As businesses evolve through mergers and acquisitions (M&A), the constantly changing technology landscape continues to challenge companies and their acquirers. This underscores the ongoing need to perform cybersecurity (cyber) and information technology (IT) due diligence: an acquirer must understand the nature and significance of the target business's vulnerabilities, the impact those vulnerabilities could have, and the cyber program already in place to mitigate the resulting threats.
Know Before You Acquire
Acquirers must take a risk-based approach to IT due diligence and have a process in place to evaluate the current threat landscape and identify the threats facing the business being acquired. The landscape varies by industry and region, and higher-risk transactions warrant a greater level of scrutiny, but the same process can be applied to other businesses already in the portfolio and reused when assessing new M&A opportunities.
For highly active private equity firms, it’s critical to continuously inject IT due diligence into the transaction lifecycle. This allows such firms to engage cybersecurity or other experts at critical points to more effectively identify and mitigate risk to their potential and existing businesses.
When and What to Assess
Knowing when to bring in the right experts is a critical component of any well-run M&A due diligence strategy. Here are a few key indicators to consider when deciding whether to engage cyber or other IT experts:
Technology is Core to the Business – If the target organization is a technology software or solution provider, IT due diligence is a must. Engage IT experts who understand software development best practices and application security to confirm that the systems were built using sound practices and to identify any vulnerabilities before the deal closes. Be sure to consider the target organization's use of open-source software and code within its solution, including which components and versions are in use and the licenses attached to them.
Secret Recipes Need to Stay Secret – Chances are the target organization has a unique method, process or technology that has given it a competitive edge over the years. In that case, potential acquirers will want to know whether the target organization has been breached previously or, in practical terms, how easy it would be to break into the organization. Engage cyber experts who can review company IT systems and logs for indicators of compromise from prior breaches, keeping in mind that such a review can only reach as far back as the target's log retention. Also consider engaging cyber experts to perform a corporate network penetration test to see how the environment holds up against common attacker techniques.
Big Brother is Watching – If the target organization is subject to regulatory oversight, it may be exposed to a range of legal, financial and operational risks. For example, in the healthcare industry, noncompliance with Health Insurance Portability and Accountability Act (HIPAA) rules can expose an organization to major fines as well as additional regulatory oversight and scrutiny.
Usage of Consumer Data – Emerging regulatory frameworks, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), may have a substantial and as yet unrealized future impact on the target organization. Current business practices that are lawful today may become unlawful or impermissible as the privacy and legal landscape evolves.
Other Areas to Assess
In the ongoing effort to mitigate IT risks in M&A, other areas that acquirers may consider assessing include:
Cybersecurity program/framework adoption (NIST, ISO, CIS Controls (formerly the CIS Top 20), etc.)
Third-party risk management and supply chain risks
Security controls for protection and detection of threats
Security and privacy controls in products and services offered
Sensitive data security controls
Data privacy programs
Prior risk assessments
History of data breaches
Failing to assess IT risks during an M&A transaction can cripple a business's reputation and future growth before they even start, through unforeseen and costly technology integrations, unexpected liabilities, inherited data exposures or breaches, and an overall increase in enterprise risk. An effective IT due diligence program can therefore have a major impact on the value the acquirer places on the target company and on the overall structure of the transaction.
If you have questions related to M&A or IT due diligence for an upcoming transaction, we welcome the opportunity to discuss your specific situation.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.