Cybersecurity and Mergers and Acquisitions Transactions

General March 7, 2025

When one company seeks to acquire another, or when two businesses contemplate a merger, pre-deal due diligence is intended not merely to confirm that the business is as represented, but also to uncover problems that could expose the acquiring company or merged entity to liability or risk after the deal has closed. Among the areas subject to increasing scrutiny is a company's cybersecurity posture. Regulatory bodies at the federal and state level are imposing increasingly strict cybersecurity standards, to say nothing of international requirements, and phishing, ransomware, and other malware attacks continue to target businesses of all sizes. Noncompliance or inadequate safeguards on sensitive data can expose companies to significant financial and reputational risk.

Whether your organization is in talks to purchase another company, or you are considering putting your own business on the market, conducting a thorough cybersecurity review to identify and mitigate preexisting vulnerabilities is vital. Otherwise, you may be stuck with steep costs to remediate unanticipated problems, or be held liable for incidents that can be traced back to poor cybersecurity or undisclosed issues.

Why Cybersecurity Matters in M&A

Businesses that handle personal or sensitive information are being held to increasingly high standards for protecting it. Failing to meet applicable requirements can be costly, though the cost depends on the framework: HIPAA violations carry civil fines and, for knowingly obtaining or disclosing protected health information, criminal penalties, while a lapsed SOC 2 attestation or CMMC certification can cost a company its customers or its eligibility for defense contracts. In an M&A context, uncovering previous violations or breaches can significantly change the terms of a deal, or whether it goes forward at all. For example, Verizon's 2017 acquisition of Yahoo closed at a price reduced by $350 million after Yahoo disclosed two previously unannounced data breaches that together affected more than 1 billion user accounts.

Even when there is no red flag of a previous cyber incident to consider, the acquiring company must carefully examine the target company's current cybersecurity infrastructure and protocols to determine whether they meet its own standards, and budget for bringing them up to that level. Integrating different cybersecurity systems can include expenses to:

  • Upgrade outdated systems: overhauling or replacing legacy hardware and software that cannot support modern security controls (for example, systems that can no longer be patched).
  • Incorporate new security controls: putting measures such as multi-factor authentication (MFA), intrusion detection systems (IDS), encryption of data at rest and in transit, and tested, offline backup procedures in place.
  • Train employees: training staff on the combined company's security policies and procedures, and raising security awareness so that employees recognize phishing and ransomware lures.
  • Conduct third-party audits: hiring an outside cybersecurity firm to perform penetration tests and audits that identify vulnerabilities before attackers do.

In addition, the acquiring company needs to determine whether the target company has a cyber insurance policy in place, and what that policy actually covers. It also needs to scrutinize the terms of its own insurance to verify that there will be no gaps in coverage as the deal closes and systems are integrated; cyber policies commonly require the insurer to be notified of a change in control or a newly acquired entity before coverage extends to it.

When cybersecurity issues are uncovered during due diligence, they can push back the overall timeline of the deal: further cybersecurity assessments, remediation of the vulnerabilities found, and regulatory clearances all take time. These delays increase transaction costs, erode the competitive advantage of the target company, and may even cast doubt on the viability of the deal.

Best Practices for Mitigating Cybersecurity Risks in M&A

What can your company do to go into a potential deal with complete information about the risks involved? Here are the key steps and the questions each one should answer:

  • Identify relevant compliance and regulatory considerations
    – Does the acquisition involve healthcare, defense contracting, cross-border transactions, or jurisdictions with specific cybersecurity regulations?
  • Review past cybersecurity incidents
    – Has the target company completed system updates and post-incident remediation?
    – Are there lingering third-party claims?
    – What was the overall impact?
  • Evaluate data storage practices
    – Do data storage systems meet current cybersecurity standards?
    – Is third-party data adequately protected?
  • Review vendor agreements
    – Are safeguards such as audit rights, continuous monitoring, and incident response obligations in place?
    – Are privacy disclosures clear to third-party clients?
    – Are data ownership and the purpose of collection clearly defined?
  • Update the incident response plan
    – Is the target's incident response plan fully aligned with your company's standards and practices?

If your company is the one seeking to be acquired, conducting the same review before entering negotiations lets you close cybersecurity gaps that could impede a potential deal or negatively affect its terms.

Expert Cybersecurity Assessments for M&A Transactions

At Right Click, Inc., our staff is experienced in analyzing business IT and cybersecurity to mitigate risk. We provide an in-depth review of hardware, software, policies, and procedures that identifies security gaps and the solutions to address them. If you need help ensuring that your M&A due diligence covers cybersecurity risk, contact us here to schedule your consultation today.
