Cybersecurity and M&A: Three Answers You Need Right Now

If you’re starting or even just considering a merger or acquisition, there are three cybersecurity questions you should be asking. Even more important are the answers to those questions, which we’re providing below. And if you’re already undergoing M&A activities, then keep reading and make sure you’re addressing your cybersecurity due diligence needs!


1. Why is cybersecurity due diligence important for M&A?

During mergers and acquisitions (M&A), companies need to ensure that they are not acquiring undisclosed cybersecurity risks along with the target. Cybersecurity due diligence helps identify the risks associated with the company being acquired, allowing the acquiring company to make an informed decision. An acquiring company is typically looking to assess risk in the following areas:

  • Protecting sensitive information: Companies collect and store a vast amount of sensitive information, such as financial information, personal data, and intellectual property. If this information is compromised, it can result in significant damage to the company’s reputation or financial loss, which may lead to a lower valuation of the target company.
  • Legal compliance: Many industries are subject to regulatory requirements regarding the protection of sensitive information. Failure to comply with these regulations can result in fines, legal liability, and damage to the company’s reputation. Cybersecurity due diligence helps to identify areas where a company may be non-compliant and ensures that appropriate steps are taken by the target company to meet legal requirements before acquisition.
  • Business/operational integration: Many companies have successfully completed an M&A “on paper”, but the true test of a successful M&A is how well the merged entity goes on to integrate its operations and expand its business. Cybersecurity due diligence helps ensure a smooth integration of IT infrastructure by identifying critical cybersecurity risks and threats that may arise during the integration process and addressing them before they become problems.

2. When should you conduct cybersecurity due diligence?

Cybersecurity due diligence is not just a pre-acquisition activity. Cyberthreats can and do occur at any point in the acquisition process, whether before, during or after the deal, since cybercriminals do not stop probing for weaknesses just because the legal or financial paperwork has been completed.

We recently conducted cybersecurity due diligence for a customer who had already acquired a company and was in the middle of their IT integration. While it might seem too late to perform due diligence, this customer was very prudent in wanting “to make sure we did not acquire a rotten apple.” Within 24 hours, CybelAngel’s team discovered that the acquisition target had suffered a recent ransomware attack and that its documents had been exposed on the dark web. The fact that the documents were already available meant that the attack had taken place at least a few weeks earlier, as there is usually some latency between the attacker demanding a ransom and releasing the stolen data, to allow time for negotiations.

It was extremely foolish and risky for the acquisition target not to disclose that it had been ransomed. The acquiring company would have found out sooner or later, so the target was only delaying the inevitable while exposing both companies to tremendous risk. Damage had already been done by the exposure of confidential documents, but the potential future damage was even greater: the two companies were about to integrate their IT infrastructure, which included servers and computers that had been infected with ransomware. What if the attacker was still inside the network? The risk of the merged entity suffering another attack is very real. Most companies that have been victims of a ransomware attack are targeted again, sometimes by the same ransomware group.[1]

3. Which industries have the most cybersecurity risks during M&A?

CybelAngel has conducted extensive research on how cybersecurity risks vary across industries during M&A. Our findings showed that the most at-risk industries are:

  • Energy
  • Heavy industries
  • Construction & manufacturing
  • Financial services

This is not surprising, as M&A deals in these industries often carry the highest stakes. Energy and financial services had the highest M&A deal values in 2021.[2] Financial services, in particular, had both one of the largest volumes of deals and some of the largest individual deals of 2021.[3] However, it is important to note that no industry is completely risk free, and different industries face different risk factors due to the nature of their businesses. The results are summarized in our M&A Risk by Industry infographic if you are interested in learning more.