Skip to main content

Due diligence for Mergers and Acquisitions through a cybersecurity lens

As businesses slowly start opening up and moving towards pre-COVID-19 growth levels, Mergers and Acquisitions (M&A) are also gradually reviving. As per the latest M&A trends survey conducted by Deloitte, 61 percent of US deal makers expect M&A activity to return to pre-COVID-19 levels within the next 12 months.[1]

Over the past few years, cybersecurity has started playing a bigger role in M&A. Several acquiring companies suffered hefty losses as they realised the target company’s past data breaches only after completing the final deal transactions. This, in turn, resulted in significant financial fines and reduction in the target company’s overall deal value that could have been avoided if cybersecurity due diligence had been conducted at the initial stage.

In the aftermath of COVID-19, this issue has compounded as M&A transactions depend on collaborative tools and technologies. The shift to remote working, coupled with an increase in data breaches and privacy/cybersecurity regulations across the globe, has shown that cybersecurity is imperative during the entire M&A life cycle.

In this blog, we look at the due diligence process for M&A through a cybersecurity lens and understand its risks and associated challenges.

Understanding the cyber due diligence process

During an M&A transaction, the acquiring company conducts due diligence to better understand the target company’s operations such as finance, technology, HR, supply chain, marketing, and sales. Similarly, the acquiring company conducts cybersecurity due diligence to understand cybersecurity controls and potential risk areas in the target organisation (including any subsidiaries and third-party vendors).

During the due diligence process, the following key cybersecurity-focussed questions need to be asked:

  1. How has the target organisation done in the past in terms of cybersecurity, i.e. have there been any major security incidents, regulatory fines or data breaches?
  2. What are the current security controls in place and how are they performing? Some specific risk areas to consider:
  • Security governance and management
  • Usage of open-source software for critical data processing
  • Cloud security risk (where data is on cloud)
  • Infrastructure risk
  • Intellectual Property (IP) and crown jewel security risk
  • Cyber resilience risk
  • HR-related risk
  • Compliance risk
  • Regulatory risk
  • Data privacy risk

Will the organisation be able to respond to the evolving threat landscape in the future? If not, how much effort is required to enhance its security posture?

Getting an answer to these questions will help the buyer gain an insight into the potential risk areas and anticipate the amount of effort and cost required to fix security issues or make them compliant with the buyer’s security policies.

Challenges faced during the due diligence process

Conducting due diligence requires significant preparation, analysis and research. Some challenges faced while performing the due diligence process include the following:

Getting timely support (in terms of access, documentation, and other details) from the target organisation to conduct due diligence, is essential. The target organisation is often hesitant to provide these details as it could reduce the value of the acquisition or derail the entire process.

In a high-value deal, the time to conduct a due diligence is often limited due to competition from multiple potential buyers.

Although buyers are expected to have conducted the target company’s in-depth analysis, they may be unaware of any past incidents or breaches.

Although buyers are expected to have conducted the target company’s in-depth analysis, they may be unaware of any past incidents or breaches.

There are several tools in the market that can identify potential or unidentified data breaches. However, a vast majority of organisations may restrict access to these tools due to confidentiality reasons.

Organisations need to comply with numerous cybersecurity and data privacy laws and regulations, depending on their industry sector, geographical presence and business type. This makes it challenging for the acquiring company to understand the requirement and its implication in the deal transaction.

In case the buyer is looking to purchase a portion (a few products, market, segment or business unit) of the target organisation, the scope of due diligence needs to be defined and understood. Carve out risks (risk of dependencies on parent organisation for cyber-related services) become significant in this situation.

A due diligence outcome depends on the target company’s interest to sell. The higher the interest, the more chances of the buyer getting a good understanding of the cyber posture. This will enable sound decision-making on the deal.

The intensity of cyber due diligence depends on the use and adoption of technology in the target organisation. Cybersecurity will be more relevant if technology has a dominant role in running and managing the organisation and its business operations.

Understanding the integration strategy planned by the business, in case of an acquisition, helps in better decision-making and risk remediation. The cyber team will have a better view of the future and be better able to answer the question of whether the organisation will be able to respond to the evolving threat landscape in the future? And if not, how much effort/cost is required to enhance the organisation’s security posture to do so?

Identifying applicable privacy cybersecurity laws and regulations (such as PCI DSS, GDPR, and CCPA) is critical for due diligence. The buyer must get an assurance and related artefacts for compliance with regulatory requirements and applicable laws by the target organisation.

What about after the due diligence – post acquisition

Due diligence is only the first step towards any acquisition. When the buyer decides to go ahead with the acquisition, a Seller-Purchase Agreement (SPA) is signed with the target organisation. SPA agreements contain conditions that need to be adhered to, by the target company. Buyers can include any control requirements they would like the target organisation to enforce for any high-risk area identified during the due diligence. After signing the SPA, the buyer needs to abide by certain regulatory approvals before finalising the deal.

Finally, when the deal is closed and publicly announced, technology integration activities are planned and implemented. Most of the deals go through a transition period, wherein, the acquired company moves its technology operations to the buyer’s infrastructure. In certain cases, the technology operations of the acquired companies are kept separate and not integrated. These decisions are usually made by the business steering committee involved in the M&A process, keeping in mind strategic business objectives. However, cybersecurity needs to be embedded irrespective of the integration type. The cybersecurity team should evaluate risks at each stage of integration and manage them in co-ordination with the technology team(s).

Conclusion

Each due diligence exercise is different, and its intensity depends on the factors outlined in this blog. We cannot follow a one-size-fits-all approach. Therefore, pursuing each exercise differently, depending on the nature of the deal but also covering the necessary elements of cyber risk, is important for an effective diligence exercise.

References

https://www.forbes.com/sites/allbusiness/2020/04/17/impact-of-coronavirus-crisis-on-mergers-and-acquisitions/?sh=4a85dc1e200a

https://www2.deloitte.com/us/en/pages/mergers-and-acquisitions/articles/m-a-trends-report.html?id=us:2em:3cc:4dcom_share:5awa:6dcom:mergers_and_acquisitions