Need proof of the importance of cybersecurity in the M&A process? You only need to look at the case of Yahoo.

In July 2016, Verizon announced that it would acquire Yahoo for $4.8 billion. Soon after the deal was publicized, however, Yahoo revealed that it had previously suffered two major data breaches affecting more than 1 billion users, the biggest cyber attack in history. The fallout from this declaration forced Yahoo to knock $350 million off the deal’s original price.

Hacks, breaches, and other cyber attacks can seriously damage a company’s reputation and even cause it to go out of business. In order to mitigate the risks that you face as a business, it’s essential to assess your potential M&A partner’s cybersecurity practices during the due diligence stage.


Questions to Ask During Cybersecurity Due Diligence

To get a full picture of the target firm’s IT security posture, a thorough review is necessary. The questions below are a starting point.

Has the business previously been compromised?

Businesses that have already suffered a cyber attack are more likely to suffer another one in the future—unless they’ve taken clear steps to address the root of the issue.

There are two main types of tools that savvy companies use to detect a digital break-in:

  • Endpoint monitoring tools: This software is installed on endpoints, i.e. machines such as desktops, laptops, and mobile devices. It monitors the device’s activity for suspicious actions, such as repeated attempts to access a restricted file or multiple transfers of large quantities of data.

  • Network monitoring tools: This software analyzes network activity and historical logs in order to detect anomalous behaviors that may be a sign of a breach.
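
The sketch below is an added example, not code from the original article or from any monitoring product. It flags the two endpoint behaviors named above, repeated attempts to access a restricted file and multiple large transfers, in constructed log lines. The log format, action names, and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample events. Assumed format: timestamp host user action target bytes
SAMPLE_LOG = """\
2024-05-01T09:00:01 wks-12 alice file_access_denied /finance/payroll.xlsx 0
2024-05-01T09:00:09 wks-12 alice file_access_denied /finance/payroll.xlsx 0
2024-05-01T09:00:15 wks-12 alice file_access_denied /finance/payroll.xlsx 0
2024-05-01T10:12:40 wks-07 bob file_access_denied /hr/reviews.docx 0
2024-05-01T10:30:02 wks-07 bob transfer_out backup.example.test 120000000
2024-05-01T23:41:10 lap-03 carol transfer_out files.example.test 300000000
2024-05-01T23:55:37 lap-03 carol transfer_out files.example.test 450000000
2024-05-01T23:58:00 lap-03 carol transfer_out files.example.test 2048
garbage line
"""

# Assumed thresholds; a real deployment tunes these and applies a time window.
DENIED_THRESHOLD = 3                # denied attempts on the same file
LARGE_TRANSFER_BYTES = 100_000_000  # what counts as a "large" transfer
LARGE_TRANSFER_COUNT = 2            # "multiple" large transfers

def parse_events(log_text):
    """Return (ts, host, user, action, target, bytes) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue
        ts, host, user, action, target, size = parts
        events.append((ts, host, user, action, target, int(size)))
    return events

def find_suspicious(events):
    """Return alerts as (rule, host, user, target_or_None, count)."""
    denied = defaultdict(int)  # (host, user, target) -> denied attempts
    large = defaultdict(int)   # (host, user) -> number of large transfers
    for _ts, host, user, action, target, size in events:
        if action == "file_access_denied":
            denied[(host, user, target)] += 1
        elif action == "transfer_out" and size >= LARGE_TRANSFER_BYTES:
            large[(host, user)] += 1
    alerts = [("repeated_denied_access", h, u, t, n)
              for (h, u, t), n in sorted(denied.items()) if n >= DENIED_THRESHOLD]
    alerts += [("multiple_large_transfers", h, u, None, n)
               for (h, u), n in sorted(large.items()) if n >= LARGE_TRANSFER_COUNT]
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG)):
        print(alert)
```

During due diligence, the useful question is whether the target firm can show alerts of this kind being generated, triaged, and retained, not just that a tool is installed.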

What are the current cybersecurity measures?

Even if a business hasn’t been compromised in the past, it may be a sitting duck without proper IT security measures.

Solutions such as anti-virus and anti-malware, firewalls, intrusion detection systems (IDS), log management software, and encryption software can go a long way toward keeping your confidential data under wraps. In addition, make sure that the target firm is regularly installing the latest security patches and updates.

How do you deal with insider threats?

By some accounts, insider threats (whether intentional or unintentional) are the biggest cybersecurity risk factor. One study found that 75 percent of security breach incidents are due to insider threats such as disgruntled employees or human error.

Training and education programs are a vital part of lowering the risk of insider threats. For example, all employees should learn how to recognize a phishing email, and also know not to plug in the USB drive that they found in the parking lot.

How will the two entities merge their IT security efforts?

Merging two companies is a highly complex undertaking, and even more complex when discussing technical issues like cybersecurity. You’ll likely have some overlap in terms of software and staff members. However, the IT security merger must occur as soon as possible in order to avoid any “blind spots” during the transition.


A single data breach can wreak havoc on a business, exposing customers’ personal information or confidential patents and trade secrets. Just like other aspects of the due diligence process, cybersecurity is a critical concern during M&A negotiations. Cyber due diligence helps you get a more accurate idea of the target firm’s value and potential risks.
