Cybersecurity considerations across the life cycle of a deal

Why cybersecurity factors into deal considerations

Businesses today operate in a digital world. This means that technology has a significant role in day-to-day operations, interactions with customers and the integrity of financial information. If an organization has not properly maintained its technology, including the security of that technology, then the fundamentals of a transaction and the associated value of the acquisition could be compromised. In fact, 80% of global dealmakers have uncovered data security issues in at least 25% of their mergers and acquisition (M&A) targets in the previous two years [1].

Additionally, many organizations today outsource all or part of their IT services to third-party service providers. These service providers provide a full spectrum of services from hardware and software installation to managing user access and even helpdesk support. However, just because an organization has outsourced all or part of the IT services does not mean they have mitigated the risk to those services.

Focusing on technology services and cybersecurity concerns during a deal allows the acquiring organization to be more confident in their purchase. Purchasing organizations with a more in-depth understanding of the technology, risks and third-parties supporting their target’s business operations have a stronger likelihood of a successful transition during post-deal closing activities.

Phases of a deal and where cybersecurity factors in

Pre-deal activities

Even before the organization considers the purchase of another company, there are technology and cybersecurity matters to investigate. Using publicly available information on target companies, buyers should investigate whether the target company has:

• Had a publicly disclosed data breach
• A named Chief Information Officer (CIO) or Chief Technology Officer (CTO)
• A designated Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
• A named Data Privacy/Protection Officer (DPO) if data privacy is a concern (e.g., the target operates in Europe or in marketing/retail)
• A privacy policy listed on its website