Mergers and acquisitions give organizations the potential to increase capabilities, diversify offerings and expand market share, but they also present considerable risks. And while companies usually review financial, strategic, legal and operational details before completing an M&A transaction, another important concern is often overlooked: cybersecurity.

When organizations don’t complete a detailed cyber evaluation of target companies before a merger or acquisition, it creates an unnecessary risk – one that can result in significant financial and legal challenges. A data breach could not only threaten a company’s business assets and functions, but also could lower its profits, market value and brand reputation, and result in significant (and costly) litigation and regulatory enforcement actions.

Why is Cybersecurity Due Diligence Important?

Conducting cybersecurity due diligence before a merger or acquisition helps companies accurately assess risk before taking on liability, as well as identify any issues that might warrant restructuring the purchase agreement.

Before integrating its network with a target company’s, an organization should identify the target’s IT assets, systems, software, websites and applications, whether proprietary or third party, and how that company’s data or personal information (PI) is stored or processed. This inventory is fundamental to building a comprehensive strategy to incorporate or update an acquired business’s information technology post-closing.

Additionally, for businesses that collect, store or process non-U.S. workforce, customer or consumer data, it is important to understand if that data is exported to personnel or servers located in other jurisdictions. Various data protection legal regulations may be implicated and could affect whether and how data can be transferred post-merger.

Given the continuous evolution of cyber threats and data protection laws, due diligence investigations should look beyond a target’s cybersecurity and compliance programs and also focus on the target’s overall culture of information security and data privacy. Although a target company may not currently be violating any data protection laws, it is important to assess whether it has the institutional framework in place to recognize new regulatory requirements and adjust its policies and procedures accordingly. In turn, buyers should determine whether the target has an internal information governance structure and, if so, whether that structure is capable of effecting meaningful change throughout the organization in response to new cyber and privacy rules and regulations. Organizations with internal information governance structures are better able to adapt to changes in the law and to mitigate the monetary and reputational costs of legal noncompliance.

Important Cybersecurity Due Diligence: Key Questions and Considerations

From networks and systems to cyber evaluation to data incidents, there are many considerations that should be part of an acquiring company’s due diligence. The following questions may prove helpful in examining these complex issues.

Networks and Systems

  • Can documentation or information be provided about the target company’s network and system architecture and data flows, including the use of cloud providers and third-party applications?
  • Do any of the target company’s systems store any information that can be connected to a specific person? What about sensitive personal information such as social security and driver’s license numbers, credit/debit card information, health details, and usernames/passwords?
  • If yes, what security controls are in place to protect this information (e.g., multi-factor authentication or access controls)?
  • Does the target company store sensitive personal information on an on-premises server or in cloud storage?
  • Does the target company use any legacy applications or providers for critical functions that are subject to long-term contracts or that would be difficult to port to an alternative platform?

Cybersecurity and Technical Controls

  • What types of privacy/cybersecurity risks does the target company face given its industry sector, geographic reach and the nature of the products or services that it manufactures, develops or provides? How often does it undertake and update its risk assessments?
  • Has the target company conducted any privacy impact assessments, vulnerability scans, penetration tests or SOC audits in the last 24 months?
  • Does the target company have any internal reports on cybersecurity events, reports from external forensics or law firms, or any other evaluation, impact assessment or questionnaire?
  • Does the target company have a written information security program/policy, business continuity plan or incident response plan?

Data Incidents and Complaints

  • Does the target company have processes and procedures for receiving, processing and responding to data requests from its customers, vendors and regulatory officials?

Data Governance

  • Has the target company established an intra-company working group or steering committee to address data privacy and cybersecurity issues?
  • Does the company have a process to track, anticipate, and respond to new data privacy and cybersecurity regulations?
  • How do the President, CEO, Board and other senior leadership within the target company view their responsibility within the context of data protection?
  • Has the company appointed a data protection officer, a data privacy champion, a chief information security officer, or other personnel who are delegated authority to oversee the day-to-day data processing activities of the company?
  • How often does the target company conduct cybersecurity training for its workforce?

Although these considerations can be time-consuming, it’s important that businesses complete their cybersecurity due diligence before any merger is finalized. Cyberattacks continue to increase in frequency and severity, and a data breach can be devastating to any organization.

Meet the Author

John Butler, RPLU+, CPLP, Director – Cyber Industry Leader at CNA Financial

At CNA, John collaborates with cross-functional stakeholders in managing the overall cyber portfolio and underwriting strategy to achieve growth and profitability.

John has worked in the insurance industry for 20 years in various underwriting and leadership roles. He has achieved two insurance designations, RPLU+ and CPLP, from the Professional Liability Underwriting Society, reflecting his commitment to the Professional and Cyber Liability insurance industry.