Don't Acquire the Data Breach - The Importance of Cybersecurity and Information Technology Due Diligence

Co-Authored by: Eric Fair

As businesses evolve through mergers and acquisitions (M&A), the ever-changing technology landscape continues to challenge companies and their acquirers. This highlights the ongoing need to perform cybersecurity (cyber) and information technology (IT) due diligence: it is critical to understand the nature and significance of the target business's vulnerabilities, the impact of those vulnerabilities, and the cyber program already in place to mitigate potential threats.

Know Before You Acquire

Acquirers must take a risk-based approach to IT due diligence and have a process in place to evaluate the current threat landscape and identify any underlying threats to the business being acquired. The landscape may vary by industry or region, and higher-risk transactions require a greater level of scrutiny, but the same process can be applied to other businesses in the portfolio and reused when assessing new M&A opportunities.

For highly active private equity firms, it’s critical to continuously inject IT due diligence into the transaction lifecycle. This allows such firms to engage cybersecurity or other experts at critical points to more effectively identify and mitigate risk to their potential and existing businesses.

When and What to Assess

Knowing when to bring in the right experts is a critical component of any well-run M&A due diligence strategy. Here are a few key indicators to consider when deciding whether to engage cyber or other IT experts:

  • Technology is Core to the Business – If the target organization is a technology software or solution provider, IT due diligence is a must. Engage IT experts who understand software development best practices and application security to confirm that the systems were built using sound practices and are free from vulnerabilities. Also consider the target organization's use of open-source software and code within its solution.
     
  • Secret Recipes Need to Stay Secret – The target organization may have a unique method, process or technology that has helped it gain a competitive edge over the years. In that case, potential acquirers may want to know whether the target organization has been hacked previously or, theoretically, how easy it would be to break into the organization. Engage cyber experts who can review company IT systems and logs for indicators of previous breaches or compromise. Also consider engaging cyber experts to perform a corporate network penetration test to see how its defenses hold up against common attacker methods.
     
  • Big Brother is Watching – If the target organization is subject to regulatory oversight, it may be exposed to a range of legal, financial and operational risks. For example, in the healthcare industry, noncompliance with Health Insurance Portability and Accountability Act (HIPAA) rules can expose an organization to major fines as well as additional regulatory oversight and scrutiny.
     
  • Usage of Consumer Data – Emerging regulatory frameworks, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), may have a substantial future impact on the target organization that has not yet been realized. Current business practices may become unlawful or impermissible as the privacy and legal landscape evolves.

Other Areas to Assess

In the ongoing effort to mitigate IT risk in M&A, other areas that acquirers should consider assessing include:

  • Cybersecurity program/framework adoption (NIST, ISO, CIS Top 20, etc.)
  • Third-party risk management and supply chain risks
  • Security controls for protection and detection of threats
  • Security and privacy controls in products and services offered
  • Sensitive data security controls
  • Data privacy programs
  • Prior risk assessments
  • History of data breaches

Potential Impacts

Failing to assess IT risks during an M&A transaction can cripple a business's reputation and future growth before it even starts, through unforeseen and costly technology integrations, unexpected liabilities, inherited data exposure or breaches, and overall increased enterprise risk. An effective IT due diligence program can therefore have a major impact on the value the acquirer places on the target company and on the overall structure of the transaction.

If you have questions related to M&A or IT due diligence for an upcoming transaction, we welcome the opportunity to discuss your specific situation.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we're especially interested in what you may have to say. If you have a question or a comment about this article, or any article from the Our Thoughts On blog, we hope you'll share it with us. After all, a dialogue is an exchange of ideas, and we'd like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2019 Schneider Downs. All rights reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
