In mergers and acquisitions (M&A), the companies buying or selling need to assess cybersecurity. Credit: Thinkstock Let’s say Company X wants to purchase Company Y. If Company X is smart, it will not only be looking at Company Y’s financials, structure, culture and more to determine value and strategic fit. Company X will also be taking a long, hard look at Company Y’s cybersecurity posture. How often do the Company Xs of the world — the buyers — take that long, hard look at a seller’s cybersecurity capabilities these days? The short answer is, not often enough. Due diligence is too often treated as a defensive strategy that provides a broad, high-level view of the investment — with cybersecurity often left out in the cold. What’s more, when the buyer does look, it often doesn’t look carefully enough. The target may have spent a lot of money on high-end cybersecurity tools and technology. That’s attractive, right? Sure — if it has been properly implemented, well-maintained, regularly updated, and kept in compliance with all applicable laws and regulations. If it hasn’t, the target may be badly compromised. Post-deal, it will also cost the buyer significant time and money to fix those problems. SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe The bottom line here is obvious: in mergers and acquisitions, due diligence needs to serve as an offensive strategy that includes a rigorous cybersecurity assessment, to make sure the buyer gets the value it’s paying for. And, before pursuing a divestiture or sale, the seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and sweeten the deal. Buyer beware The fundamental questions for buyers during due diligence, then, are “What cybersecurity measures does the target have in place?” and “Are they the cybersecurity measures that should be in place?” Too many companies don’t ask these fundamental questions, and those that do often lack the perspective needed to assess the risk and potential improvement or remediation cost that they’re taking on. “The single most important thing buyers can do is to get out in front of this problem,” says Micky Houston, Deal Advisory’s Information Technology lead at KPMG. It is vital to establish the maturity of cybersecurity systems of a target before the purchase takes place and examine if the company performs penetration testing, security compliance process validation and regulatory control reviews — all of this and more needs to be done.” Houston adds, “While cyber systems are undergoing those tests, a number of additional factors need to be assessed: the security policy already in place, the structure of the security architecture, the limitations and safeguards for local and remote access, the frequency with which maintenance and updates are applied, who conducts them, and how the client identifies and deals with red flags.” Best sellers This level of due diligence behooves prospective sellers too, who can ultimately maximize their sale price by examining their cybersecurity capabilities. Demonstrating rigorous cybersecurity preparation is a sign of the company’s maturity and instills confidence in buyers — making the company more marketable and delivering more value to the buyer. “When pursuing a transaction, sellers may also carry out their own deep analyses to detect vulnerabilities and identify problematic areas beforehand, ensuring that they have the security processes to assure compliance and a sound structure to perform updates. A seller’s cybersecurity analysis should not only recognize present dangers but also be robust enough to predict and evolve to stay ahead of disasters that could happen during the integration phase.” Houston adds, “Sellers should consider not just how secure systems are currently, but also how secure they will remain post-close.’” The purpose of due diligence has always been to decrease risk for both parties involved in the transaction process, identify value creation strategies that will increase returns, and ultimately, help quantify overall value. When companies include cyber security as a key piece of their due diligence processes, buyers can find the targets’ vulnerabilities and strengths to ensure they get the post-close value they’re looking for, and sellers can enhance their marketability by examining their own systems and finding their own weaknesses. The most dangerous thing two merging companies can have is a false sense of cybersecurity. Related content opinion CEO and CIO cyber disconnect: Fixing the communications breakdown In this new business environment, to help their organizations bolster their cyber security protections and also boost their careers, CIOs must find ways to communicate more effectively and consistently with their CEOs and the board. By Tony Buffomante Aug 21, 2018 5 mins CIO IT Leadership opinion Emerging technology adoption: striking a balance between innovation and risk management Companies that are transforming themselves and enabling emerging and disruptive technologies can take four initial but concrete steps to strike the right balance between innovation and risk management. By Phillip Lageschulte Jul 20, 2018 4 mins Innovation Risk Management Emerging Technology opinion Onshore vs. offshore: 8 trends driving IT support back home When it comes to IT outsourcing, more companies are reporting plans to increase spending nearer to their own shores than u201coffshore.u201d This has several implications for CIOs and IT leaders. By Randy L. Wiele Jun 08, 2018 4 mins Technology Industry IT Skills IT Strategy opinion Comply today and realize value tomorrow: GDPR readiness day one and beyond This blog is dedicated to detailing the capabilities your organization needs to comply with General Data Protection Regulation (GDPR) and, eventually, to operationalize and enhance your privacy compliance and processes. By Tony Buffomante Apr 10, 2018 4 mins Regulation Government Technology Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe