M&A Due Diligence Must Include Cybersecurity Considerations

Mergers and acquisitions (M&A) are a regular occurrence in the business world. And while we’re all familiar with concept of due diligence when it comes to judging the financial performance of another company, it’s time for enterprises to start applying that same level of scrutiny to the cybersecurity capabilities of a potential acquisition. A thorough review of an acquisition’s security architecture, processes and policies should be a firm requirement for any M&A process.

But where should the cybersecurity due diligence process begin? As a CISO, I recommend that companies start by confirming their acquisition target’s past investments in cybersecurity were made in a manner commensurate with the growth of the company.  Ask the following:

• Have baseline investments been made not just in detection controls but also in more proactive and preventative measures to protect data?
• Have investments been made in ensuring that Information Security staff are on hand to support the management of risk?
• Have non-IT employees gone through cybersecurity training?
• Can acquirers establish with confidence that the company being assessed has not already been breached?

Due diligence should be maintained throughout the entire M&A process, particularly before information about the activity goes public. While I don’t have specific numbers, I think it’s safe to assume that there have been situations in which a hacker or less than scrupulous employee have hacked an enterprise network in search of material information they could exploit for their own financial gain before news of an M&A became public. The fallout of such activity could be extreme, so it’s important that acquirers and those looking to be acquired consider and implement the appropriate cybersecurity controls to ensure proprietary information doesn’t leak.

The constant stream of security breaches in the news have gained the attention of executive leadership and boards of directors who are now looking to their CSOs/CISOs to minimize their risk exposure when contemplating major business moves like an M&A.

I would encourage my fellow CISOs (or any other executive looking for guidance and recommendations around cybersecurity policy guidance) to visit SecurityRoundtable.org, a community designed to share best practices, use cases and expert advice to help executives better manage cybersecurity risk.

Lucas Moody

[Palo Alto Networks Research Center]