Mergers & Acquisitions Risk Assessment

Conduct due diligence on cyber security for merger and acquisition targets

Organizations pursue mergers and acquisitions (M&A) to develop strategic business advantages as a result of gaining or consolidating personnel, technology or intellectual property. Companies, as part of their due diligence, investigate the potential business impact and risks from the merger or acquisition in a number of areas, including financial, legal and intellectual property. But they don’t always fully explore the consequences of combining the cyber security practices and technologies of two different organizations.



The M&A Risk Assessment helps companies evaluate multiple security programs and address compatibility issues and potential security gaps. FireEye experts analyze and measure the acquisition environment and risk levels across four critical security domains so you can make informed decisions about how to smoothly secure the transitional and post-M&A environment.

Our Approach

FireEye evaluates your organization’s cyber security programs across four core security domains:

  • Data safeguards, to examine how the data protection framework helps identify and classify high-risk information assets
  • Access control, to review how policies and procedures reduce the risk of inappropriate access to sensitive data
  • Threat detection and response, to see how current deployments detect, analyze, escalate, respond to and contain advanced attacks
  • Infrastructure security, to understand how endpoints are managed to reduce the risk of compromise

“A close examination of a company’s exposure to cyber risk during the merger, acquisition or investment process is no longer optional. In fact, not doing so — or failing to structure transactions in a way that adequately manages existing and potential cyber threats — invites significant financial and legal challenges further down the line.”

- Brian Finch, Partner and Global Security Practice Co-Chair, Pillsbury Winthrop Shaw Pittman LLP

Cyber security during organizational growth

Combining the cyber risk of two different organizations dramatically increases the risk for both. In addition to different vulnerabilities and security gaps, each organization may have different security priorities that must be reconciled. When reviewing the security maturity and posture of organizations involved in M&A, FireEye can provide deeper insights through supplemental services to clearly identify immediate risk. We offer two types of assessments:

  • Limited Compromise Assessment: a light-touch, technical assessment of the network for signs of anomalous activity.
  • Compromise Assessment: a detailed analysis of the acquisition environment for the presence of past or current attacker activity.

After an acquisition or merger, organizations continue to develop and refine their security program. FireEye and Mandiant can provide customized, continuous monitoring to help evolve an organization’s cyber security posture. Recommended services include:

  • Response Readiness Assessments
  • Threat Intelligence-Based Risk Profiles
  • Tabletop Exercises
  • Security Program Assessments
  • Managed Defense

What you get

  • Two-page report
  • Risk ratings and maturity scores for each company involved in the merger or acquisition
  • High-level recommendations for longer-term improvement

Benefits of Cyber Security Diligence in Mergers and Acquisition

This white paper examines the cyber security risks in mergers and acquisitions and the due diligence that should be standard practice.


Watch Our On-Demand Webinar - Cyber Security: The Achilles Heel of M&A Due Diligence

This webinar details why cyber security due diligence is critical before merging with or acquiring an organization.
