Protecting Deal Value: A Cybersecurity Point of View

Managing Cybersecurity-Related Merger and Acquisition Risks

Once typically excluded from the mergers and acquisitions (“M&A”) due diligence checklist, cybersecurity as a list item has gained importance as incidents of data breaches in recent years have rippled through the business world, exposing vulnerabilities in information technology (“IT”) infrastructure and systems and resulting in many millions of dollars in damages.

A successful post-acquisition process entails integrating the IT infrastructure and applications of the two organizations. The data elements to be protected by each organization include sensitive employee/customer information, sources and storage of data, and intellectual property. Despite the paramount importance of these elements, cybersecurity is often minimized on an already lengthy due-diligence list.

Cybersecurity is not often evaluated and prioritized by management with the same rigor as other deal components such as financial, tax, and legal items during both the pre-acquisition due diligence and integration processes. This introduces risks that, if not identified and mitigated early, might have a high impact on value realization.

To help management understand whether either company involved in the transaction falls into a high-risk category from a cybersecurity perspective, listed below are five key questions to ask regarding the transaction:

Is it a cross-border transaction that warrants data compliance considerations such as GDPR?
Is a company with a traditional IT environment acquiring one with a SaaS-, PaaS- or IaaS-based environment?
Is a company with conventional data warehouse/business intelligence capabilities acquiring a company with a focus on Big Data?
Is Internet of Things (“IoT”) capability a fundamental consideration in IT and operations?
Have the companies involved had any notable security incidents in the past that were publicized or subject to litigation?

This paper will focus on M&A-driven IT integration and offer an approach to tackle some of the most pressing issues in the cybersecurity arena.