Companies assessing an acquisition target have innumerable measurements to take. From the proposed acquiree’s financial records, product roadmaps, and operational processes, to sales and marketing activities, legal issues, and people procedures, the list of due diligence activities seems endless. And while most companies consider the business benefits of merging two companies’ data records (e.g., customer lists) and departmental systems (e.g., customer database), fewer think about the quality and security state of the technology assets they’re about to inherit. At a deeper, more fundamental level, most companies aren’t even appropriately equipped with a full technology asset inventory of the environment(s) they might acquire.
Nonetheless, failing to obtain a thorough asset inventory and conduct proper IT and cybersecurity due diligence leaves an acquirer open to all flavors of business and operational risk (aside from the obvious cyber risk). According to a survey on acquisitions by Forescout, “Only 36% of respondents strongly agree that their IT team is given time to review the company’s cybersecurity standards, processes, and protocols before their company acquires another company.” What’s more, the study goes on to say that only 37% of IT decision makers feel their team is equipped to conduct a cybersecurity assessment for the purpose of acquisition.
Still, as technology is the underpinning of most companies’ operations and the information repositories upon which strategic decisions are made, cyber due diligence is mandatory. Without it, acquirers could miss the insights that put their companies at serious risk — even outside of the cyber realm.
For instance, in 2017 Yahoo! disclosed to its then-acquirer, Verizon, that its internet business had suffered three data breaches resulting in the loss of 3 billion customer account records. The acquisition price was consequently decreased by $350 million USD. In April 2020, Diamond Eagle Acquisition Corporation renegotiated terms with SBTech, an online betting company, after it was revealed that the acquisition target had been the victim of a recent ransomware attack. The total cost to SBTech: $30 million USD. There are several additional examples in which acquirers had to deal with the fallout from a breach following an acquisition, resulting in time spent, resources drained, and money lost, all because due diligence wasn’t completed. Regardless, new technology integration introduces the potential for vulnerabilities and thus heightened risk.
Cybersecurity due diligence can’t be boiled down to an easy checklist of steps, but there are a few things both potential acquirers and acquirees can do to get ready for a merger or acquisition.
For the acquiring company:
For the to-be-acquired company, the to-dos should be focused on the same items and activities to meet your potential acquirer’s needs or demands: