In recent years, cybersecurity hacks have exposed companies to significant losses in revenue and earnings, market cap, class action lawsuits, and brand reputation issues. For executives engaged in M&A transactions, conducting due diligence on cybersecurity vulnerabilities is essential to reveal unknown risks to acquisition costs, deal completion, transaction valuation, and post-merger integration. A recent Forescout report  on M&A transaction risks indicates that 60% of organizations engaging in M&A activity will consider cybersecurity posture as a critical factor in their due diligence process. 

M&A transactions are intended to achieve financial and operational efficiencies, Information Technology cost reduction, economies of scale, market strength, and future growth potential. But these outcomes do face increased risks from acquiring an entity’s cybersecurity, data privacy, and industry/regulatory compliance exposures. Therefore, it’s essential that your due diligence thoroughly assesses cyber risk potential before transaction completion, and again during integration planning and before linking up IT environments.  

The implications of cybersecurity risk can be severe for both the acquiring and merging entity, as we have seen in a few high-profile public cases. 

  • Marriott’s acquisition of Starwood. A couple of years post-acquisition, a security advance persistent threat (APT) was discovered in Starwood’s IT environment that existed for four years prior and resulted in a massive data breach (500 million guest records) that cost Marriott $123M in GDPR fines. 
  • Verizon’s acquisition of Yahoo. Two data breaches came to light during negotiations that hadn’t been disclosed, resulting in a $350m reduction in the purchase price. 

“Conducting a cyber risk assessment during diligence is like buying insurance to protect the deal.”

It’s essential to remember that most cybersecurity problems that impact M&A transactions are revealed under strict NDA and therefore are not publicly reported. The issues can be more mundane that hinder integration and realizing the full potential of what the merger or acquisition has to offer. But if not addressed, these cybersecurity issues threaten not only the success of the transaction to achieve its targets but also put both organizations’ reputations at risk if problems arise. Ultimately, CREO is engaged by its clients to assess cybersecurity risks to reduce surprise and increase confidence in a corporate transaction. CREO’s M&A specialists liken cybersecurity risk assessment to buying insurance to protect a deal.  

Cybersecurity and Compliance Span the Entire M&A Process 

Diligence is when CREO typically conducts most of its cybersecurity investigations. Still, ideally, we advise that it should be considered earlier in the M&A process because regulatory compliance requirements may vary by geography. For example, the EU, the US, and China each have different laws governing data privacy with varying complexity and costs. It’s also important to consider the types of contracts the M&A target holds with its customers. For example, a target company that contracts with US federal agencies may require compliance with FISMA or FedRAMP, which come with heavier security expectations. Other customers or industries may expect SOC 2 or HITRUST certifications which are costly to maintain.

“Cybersecurity and data privacy should be considered starting in the strategy phase.”

During the diligence phase, a cybersecurity assessment of the target is conducted and, often, where some weaknesses and vulnerabilities will be identified that need to be addressed before the deal closes or during post-acquisition integration.  

In the integration phase, many findings can be remediated if they’re identified during diligence and incorporated into an integration plan. Undoubtedly, additional findings will be identified as details of the IT environment are better understood. Therefore, it’s essential to operationalize a plan of action with defined milestones and timelines so that security vulnerabilities and risks to the bottom line are addressed and not lost within the myriad of integration activities. 

 Effectively Evaluating Cybersecurity During Due Diligence

Top pitfalls to avoid during the M&A Process

  • Rushing the cybersecurity assessment or treating it as a check the box step. It should be integral to the process, not an afterthought.
  • Relying too heavily on a self-assessment questionnaire to conduct a risk assessment which may be incomplete or filled with inaccuracies
  • Sharing sensitive diligence information by unprotected email.
  • Failing to understand the target’s high value data assets, where they reside and how they’re being protected.
  • Not understanding the full data privacy compliance exposure that the target introduces.
  • Not considering the implications of the target’s customer base and contractual requirements that may come with security and compliance commitments.
  • Insufficiently planning the integration that will be needed for all functions of the combined complay: IT, HR, shared services, Finance and maybe most importantly culture.

