybersecurity checklists. Let’s explore an illustrative checklist that covers the target company’s main cybersecurity areas.
| Cybersecurity area | Sample cybersecurity checklist |
|---|---|
| Cybersecurity program | Cyber resilience policies; security governance (roles and responsibilities); cybersecurity audits; cybersecurity compliance certificates; employee awareness initiatives; incident response capabilities; business continuity plan; disaster recovery plan; security licences; cybersecurity incident history |
| Data privacy program | Data privacy compliance (CCPA, HIPAA, GDPR); data access and usage policies; data retention and disposal procedures |
| Security measures in products and services | Secure practices in product development and software systems; security mechanisms for handling R&D data and product specifications; security options offered to users (such as two-factor authentication); capabilities for alerting users about security incidents; product vulnerability records; details on previous cybersecurity issues |
| Secure access management | Target’s access management policies; at-rest and in-transit encryption mechanisms; access control mechanisms; access monitoring mechanisms; social engineering and phishing protection mechanisms |
| Cyber threat protection and detection controls | Network security mechanisms; intrusion detection and prevention systems; anti-malware solutions; vulnerability management policies; data backup and recovery plans |
| Third-party risk management controls | Third-party data access controls; vendor assessment policies and procedures; vendor monitoring practices and regular risk assessments; incident response coordination practices; results of the latest cybersecurity procedures; third-party incident records |
Case study: Verizon and Yahoo
The Verizon-Yahoo deal illustrates how cybersecurity due diligence helps acquiring companies reveal external and internal cyber risks and reduce their post-merger impact. Verizon announced the acquisition of Yahoo’s core business in July 2016. A few months later, two massive data breaches that affected three billion Yahoo user accounts were disclosed.
“When asked, Yahoo declined to say whether it first learned of the hack before or after that deal was announced.” The New York Times Magazine
As revealed by investigators, the two cyber attacks happened between 2013 and 2014. Verizon worked closely with third-party cybersecurity services to understand the full scale of data breaches. It was revealed that cybercriminals accessed phone numbers, passwords, and even backup email addresses of “all Yahoo’s user accounts.”
To take into account risks identified during due diligence and offset the impact, Verizon lowered the deal price by $350 million and “split cash liabilities” related to litigation and government investigations. Yahoo, in its turn, faced shareholder lawsuits and SEC investigations following the data breach news, according to Reuters.
Evaluating vendors and managing vendor compliance
Vendor-related security risks, such as supply chain and partner IT infrastructure vulnerabilities, account for 15% of all data breaches. Companies can avoid such issues by choosing responsible and compliant vendors. Building a high-quality vendor network can, though, take years.
Strategic M&A buyers and private equity firms, on the other hand, usually don’t have time to evaluate hundreds or even thousands of vendors that work with target companies. Instead, acquirers adopt balanced approaches to third-party risk assessment.
Evaluating vendor cybersecurity risks
Some vendors, like office suppliers, may pose little cybersecurity risk during mergers and acquisitions. They don’t usually deal with sensitive data or core business operations of target companies. A non-compliant payment processor, on the other hand, is a significant security threat. Consequently, vendors can be categorized by the potential impact they might have during a data breach (high, medium, or low impact).
| Vendor impact | Meaning | Example |
|---|---|---|
| High impact | Vendors that handle the target company’s sensitive data and support critical business functions | Payment processors; cloud service providers; electronic health record (EHR) systems |
| Medium impact | Vendors that provide essential services but don’t handle sensitive data | Help desk services; HR service providers; digital workspaces |
| Low impact | Vendors that don’t handle sensitive data or customer data | Utility providers; office supply providers; building material suppliers |
Prioritizing vendor cybersecurity evaluation
Limiting the security compliance evaluation to critical vendors makes the task much more manageable. Here is a sample checklist for requesting cybersecurity compliance information from vendors.
| Cybersecurity vendor compliance checklist | Sample checklist item |
|---|---|
| ISO compliance | ISO 27001 (information security); ISO 27017 (cloud security); ISO 27018 (cloud privacy); ISO 9001 (quality management) |
| Regulatory compliance | CCPA (California Consumer Privacy Act); HIPAA (Health Insurance Portability and Accountability Act); HITECH (Health Information Technology for Economic and Clinical Health Act); PCI DSS (Payment Card Industry Data Security Standard); GDPR (General Data Protection Regulation, for the EU) |
| SOC reports | SOC 1 (financial reporting); SOC 2 (security, availability, confidentiality); SOC 3 (public security report) |
| Service level agreements (SLAs) | Clear vendor responsibility clauses; non-compliance penalties |
| Data security controls | Multi-factor authentication; AES 256-bit data encryption; role-based access |
| Network security controls | Firewalls; intrusion detection and prevention systems; anti-malware scanning |
Outsourcing vendor due diligence
It’s common for M&A acquirers to outsource vendor due diligence, particularly when large numbers of vendors must be investigated. This approach ensures expert-driven evaluations and frees time for other critical due diligence tasks. Outsourced due diligence can also be scaled to cover multiple targets and large networks of vendors.
