During potential Mergers & Acquisitions (M&A), there exists a due diligence period similar to the due diligence period when you are buying a house. Like when you buy a house, the buyer has the opportunity to review, research, and fully inspect the asset. Generally speaking, when people think of M&A due diligence, they naturally think of financial reviews of various financial statements to ensure the price being offered makes sense. What you may not realize is that there should ALWAYS be a cybersecurity assessment of a potential asset as well. According to a recent ISC2 report, nearly 50% of the respondents said that something uncovered during the security audit caused a deal to be canceled.
Importance of a Cybersecurity Audit as the Buyer during a Merger & Acquisition
- Structural Integrity – Would you want to buy a house if you found out that the house had been infiltrated by termites and the seller wasn’t aware? Would you want to buy a company that had been infiltrated by attackers? It is one thing if the house or company had been breached, the breach was detected, and measures had been taken to remove them and/or remediate the issue. However, if a breach had previously gone undetected, that should raise a red flag.
- Proper Defenses in Place – Is the company you are purchasing properly defending itself against attacks? The last thing you would want to happen is to purchase the company and within the first few months, they suffer a breach that could cripple the now combined company. One should not be so naive as to think that they can take the entire defensive strategy that exists for the purchasing company and implement it on the acquired company as soon as the purchase is complete. These things take time and cannot be done overnight, leaving the company at risk for some period of time.
- Handling of Prior Breaches – In today’s world, odds are the company you are looking to acquire may have had some form of breach in the past. How was this breach handled? According to the ISC2 report, 88% of the respondents said that the proper handling of a breach (properly remediating vulnerabilities and paying fines) actually increased the company’s value.
Importance of a Cybersecurity Audit as the Seller during a Merger & Acquisition
- Showcase your Security Program – All of the long hours, hard work, and budget disputes for your security program can now be used as an asset during the selling process. Flaunt your program and draw attention to your effective capabilities, of course as long as what you are saying is true. Never lie, hide, or be deceitful during the due diligence process as this could come back to haunt you in the acquisition process.
- Justify your Budget – Having trouble justifying your security budget? Struggling to demonstrate the ROI of your security program? Leverage the possibility of a potential M&A transaction in the future to your advantage. Over 95% of the respondents to the ISC2 survey said that they consider the cybersecurity program to be a tangible asset. Use this fact as part of your long-term strategy and it will pay huge dividends if and when the time comes, with the added benefit of improving your security posture today!
- Don’t be the Bad Apple – As the saying goes, one bad apple can ruin the barrel. Do not be the reason that your company failed to be acquired because of the handling of a prior breach or the immaturity of your security program. Have procedures in place, practice your incident response plan, fight for your ongoing security budget, ensure you are prepared to handle a potential breach, and think long-term for your security program.