Cyber Due Diligence

Protecting Your Business During a Merger or Acquisition

What’s your target’s cyber health?

“Uncertainty” and “risk” are two words that many business executives use to define the impact of the COVID-19 crisis when assessing an acquisition target’s cybersecurity posture.  However the 451 Research Flash Survey: Coronavirus Impact on Tech Banking, which collected views from some of the industry’s busiest bankers, finds that nearly two-thirds of the busiest bankers expect little to no impact from the pandemic on dealmaking in 2021. Instead, some see the current climate as ripe for companies to evolve either by buying new assets, selling subsidiaries, or raising money to boost their operations.

The Importance of Cyber Due Diligence

With technology at the heart of business, cybersecurity’s importance to individual organizations looms large. In the context of a merger or acquisition (M&A), standard due diligence methods – which assess cybersecurity exposure based on a target’s documented policies – have been proven partially unreliable. These methods are incapable of identifying information being leaked outside the perimeter of the targeted enterprise. This potentially leaking data is an accrued risk for all parties involved. At the onset of building a business, the primary objectives are getting products to market, developing a customer base, and seeing a return on their investment. There is often minimal resource invested in governance, control and compliance. However as the business grows, the importance of security controls to protect the business, particularly when considering a merger or acquisition increases.  The same increased attention to cybersecurity can also be observed when companies are considering divesture a portion of their business. Buyers are keen to know what kind of cybersecurity processes and information controls are in place in the target firm and these only gain in economic relevance during the acquisition process. Having a company with a stable cybersecurity infrastructure provides reassurance to both the buyer and seller. In 2021, as the M&A market comes back to life, many companies will begin critically evaluating the cybersecurity of their businesses. Buyers and sellers will do the same thing – the cybersecurity equivalent of “kicking the tires” to ensure that the policies, practices, and processes have been implemented to stand the test of time.

How to…be ready for Cyber Due Diligence

Mergers and AcquisitionsIn addition to recognizing the value of a firm’s cybersecurity posture throughout the M&A process, there are several additional approaches buying and selling a business can take to maximize the control over their information, inside and outside their firm’s perimeter. Such a holistic approach ideally includes:

Security by design

Security by design is quickly becoming the standard for businesses that want to hone their cybersecurity infrastructure. In this approach, every phase of internal R&D processes – from planning to disposal – are developed with the aim of preventing future cybersecurity risks. Practically, this consists of facilitating the application of least privilege and zero trust policies into a firm’s cyber defence structure, alongside modularity in the design of the security mechanism. 


One of M&A biggest challenges remains IT integration with the target company. With M&A information often shared within small teams for confidentiality, IT departments struggle to visualize and plan for the security environment which will be implemented upon the merger’s completion. This results in lost time and resources for all parties involved. It is fundamental to maximize opportunities for both sides to be on the same page when it comes to cyber security standards. In fact, cybersecurity standards define both functional and assurance requirements within a product, system, process, or technology environment, and solid standards allow consistency among product developers, this serving as a reliable metric when dealing with IT integration. While international cyber security standards such NIST or ISO may be easier to adopt because of their well-established reputation, local security standards must also be considered in M&A processes more related to specific geographical locations.

Adopting a CXO approach

Properly considered, M&A is simply another strategic business decision. In today’s technology-led business environment, a tighter collaboration between C-level executives is crucial for a successful deal, as cyber risks impact not only the security of the firm, but can also imply financial and reputational risks. Challenging the perception that the CEO is and should be the only decision maker when it comes to M&A and expanding the role of the CIO in such M&As assists the organization in driving strategic business conversations towards a more security-minded approach. It also offers a technical perspective on the firm’s cybersecurity confidence during M&A negotiations. This translates into better deals for everyone involved.

Independently assess target’s cyber health

Existing due diligence methods assess cybersecurity exposure based on a target’s documented policies. These methods often lacks information regarding data exposed outside the target’s security perimeter, including: third-party vendors, Shadow IT, and other unknown asset vulnerabilities. An independent evaluation of these unknown risks is crucial when assessing the financial value of the transaction. Doing so not only offers an objective assessment of the target’s cybersecurity exposure, but also provides valuable information regarding the organization’s level of risk in comparison to other firms within that sector. As a result, buyers and sellers are able make an informed decision and draft future strategies for enhancing their firm’s cyber health. CybelAngel’s M&A Cyber Due Diligence Assessment provides a real-world view of a target’s cybersecurity exposure, performing both live and historical scanning & scoring of the target’s data leaks, with visibility across all layers of the internet, including: Connected Storage, Cloud Drives, Clear, Deep and Dark Web, Databases, Code Repositories, etc…all outside the organization’s security perimeter.