Post-merger cybersecurity management
Post-merger security is a significant concern during mergers and acquisitions. According to IBM, one in three companies experience data breaches attributed to post-merger integration. Planning and supervising the IT integration process carefully is often the best way to minimize security issues in the post-transaction phase.
Establishing an integration office
Cybersecurity integration begins with establishing an integration management office (IMO). It consists of the top executives of both companies, including chief information officers (CIOs), chief information security officers (CISOs), and heads of IT departments.
Before integration, the IMO should develop a cybersecurity program that envisions the cybersecurity state of the combined company. Security teams can also work through a cybersecurity due diligence questionnaire when creating the security program:
- Will we pursue full or partial integration? How long should it take?
- What is our cybersecurity integration budget?
- What are the current security budgets of the two companies?
- Can our current systems safely ensure robust protection during post-merger integration? Or should we reconsider our security systems to face new challenges?
- Who are the critical cybersecurity employees of both companies?
- What are the core security principles of the two companies (security by design, zero-trust security, perimeter security), and which principles will be adopted in the combined entity?
- What are the current security measures of the two companies?
- How do the two companies manage cybersecurity with respect to their vendors?
- How do the security frameworks, tools, and systems of the two companies overlap? Which consolidation and cost-saving opportunities exist?
- What legal and regulatory requirements should the combined company meet?
- What cybersecurity gaps and imbalances exist between the two companies?
- Can we achieve cyber policy alignment, or should we adopt the acquirer’s approach?
Working on the main cybersecurity directions
An acquirer should work on the main cybersecurity directions during post-merger integration. Here is an illustrative post-merger cybersecurity checklist covering the activities in each direction.
| Post-merger cybersecurity direction | Typical cybersecurity procedures required |
|---|---|
| Identification | Centralize security governance and security control procedures; align security policies; evaluate attack surfaces; address cybersecurity risks and gaps in the combined systems |
| Detection | Implement intrusion detection and continuous monitoring systems; analyze abnormal activity |
| Protection | Implement security mechanisms: firewalls, anti-virus systems, access controls, data encryption, multi-factor authentication |
| Response | Develop cybersecurity incident response plans; implement threat containment and analysis systems; test breach communication plans |
| Recovery | Develop business continuity plans; install redundant data centers; test data recovery protocols |
M&A buyers can rely on general cybersecurity frameworks, like the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework, when implementing cybersecurity integrations. However, dealmakers should also consider industry-specific regulations, like HIPAA or FedRAMP.
Implementing cybersecurity systems
From Day One, an acquiring company should engage in the following cyber integration activities:
- Unifying security systems
- Migrating and consolidating data
- Deactivating redundant security applications
- Transitioning to new security applications
- Updating security licenses
- Training employees on cybersecurity awareness
- Updating physical infrastructure to support cybersecurity initiatives
- Implementing role-based access in IT systems
- Implementing endpoint security applications to support malware tracking and identity management
- Implementing vendor monitoring systems
- Obtaining cybersecurity certifications
- Making periodic security audits
Using data rooms for cybersecurity due diligence and post-merger integration
Virtual data rooms (VDRs) are M&A-centric workspaces designed to facilitate deal sourcing, due diligence, and post-merger integration.
“‘Clean rooms,’ where independent parties can analyze key data and sensitive information, have become increasingly important for minimizing cyber risks.” PwC
When working on cybersecurity due diligence and integration, M&A buyers can benefit from the following features of data rooms:
- Cybersecurity compliance. Leading data rooms comply with ISO 27001, ISO 27017, ISO 27018, CCPA, HIPAA, FedRAMP, and PCI DSS, serving as protected and regulatory-friendly dealmaking tools.
- Role-based access. VDRs employ user and document permissions, giving M&A acquirers full control of information flow during the due diligence and integration process.
- Identity management. Network access controls, strong password policies, multi-factor authentication, and session timeouts facilitate identity management and improve protection against social engineering attacks.
- Automation. VDRs employ automatic data room indexing, automatic file conversions, index upload, AI-powered redaction, and other features that automate and accelerate due diligence reviews.
- Collaboration. Automated Q&A workflows, multilingual access, cross-platform accessibility, and real-time activity tracking enable smooth collaboration of cross-functional teams during due diligence and integration.
Bottom line
- Cybersecurity due diligence investigates cybersecurity programs, security controls, and third-party relations of target companies during mergers and acquisitions.
- Assessing the target company’s vendors based on their cybersecurity impact helps to balance the cost and time investment of cybersecurity due diligence.
- Post-merger cybersecurity management should focus on identification, protection, detection, response, and recovery from cyber threats.
- Using virtual data rooms is among the best ways to improve the quality of cybersecurity due diligence and comply with strict data security regulations.