Defining Cyber Security Risk in M&A Due Diligence

In our latest blog on the new M&A Risk Assessment service, we discussed why cyber security risk should be accounted for in M&A due diligence. In this blog we define a little more explicitly what cyber security risks look like.

There are standard clauses in purchase agreements to protect the buyer, for good reason. Any litigation, workforce issues, violation of environmental regulations, and other negatives must be known and accounted for, in order for deals to make sense at the agreed-upon price. But cyber security risks are generally unaccounted for.

So what do cyber security risks look like? The following are just some of the cyber security risks that buyers can run into:

  • Ongoing Breach: Probably the worst-case scenario – the target company is “owned” by an unknown attacker: any sensitive data or intellectual property might already be gone, and a public relations problem is looming. Not only is the value of the acquisition damaged, but also now the buyer must deal with the fallout, which can be a very expensive undertaking.
  • Unrevealed Previous Breach: The target company suffered a breach in the past that is revealed to the buyer after the purchase. This is similar to the ongoing breach in that valuable data may have been lost, and the intruder could still be in the network.
  • Persistent Intruder: The target company is host to an attacker that maintains their presence in the environment, watching and waiting. Now the purchasing company might be hosting them as well.
  • Disruption Attacks: Over the past year, Mandiant responded to incidents where attackers destroyed critical business systems, leaked confidential data, held companies for ransom, and taunted executives. Is the target company vulnerable to such attacks? What is the threat landscape? Have there been denial of service (DoS) attacks in their past?
  • Dirty Environment: While not necessarily as dangerous as a targeted attack, an environment that shows significant amounts of common malware will need cleaning and improved protection and detection capabilities.
  • Inadequate Security Program: The acquired company has systemic cyber security issues stemming from a weak or nonexistent security program. Weak oversight and guidance will, over time, create vulnerabilities across many security areas that will take time to fix.

If the target acquisition does not have any intellectual property someone else would be interested in, does not rely to any extent on the confidentiality, integrity, or availability of its IT systems, and if customers, stakeholders, and business partners don’t care if a breach happens, then congratulations – you don’t need to be very concerned about cyber security due diligence. For all other situations, though, some level of understanding of cyber security risk can save a lot of trouble and money during and after an M&A.