The most underrated M&A landmine: cybersecurity

By Chad Holmes, Optiv

Recent years have seen multiple high-profile instances of “acquisitions gone wrong” due to data breaches during the M&A process.

The most famous of these was in 2016, when an M&A deal between one of the world’s largest telecom companies and a leading internet company was almost derailed by a breach disclosure.

The two companies were able to get the deal back on track — but only after the acquisition target agreed to reduce the purchase price by $350 million, and accept responsibility for all liabilities from shareholder and SEC actions as well as half of any other costs associated with the breach.

This is a spectacular example of how cybersecurity can affect an M&A deal, but it is not uncommon. Every day, data breaches cause many less-prominent deals to be restructured or killed.

In some cases, the acquiring company does not learn about the security issues until after the deal closes, sometimes causing the value of the acquired asset to drop to zero if, for example, intellectual property has been stolen or if remediation is egregiously expensive.

How can this happen? Easy: On average a company takes 101 days to discover a data breach, according to the most recent Mandiant M-Trends report. If a breach occurs toward the tail end of the due-diligence process, one can easily see how this nasty detail can rear its head after a deal has closed.

Or if cybersecurity is relegated to an after-closing exercise, as it often is, breaches from months or even years earlier may be discovered after the fact.

Even when security is brought into the due-diligence process, it is often in an insufficient capacity. For example, conducting a penetration test and doing a cursory review of security policies and processes will not give acquirers the information they need to understand the state of cybersecurity in an acquisition target.

To mitigate security risk from M&A, cybersecurity experts must be brought into the due-diligence process early on. This is the only way an acquirer can get a clear picture of the real and potential risks an acquisition target may introduce through its security gaps.

Here are some key cybersecurity steps every acquiring company should take before and during the M&A process:

  • Store a list of the target company’s digital assets, including infrastructure, software, hardware and mobile apps, in a centralized database. This should include a risk score for each asset, based on information such as previous compromises.
  • Gain a complete view of the target company’s third-party ecosystem. Evaluate the security protocols and assurances of each partnership to assess the risk it might introduce.
  • Make sure governance procedures are in place — especially software-development controls for the technology that is being acquired. In addition, the acquiring company needs to examine how it will introduce the new technology into its own organization and maintain compliance.
  • Invest in employee education and awareness. At a minimum, hold a cybersecurity training session with staff from the new organization to outline security expectations and guidelines.
  • Decide in advance whether the target will be fully integrated or operate separately and develop the security strategy accordingly. For example, many security teams prefer to isolate the new group under a zero-trust model for several months as a temporary safeguard.

To see the extent of this problem, just search “M&A due-diligence checklist.” Almost none of the page 1 results even mention cybersecurity as part of the due-diligence process. This needs to change, or companies risk acquiring nothing but trouble.

Chad Holmes is chief services and operations officer at Optiv, the Denver-based security solutions integrator that helps clients around the world build and run successful cybersecurity programs. Chad can be reached at