Let’s say Company X wants to purchase Company Y. If Company X is smart, it will not only be looking at Company Y’s financials, structure, culture and more to determine value and strategic fit. Company X will also be taking a long, hard look at Company Y’s cybersecurity posture.

How often do the Company Xs of the world — the buyers — take that long, hard look at a seller’s cybersecurity capabilities these days? The short answer is, not often enough. Due diligence is too often treated as a defensive strategy that provides a broad, high-level view of the investment — with cybersecurity often left out in the cold.

What’s more, when the buyer does look, it often doesn’t look carefully enough. The target may have spent a lot of money on high-end cybersecurity tools and technology. That’s attractive, right? Sure — if it has been properly implemented, well-maintained, regularly updated, and kept in compliance with all applicable laws and regulations. If it hasn’t, the target may be badly compromised. Post-deal, it will also cost the buyer significant time and money to fix those problems.

The bottom line here is obvious: in mergers and acquisitions, due diligence needs to serve as an offensive strategy that includes a rigorous cybersecurity assessment, to make sure the buyer gets the value it’s paying for.
And, before pursuing a divestiture or sale, the seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and sweeten the deal.

Buyer beware

The fundamental questions for buyers during due diligence, then, are “What cybersecurity measures does the target have in place?” and “Are they the cybersecurity measures that should be in place?” Too many companies don’t ask these fundamental questions, and those that do often lack the perspective needed to assess the risk and potential improvement or remediation cost that they’re taking on.

“The single most important thing buyers can do is to get out in front of this problem,” says Micky Houston, Deal Advisory’s Information Technology lead at KPMG. “It is vital to establish the maturity of cybersecurity systems of a target before the purchase takes place and examine if the company performs penetration testing, security compliance process validation and regulatory control reviews — all of this and more needs to be done.”

Houston adds, “While cyber systems are undergoing those tests, a number of additional factors need to be assessed: the security policy already in place, the structure of the security architecture, the limitations and safeguards for local and remote access, the frequency with which maintenance and updates are applied, who conducts them, and how the client identifies and deals with red flags.”

Best sellers

This level of due diligence behooves prospective sellers too, who can ultimately maximize their sale price by examining their cybersecurity capabilities.
Demonstrating rigorous cybersecurity preparation is a sign of the company’s maturity and instills confidence in buyers — making the company more marketable and delivering more value to the buyer.

“When pursuing a transaction, sellers may also carry out their own deep analyses to detect vulnerabilities and identify problematic areas beforehand, ensuring that they have the security processes to assure compliance and a sound structure to perform updates. A seller’s cybersecurity analysis should not only recognize present dangers but also be robust enough to predict and evolve to stay ahead of disasters that could happen during the integration phase.”

Houston adds, “Sellers should consider not just how secure systems are currently, but also how secure they will remain post-close.”

The purpose of due diligence has always been to decrease risk for both parties involved in the transaction process, identify value creation strategies that will increase returns, and ultimately, help quantify overall value. When companies include cybersecurity as a key piece of their due diligence processes, buyers can find the targets’ vulnerabilities and strengths to ensure they get the post-close value they’re looking for, and sellers can enhance their marketability by examining their own systems and finding their own weaknesses.

The most dangerous thing two merging companies can have is a false sense of cybersecurity.