Cyber Due Diligence for M&A Transactions

When organizations do not complete a detailed cyber evaluation of target companies before a merger or acquisition, they risk significant financial and legal challenges.


Mergers and acquisitions give organizations the potential to increase capabilities, diversify offerings and expand market share, but they also present considerable risks. While companies typically review financial, strategic, legal and operational details before completing an M&A transaction, another important concern is often overlooked: cybersecurity.

When organizations do not complete a detailed cyber evaluation of target companies before a merger or acquisition, it can create an unnecessary risk – one that can result in significant financial and legal challenges. A data breach could not only threaten a company’s business assets and functions but also lower its profits, market value and brand reputation, potentially resulting in significant (and costly) litigation and regulatory enforcement actions.

Why is cybersecurity due diligence important?

Conducting cybersecurity due diligence before a merger or acquisition helps companies accurately assess risk before taking on liability and identify any issues that might warrant restructuring the purchase agreement.

Before integrating its network with a target company’s network, an organization should identify the target’s IT assets, systems, software, websites and applications, whether proprietary or third-party, and know how that company’s data or personal information (PI) is stored and processed. These post-acquisition processes are fundamental to building a comprehensive strategy for incorporating or updating an acquired business’s information technology after closing.

Additionally, for businesses that collect, store or process non-U.S. workforce, customer or consumer data, it is important to understand whether that data is generated by, stored in or exported to personnel or servers located in other countries or U.S. jurisdictions. Such data may be subject to the laws of multiple jurisdictions, and other regulations might govern whether and how it can be transferred across borders post-merger.

Given the continuous evolution of cyber threats and data protection laws, due diligence investigations should also look beyond a target’s cybersecurity and compliance programs and focus on the target’s overall culture of information security and data privacy. Although a target company may not be currently violating any data protection laws, it is important to understand and assess whether it has the institutional framework in place to recognize new regulatory requirements and adjust its policies and procedures accordingly. In turn, buyers should determine whether the target has an internal, information governance structure and, if so, whether that structure is capable of effecting meaningful change throughout the organization in response to new cyber and privacy rules and regulations. Organizations with internal information governance structures are often able to easily adapt to changes in the law and to mitigate the monetary and reputational costs related to legal noncompliance.


Important cybersecurity due diligence: key questions and considerations

From networks and systems to cyber evaluation to data incidents, there are many considerations that should be part of an acquiring company’s due diligence. The following areas may prove helpful in examining these complex issues:

Networks and systems

The target company should provide documentation about its network and system architecture and data flows, including its use of cloud providers and third-party applications, so that the acquiring company can assess the target’s attack surface and vulnerabilities. This allows the acquiring company to understand what types of data the target company’s systems store and to identify which sensitive information that can be connected to a specific person (e.g. Social Security and driver’s license numbers, credit/debit card information, health details and usernames/passwords) those systems hold.

Once it has been determined that the target company stores this type of data, the acquiring company should assess the security controls currently protecting that information (e.g. multi-factor authentication or access controls).

Lastly, the acquiring company should identify any on-premises servers or cloud storage that hold sensitive personal information. If these servers are owned and operated by third-party service providers, it is important to understand how each vendor manages the confidentiality and security of the target company’s data. It is also important to know whether the target relies on legacy applications or providers for critical functions that are subject to long-term contracts or that would be difficult to port to an alternative platform.

Cybersecurity and Technical Controls

The acquiring company should inquire how often the target company conducted privacy impact assessments, vulnerability scans, penetration tests or SOC audits to assess the types of risk the target company faces based on its industry sector, geographic reach and the nature of the products or services it manufactures, develops or provides. This type of inquiry gives the acquiring company a comprehensive understanding of the target company’s security controls leading up to the acquisition.

Furthermore, this type of assessment provides insight into the target company’s data loss prevention program, anti-virus and anti-malware solutions, endpoint detection and monitoring, multi-factor authentication, geo-fencing, data encryption, patch management and vendor management, and it allows evaluation of the target company’s business continuity or incident response plan, if one exists.

It also is important to understand the kinds of educational and training programs the target company has in place to educate its workforce about the importance of cybersecurity and improve its resistance to cyber incidents.


Data incidents, complaints and governance

Corporate governance and data incidents are just as important as the target company’s security controls. To round out its due diligence, the acquiring company should inquire about prior incidents of unauthorized access to, or misuse, modification, exfiltration or disruption of, the target company’s information systems or proprietary technology systems, including any data stored on those systems, and whether those matters were remediated. The due diligence process should also establish the target company’s data governance by asking how its president, CEO, board and other senior leadership view their responsibility for data protection, and how frequently they have initiated cybersecurity training among the workforce.

Although these considerations can be time-consuming, it is important that businesses complete their cybersecurity due diligence before any merger is finalized. Cyberattacks continue to increase in frequency and severity, and a data breach can be devastating to any organization.

John Butler

John Butler is a director, cyber industry leader at CNA, where Butler collaborates with cross-functional stakeholders in managing the overall cyber portfolio and underwriting strategy.

Butler has worked in the insurance industry for 20 years in various underwriting and leadership roles. He has achieved two insurance designations — RPLU+ and CPLP — from the Professional Liability Underwriting Society.
