
Assessing Cybersecurity During M&A Due Diligence


When sizing up a potential M&A partner, most organizations focus on practical concerns such as their customer base or new product line.

However, a growing number of companies are also paying close attention to a partner's cybersecurity practices. Only 26 percent of executives say that they would consider acquiring a company that has recently suffered a data breach without any reservations.

Few businesses understand the importance of this statistic like Yahoo. In 2016, Verizon announced that it was in talks to acquire Yahoo. During the negotiation process, however, Yahoo announced the discovery of two separate data breaches that exposed information from more than 1 billion of its user accounts. As a result, Yahoo's final purchase price was $350 million less than Verizon had originally announced.

Acquiring another company means not only assuming responsibility for its debts, but also its infrastructural weaknesses such as cybersecurity vulnerabilities. Failing to perform due diligence before signing the deal could expose you to a great deal of business risk.

This article will discuss the 5 steps that you should take to ensure that you properly assess a partner's cybersecurity needs during the mergers and acquisitions process.

1. Check security practices

If you don't know where to start evaluating a partner's IT security practices, use a pre-established standard such as the NIST Cybersecurity Framework. This document describes how to assess an institution's cybersecurity risk in terms of its skills and resources across five core functions: identify, protect, detect, respond, and recover. Sectors such as healthcare and retail also have their own industry-specific standards, e.g. HIPAA and PCI DSS, for how sensitive personal information should be handled.

2. Check the records

Cybersecurity isn't something that one person sitting in a basement office can handle. Businesses need to keep fastidious records of the IT activities on their company network. Your potential M&A partner should keep user logs and have a detailed inventory of all its hardware, applications, and data.

3. Check the history

Organizations can change, but usually they don't. Information about a company's cyber history--such as its audit trails, vulnerability assessments, and penetration tests--can be highly indicative of its IT security posture right now. You should also perform your own cyber spot checks and SWOT analyses to evaluate the current situation.

4. Check the budget

If a company takes cybersecurity seriously, it's much more likely to devote a sizable chunk of its annual budget toward solutions such as monitoring tools, antivirus software, and DDoS protection. Make sure that IT security has a set of detailed line items in the budget. Businesses that can't describe what they do in-depth might just be throwing money at the problem, with no idea about best practices.

5. Check the business/IT integration

You can have the best cybersecurity tools your money can buy, but it's not worth much if no one in the organization actually uses them. Solutions should match the needs and workflows of real employees. The discovery of "shadow IT"--employees' use of hardware and software not officially approved by the business--is a clear sign that the company's people and technology are misaligned.


Acquiring a company is about more than the company itself; it also involves the sensitive and confidential data that's newly in your possession. By assuming the responsibility for verifying a potential partner's IT security practices, you'll be protecting yourself against a number of cyber risks.
