Co-Authored by: Eric Fair
As businesses evolve through mergers and acquisitions (M&A), the ever-changing technology landscape continues to provide a challenge to companies and their acquirers. This highlights the ongoing need to perform cybersecurity (cyber) and information technology (IT) due diligence, since it’s critical to understand the nature and significance of the targeted business’s vulnerabilities, the impact of these vulnerabilities and the existing cyber program in place to mitigate potential threats.
Know Before You Acquire
Acquirers must take a risk-based approach to IT due diligence and have a process in place to evaluate the current threat landscape to identify any underlying threats to the business being acquired. The landscape may vary by industry or region, and higher risk transactions require a greater level of scrutiny, but the process can be applied to other businesses in the portfolio and used when assessing new M&A opportunities.
For highly active private equity firms, it’s critical to continuously inject IT due diligence into the transaction lifecycle. This allows such firms to engage cybersecurity or other experts at critical points to more effectively identify and mitigate risk to their potential and existing businesses.
When and What to Assess
Knowing when to inject the right experts is a critical component to any well-run M&A due diligence strategy. Here are a few key indicators to consider when making the decision to inject cyber or other IT experts:
- Technology is Core to the Business – If the target organization is a technology software or solution provider, IT due diligence is a must. Engage IT experts who understand software development best practices and application security to confirm that the systems were built using sound practices and to assess them for vulnerabilities. Also consider the target organization’s usage of open-source software and code within its solution.
- Secret Recipes Need to Stay Secret – Chances are the target organization has a unique method, process or technology that has helped it gain its competitive edge over the years. In that case, potential acquirers may want to know whether the target organization has been hacked previously or, theoretically, how easy it would be to hack into the organization. Engage cyber-experts who can review company IT systems and logs to look for indicators of previous breaches or compromise. Also consider engaging cyber-experts to perform a corporate network penetration test to see how the organization holds up against common hacker methods.
- Big Brother is Watching – If the target organization is subject to regulatory oversight, it may face legal, financial and operational risks. For example, in the healthcare industry, noncompliance with Health Insurance Portability and Accountability Act (HIPAA) rules can expose an organization to major fines as well as additional regulatory oversight and scrutiny.
- Usage of Consumer Data – Emerging regulatory frameworks, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), may have a substantial, as-yet-unrealized future impact on the target organization. Current business practices may become unlawful or impermissible as the privacy and legal landscape evolves.
Other Areas to Assess
In the ongoing effort to mitigate IT risks in M&A, other areas that acquirers may consider assessing include:
- Cybersecurity program/framework adoption (NIST, ISO, CIS Top 20, etc.)
- Third-party risk management and supply chain risks
- Security controls for protection and detection of threats
- Security and privacy controls in products and services offered
- Sensitive data security controls
- Data privacy programs
- Prior risk assessments
- History of data breaches
The failure to assess IT risks during M&A transactions can cripple a business’s reputation and future growth before it even starts, through unforeseen and costly technology integrations, unexpected liabilities, inherited data exposure or breaches, and increased overall enterprise risk. An effective IT due diligence program, then, can have a major impact on the value the acquirer places on the target company and on the overall structure of the transaction.
If you have questions related to M&A or IT due diligence for an upcoming transaction, we welcome the opportunity to discuss your specific situation.