
M&A Due Diligence & Cybersecurity


Mergers and acquisitions (M&A) are fairly routine deals these days, and conducting a due diligence investigation to identify and rectify potential issues before sealing the deal is obligatory. Although due diligence is an expected part of the process, the scope of the investigation continues to evolve. These days, companies need to scrutinize more than just financials, with matters related to technology and cybersecurity becoming increasingly important. Here are the key aspects of cybersecurity to consider during due diligence:

Technology Utilized

For the due diligence team to get a sense of a company's cybersecurity, they will have to take a look at the type of technology a company is using. This includes any internal systems used to track company financials, products related to sales and customer management, and any kind of software or cloud-based application relied upon to operate the business. In many cases, externally sourced technology is responsible for a company's security breaches, usually because of insufficient security practices. These breaches can have enormous repercussions, so the team will be evaluating the security practices and standards of all of the technology a company utilizes. In the event a potential weakness is identified, a company may have to switch providers or negotiate with the existing provider for improvements. Of course, the investigation will also be examining the security of the servers that are used, as well as company computers and any mobile devices that are used to access important data.

Networks and Connectivity

In addition to the hardware and software utilized, the due diligence investigation will focus heavily on the company's cyber architecture, including the types of networks and connections a company uses to save and transmit data. The security features of these systems should include advanced encryption and layered authentication procedures in order to pass muster. Of course, the due diligence team will also be examining how the networks are accessed, who oversees them, and the IT team's ability to identify and respond to potential breaches. 

Security Standards and Protocols

Companies often mistakenly believe that investing in strong technology is enough to keep data safeguarded. Although that is certainly an important component, a larger security strategy has to be instituted as well. A company's security standards and protocols must also be integrated at the highest levels, not just disseminated among the personnel in IT. Companies should not be surprised if the due diligence information requests include references to cybersecurity matters, such as a desire to see the specific, written security practices, action plans for any potential breach, insurance policies in place for such breaches, and so forth.


These days, the strongest of systems may succumb to a breach because hackers have been keeping pace with security advancements and often manage to surpass them. Of course, unscrupulous hackers are not the only ones responsible for these breaches, as company insiders often make inadvertent disclosures or are intentionally compromised. Although deflecting any and all attempts on the company system is ideal, the reality of the security climate may make complete protection rather difficult. As a result, a company's ability to respond to and recover from such an intrusion is critical. The due diligence team will likely be checking into a company's plan for these instances and its potential resilience in the face of an attack. Flimsy systems, poor planning, slow responses, and inadequate budgeting will be red flags, and if they do not kill a deal altogether, they will certainly delay it.
