Protecting Your Company from Cybersecurity Risk During Mergers & Acquisitions

Companies Can Become Vulnerable During Merger and Acquisition Activity

Cybersecurity threats have become ubiquitous in the corporate world, and even more so when a company undergoes mergers & acquisitions. M&A activities bring about significant changes that criminals perceive as fertile ground because they create unusually high opportunities for human error. During the M&A process, policies aren’t always well known or followed, organizational changes run rampant, and technology governance usually becomes lax.

Due Diligence Can Create Vulnerabilities

Investors, customers, and attorneys continue to grow more aware of the cybersecurity risks posed by a merger, which can affect both the buyer and the seller. “Buy-side” due diligence procedures are evolving to include cyber due diligence to further reduce risk exposure. Buyers are exposed to potential unforeseen liabilities from past or future disclosure of confidential and private information, as well as the reputational impact that such a breach can have on public perception. As acquired companies integrate into the purchasing company, their inherent security risks can become vulnerabilities in the buyer’s current operations.

Sellers aren’t immune from the risk either. Not adhering to industry-standard cybersecurity practices can lead to reduced valuations, and potential breach exposure can impact valuation purchase agreements even further. This is notably evidenced by the $350 million hit Yahoo took in the 2016 acquisition by Verizon Communications, which resulted from three separate data breaches experienced by Yahoo.

SOC for Cybersecurity Can Help

A SOC for Cybersecurity is a third-party attestation rendered by a trusted CPA firm on the description of a company’s cybersecurity program and the design and operating effectiveness of its cybersecurity controls. This can provide significant value for both the buyer and seller of a company by disclosing cybersecurity practices without potentially exposing trade or security secrets. Specific to the seller, this type of examination can be a key differentiator in the due diligence phase of M&A transactions by substantiating the company’s vigilance over data governance, an area that, as reported in the press in recent years, is increasingly at risk.