Protecting Deal Value: A Cybersecurity Point of View
Managing Cybersecurity-Related Merger and Acquisition Risks
Once typically excluded from the mergers and acquisitions (“M&A”) due diligence checklist, cybersecurity has bubbled up as incidents of data breaches in recent years have rippled through the business world, exposing vulnerabilities in information technology (“IT”) infrastructure and systems, and resulting in many millions of dollars in damages.
A successful post-acquisition process entails integrating the IT infrastructure and applications of the two organizations. The data elements to be protected by each organization include sensitive employee/customer information, sources and storage of data, and intellectual property. Despite their paramount importance, cybersecurity is often underrepresented on what is already a lengthy due diligence list. Cybersecurity is not often evaluated and prioritized by management with the same rigor as other deal components such as financials, tax, and legal, during both the preacquisition due diligence and integration processes. This introduces risks that, if not identified and mitigated early, might have high impact on deal value realization.
To help management understand whether either company involved in the transaction falls into a high-risk category from a cybersecurity perspective, listed below are five key elements to check the transaction for:
- Is it a cross-border transaction that warrants data compliance considerations, such as GDPR?
- Is a company with a traditional IT environment acquiring another with SaaS-, PaaS- or IaaS-based environment?
- Is a company with conventional data warehouse/business intelligence capabilities acquiring a company with a focus on Big Data?
- Is Internet of Things (“IoT”) capability a fundamental consideration in IT and operations?
- Have the companies involved had any notable security incidents in the past that were publicized or subject to litigation?
This paper will focus on M&A-driven IT integration and offer an approach to tackle some of the most pressing issues in the cybersecurity arena.
Senior Managing Director