Given the large volume of business information that must be disclosed and reviewed in a relatively short period during diligence, there isn’t enough time to crawl over every inch of an organization’s IT security controls to identify potential exposures and threats. Therefore, conducting a risk-based assessment is essential to focus your time and attention on what matters most. CREO M&A specialists start client cyber assessments by understanding an acquiring company’s tolerance levels across multiple risk dimensions to gain context and perspective before diving into a target entity’s areas of dimensional risks, which often include financial, operational, reputation, and compliance.

For the target entity, CREO starts by taking a top-down look at security and compliance through the lens of the company and what information is most important for achieving desired business outcomes. This requires understanding the company, high-value data assets, and mission-critical systems and processes. We then quickly assess how well the most critical data and systems are protected.  

Additional areas we review include:  

  • Past risk assessments and penetration tests, and follow-on remediation actions 
  • Multi-factor authentication deployment status
  • Privileged users and key person risks 
  • Endpoint management 
  • Credential management for accessing SaaS providers
  • Culture of security awareness  
  • Access control management and adherence to least privilege 
  • How sensitive data is used, stored, and shared  
  • Effectiveness of business resiliency plans, processes, and technologies

As timelines allow, CREO conducts a technical control gap assessment, looking at the various security controls the company should have in place to meet its business objectives. 

We combine these findings of vulnerabilities, analyze by likelihood of occurrence and impact and prioritize them by inherent risk, provide recommendations to remediate, and then determine the residual risk. An action plan follows to ensure that recommended improvements are implemented. 

This approach allows the acquiring entity to line up its target company’s risks against its own tolerance, thereby enabling an effective assessment of the target’s security posture and fit and ultimately feeds into the decision to proceed with the deal or not. 

Tips For a Smooth M&A Process

The M&A process typically occurs during tight timelines and under high pressure, so it’s understandable cybersecurity, and compliance gaps can sometimes be missed during the due diligence step. 

CREO follows a set of procedures to help companies adequately assess risks during the M&A diligence process: 

  1. Take a structured approach. Playbooks are helpful and can be supplemented with subject matter experts. 
  2. Apply a risk management lens. Determine where security is most important and how much is needed to protect the target and its data assets.   
  3. Don’t rely too heavily on security questionnaires and self-assessments. Instead, verify that the target can back up its statements.  
  4. Understand compliance expectations. Both regulatory and industry certifications have unique compliance needs and perspectives.  
  5. View cybersecurity as a journey. No entity has perfect cybersecurity. It does not exist. Understand your maturity level and build a roadmap for improvement.

How Does CREO Help?

CREO relies on its M&A specialists’ expertise and CREO proprietary methodologies to help companies minimize risk exposure and achieve successful M&A outcomes. Our solutions include the following:

  • Due Diligence Management. We manage a timely and thorough due diligence process that drives alignment and accelerates value realization during integration.
  • IT and Cybersecurity Due Diligence Assessments. We identify risks of a target’s IT, cybersecurity, and compliance posture to help add confidence to the deal and reduce surprises before it is signed.
  • Post-Merger Integration. CREO guides organizations through successful integrations that ensure deal thesis realization and establish competencies for future transactions.
  • Divestitures. CREO drives transaction speed, efficiency, and workstream expertise to right-size separation activities and allows business executives to remain focused on building the future.

Contact CREO to discuss how our M&A specialists can help you assess cybersecurity risks as part of M&A diligence. 

Rett Summerville is the Director of Cybersecurity & Compliance at CREO and an expert IT security and risk management leader with over 20 years of experience in information security programs, integrated risk management, data privacy, IT quality, and regulatory compliance. He is passionate about helping organizations improve their cybersecurity maturity, effectively manage risks, improve security awareness, and maintain compliance.