Cybersecurity considerations across the life cycle of a deal
Apr 19, 2021 · Authored by Brian Nichols, Eric Wunderlich
Why cybersecurity factors into deal considerations
Businesses today operate in a digital world. This means that technology has a significant role in day-to-day operations, interactions with customers and the integrity of financial information. If an organization has not properly maintained its technology, including the security of that technology, then the fundamentals of a transaction and the associated value of the acquisition could be compromised. In fact, 80% of global dealmakers have uncovered data security issues in at least 25% of their mergers and acquisitions (M&A) targets in the previous two years [1].
Additionally, many organizations today outsource all or part of their IT services to third-party service providers. These providers offer a full spectrum of services, from hardware and software installation to managing user access and even helpdesk support. However, just because an organization has outsourced all or part of its IT services does not mean it has transferred or mitigated the risk to those services; accountability for the security of those services remains with the organization.
Focusing on technology services and cybersecurity concerns during a deal allows the acquiring organization to be more confident in its purchase. Purchasing organizations with a more in-depth understanding of the technology, risks and third parties supporting their target’s business operations have a stronger likelihood of a successful transition during post-deal closing activities.
Phases of a deal and where cybersecurity factors in
Pre-deal activities
Even before the organization considers the purchase of another company, there are technology and cybersecurity matters to investigate. Using publicly available information on target companies, buyers should investigate whether the target company has:
- Had a publicly disclosed data breach
- A named Chief Information Officer (CIO) or Chief Technology Officer (CTO)
- A designated Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
- A named Data Privacy/Protection Officer (DPO) if data privacy is a concern (e.g., the target operates in Europe or in marketing/retail)
- A privacy policy listed on its website
The publicly available data points can help identify any potential red flags going into the deal so that buyers can better evaluate the risk of a potential acquisition target.
19% of companies suffered a malicious data breach due to stolen or compromised credentials [2]
Transaction diligence activities
As discussed in the introduction to this article, technology is an integral part of every business function. Studies show that by 2022, 60% of companies involved in M&A activities will consider cybersecurity a critical factor in their due diligence process [3].
As such, the acquiring organization should plan for technology and cybersecurity diligence assessments to uncover hidden risks that would not be discovered during standard diligence activities. Further, technology and cybersecurity diligence allows the buyer to better understand the operating environment of the target organization it is considering, as well as any unexpected investments that will be needed to improve the target’s cybersecurity posture in order to realize the expected return on the investment.
During technology and cybersecurity diligence, buyers should perform the following key activities:
- Interview the target’s IT leaders and IT operations team to get a full picture of technology strategy and day-to-day operations
- Review a listing of all hardware and software currently deployed within the environment to assess its age, ongoing maintenance costs and how the organization manages its licensing agreements
- Review agreements with outsourced third-party IT service providers to determine their criticality to the ongoing operations of the business, including ongoing costs associated with those services and how costs may change as the company expands
- Review currently implemented cybersecurity solutions to protect the target’s network, servers, end-user devices, mobile devices and data
- Review the target’s business continuity and disaster recovery plans to determine how it would react to and recover from a disaster or other business disruption
- Review the target’s security incident response plan to determine how it monitors, investigates and mitigates cybersecurity threats
By performing the activities above, the acquiring organization will be more informed about the potential risk areas that may impact deal valuation and will need to be mitigated post-transaction.
Post-close activities
Now that due diligence activities have been performed and the transaction has closed, it is time to implement the recommendations from the reviews. While most organizations focus on key operational and financial activities first, the technology and security risks identified cannot be forgotten, as they can significantly impact ongoing business services if left unattended. Upgrades to hardware and security solutions may not seem as critical as finding new management team members, but a business can operate with gaps in its management team; it cannot operate if its internal systems fail, or if a ransomware attack causes the organization to lose access to its data for an extended period of time.
Ongoing and pre-sale activities
IT and cyber threats continue to evolve, and organizations need to continuously monitor changes in their environment and the threat landscape that could cause them to be vulnerable to an attack. This includes ongoing IT and cybersecurity risk assessments. We recommend organizations perform these risk assessments at least annually to determine improvement areas and develop budgets for continued investments. Additionally, organizations should consider annual penetration testing and vulnerability scanning activities to validate the operating effectiveness of their IT procedures and security controls against a cybersecurity attack.
Finally, if an organization is considering the sale of a business unit, having a more secure and stable technology operating environment will make the transaction smoother and provide more confidence to the potential buyer.
Conclusion
Technology and cybersecurity risks are nothing new to business operations. However, they have become an increasing threat to the viability and sustainability of many organizations that have not invested adequately in monitoring and risk mitigation strategies. Whether the focus is on day-to-day operating risks of an organization or purchasing a new business is on the horizon, management of these ever-evolving risks will determine ongoing success and the return on investment.
$2 million = average cost savings for organizations with IR teams and IR testing versus those with no IR teams or testing [4]
For more information on this topic or to learn how Baker Tilly private equity and cybersecurity specialists can help, contact our team.
Source [1] “Venue Market Spotlight.” Donnelley Financial Solutions/Mergermarket survey, Sept. 2017
Source [2] “Cost of a Data Breach Report 2020.” Ponemon Institute, IBM, 2020
Source [3] “Cybersecurity Is Critical to the M&A Due Diligence Process.” Gartner, Inc., 30 Apr. 2018
Source [4] “Cost of a Data Breach Report 2020.” Ponemon Institute, IBM, 2020