Article
Cybersecurity considerations across the life cycle of a deal
April 23, 2021 · Authored by Brian Nichols
Why cybersecurity factors into deal considerations
Businesses today operate in a digital world. This means that technology has a significant role in day-to-day operations, interactions with customers and the integrity of financial information. If an organization has not properly maintained its technology, including the security of that technology, then the fundamentals of a transaction and the associated value of the acquisition could be compromised. In fact, 80% of global dealmakers have uncovered data security issues in at least 25% of their mergers and acquisition (M&A) targets in the previous two years [1].
Additionally, many organizations today outsource all or part of their IT services to third-party service providers. These service providers provide a full spectrum of services from hardware and software installation to managing user access and even helpdesk support. However, just because an organization has outsourced all or part of the IT services does not mean they have mitigated the risk to those services.
Focusing on technology services and cybersecurity concerns during a deal allows the acquiring organization to be more confident in their purchase. Purchasing organizations with a more in-depth understanding of the technology, risks and third-parties supporting their target’s business operations have a stronger likelihood of a successful transition during post-deal closing activities.
Phases of a deal and where cybersecurity factors in
Pre-deal activities
Even before the organization considers the purchase of another company, there are technology and cybersecurity matters to investigate. Using publicly available information on target companies, buyers should investigate whether the target company has:
- Had a publicly disclosed data breach
- A named Chief Information Officer (CIO) or Chief Technology Officer (CTO)
- A designated Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
- A named Data Privacy/Protection Officer (DPO) if data privacy is a concern (e.g., the target operates in Europe or in marketing/retail)
- A privacy policy listed on its website
The publicly available data points can help identify any potential red flags going into the deal so that buyers can better evaluate the risk of a potential acquisition target.
