Cybersecurity Due Diligence: Now a best practice in Merger & Acquisition (M&A)

Bob Gourley March 14, 2017

Cooley is an international law firm recognized for its technology practice and experience in multiple practice areas, including Mergers and Acquisition (the firm has handled over 1,000 M&A transactions since 2010). In a recent post on the Cooley M&A website titled Cybersecurity Diligence in M&A Transactions, Cooley partners Andrew Lustig and Randy Sabett bring clarity to a clear trend in the marketplace: cybersecurity diligence is now a part of the M&A diligence assessment.

Lustig and Sabett put it this way:

Historically, M&A due diligence focused on “traditional” risk areas such as tax, employment and benefits, intellectual property protection, and contracts (inbound and outbound). As technology advanced and software became a more significant, if not the primary, asset due diligence evolved to include such things as software escrow (where a third party may have copies of a target’s source code) and open source software (where ownership of a company’s source code might be tainted by claims by the open source community) among other things. Specialists with substantive knowledge are now often brought in to perform detailed diligence in these technical areas.
Today, it has become apparent that cybersecurity has become one of the areas where substantive diligence should be conducted not just as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. In fact, according to the “Cybersecurity and the M&A Due Diligence Process – A 2016 NYSE Governance Services/Veracode Survey Report,” 85% of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major security vulnerabilities.” In addition, 22% of those surveyed say that they would not acquire a company that had a high-profile data breach, while 52% said they would still go through with the transaction but only at a significantly reduced value. The Verizon/Yahoo! situation and the recent Telstra/Pacnet deal highlights the importance of cybersecurity diligence and the benefits of having carefully-worded contractual provisions to reflect the parties’ negotiated risk-allocation for cybersecurity breaches after a deal is signed.

We have contributed to cybersecurity assessments on both side of M&A transactions. We have helped acquiring firms better understand the digital risks and security posture faced by the firm they are going to acquire, and we have helped firms that want to be in a better position to be acquired ensure they have taken prudent steps to reduce their digital risks.

If you are on the buy side of an M&A deal, you will want to make sure your cybersecurity due diligence delivers the information you need. This includes:

Information that may point to not yet revealed cybersecurity problems
Estimates of the cost to remediate cybersecurity issues
Information on the risk due to cybersecurity issues, including quantification if possible, since it could impact decisions on whether to consummate the deal or negotiate down the purchase price
Indications of compliance problems
Understanding of security frameworks/approaches
Understanding of the security architecture
Awareness of breaches and how they have been responded to

If you are on the sell side of an M&A the information above should motivate you to focus on your security posture. Other considerations include:

Does your entire executive team understand their role in cybersecurity?
Do you have strong governance (policy, process, leadership) that supports your security compliance requirements (which may well include, for example, the Gramm-Leach-Bliley Act (GLBA), FFIEC, FINRA, FISMA, HIPAA, HITECH, Fair Credit Reporting Act (FCRA), and others
Do you have an up to date, actionable cybersecurity policy? Do you have an incident response plan? Do you have a privacy policy that is actionable and applied?
What is the status of your technical defenses?
Have you had appropriate independent verification and validation of your approach to cybersecurity?

Whether you are on the buy side or the sell side of an acquisition, we recommend you start with a cybersecurity assessment to cover all aspects of cybersecurity people, process and technology.

Also see:

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

Give Your Career A Boost By Learning From Experienced Decision Makers

Our video and audio podcast, the OODAcast, provides content that can help accelerate your career and improve your decision making. The series is based on interviews of some of the greatest most accomplished enterprise technologists we can find. We ask questions designed to pull out lessons applicable to accelerating the career of any professional. We […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Please help spread the word: USNI and NIP Essay Contest: This year’s challenge area a key one for the nation

Please help share the content at this link to any thinker/writer you know: 2020 Information Warfare Essay Contest This contest is open to all contributors, active-duty, military, reservists, veterans, and civilians. Generally the winners have had a solid understanding of the nature of modern conflict, but really any thinkers/writers should look over the contest and […]

Centripetal wins historic $2.6-$3.2 Bil vs. Cisco Systems; largest US patent infringement award to date

Editor’s note: I am proud to say I have a history with Centripetal Networks serving on their board and then later as an advisor. It was horrible to learn that a Tech Titan like Cisco was infringing on their patents. It is good now to see when the facts were reviewed justice was done. -bg […]

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient? HBO has a […]

Related