Cybersecurity: A Crucial Due Diligence Component in M&As
We are a digitally dependent society. No big secret there. But a corporate acquisition strategy that overlooks this basic fact runs the risk of ignoring a key piece of the due diligence puzzle. Acquiring companies go to great lengths to assess the financial performance of a potential target company. What frequently slips under the radar is the target company’s cybersecurity strength.
Data security breaches on the rise
Data security breaches at corporations rose by more than one-third in 2015, resulting in an average total loss of $2.5 million per incident, according to a recent Wall Street Journal article. “It’s no surprise, then, that 88% of US CEOs are worried that cyber threats could impact growth prospects,” WSJ said, citing a 2016 PwC survey of global CEOs.
An acquiring company needs to know just as much about a target’s cybersecurity infrastructure as it does about its financial performance. What cyber risks are you taking on if you acquire the target? How will cybersecurity issues be managed? Thoroughly review your target’s security architecture.
Six preliminary cybersecurity questions to consider:
Has your target company made investments in both detection controls and preventative measures to protect sensitive data?
Is the target company’s information security staff prepared to support and manage potential risks?
Have non-tech employees been adequately trained in cybersecurity disciplines?
Can you know for sure that your target company has not already suffered a data breach?
Have insider threats been mitigated?
Have appropriate third-party controls been established?
Corporations are not the only ones being targeted. Hackers have attempted to exploit the computer networks of dozens of M&A law firms in 2016 alone, so it’s equally important to vet third parties in every deal. Choose only vendors with the strongest data security records to ensure that cyber threats remain outside the M&A process.