M&A Cyber Due Diligence is a Rounding Error Compared to the Alternative

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

For companies purchasing an enterprise with substantial digital assets, which is most companies these days, the cost of pre-deal cyber due diligence can be a rounding error. Conducting no cyber due diligence is like buying a house without an inspection. You have no idea how much it will cost to fix post-closing, or whether, in the rare case, the problems are so significant that you should know you are biting off massive risk. Pre-deal cyber due diligence enables the buyer or investor to re-price the deal, pass the cost of the fixes on to the seller(s), or walk away. Just like the financial, environmental, and insurance due diligence done in most M&A deals, cyber diligence can identify, quantify, and protect against taking on excessive risk. While cyber due diligence is not yet routine, companies and private equity firms are increasingly embracing it.

Poor cybersecurity can make an expensive breach more likely, or can create regulatory non-compliance that is expensive to fix. As far as breaches are concerned, any company can be broken into with enough effort and time, but if pre-deal due diligence shows that it would be trivial to hack the target company, the chances of a serious breach rise accordingly. By recent measurements, the average cost of a data breach is $3.6 million, but damages from big breaches can reach the tens, if not hundreds, of millions of dollars. Fines under the EU’s General Data Protection Regulation, which applies from 25 May 2018, can be as high as 4% of global annual turnover (or €20 million, whichever is higher). This kind of financial or reputational loss can affect enterprise value.

Pre-deal diligence that shows a company has significant gaps in computer security hardware, software, and talent can help assess the likelihood of breach, quantify the fixes, and produce an understanding of how long the target will remain insecure. These are all factors that directors, officers, and investment committees should consider in advance. This is especially so when the target company is being merged into a more secure network. Who wants to bring cyber “termites” into a house that has none?

Gaps in cyber resilience can also violate the increasing number of local and international data privacy and cybersecurity regulations. There is the cybersecurity regulation of the New York Department of Financial Services (“DFS”), the Bank of England’s CBEST intelligence-led penetration testing framework for the financial firms it supervises, state laws, and the EU’s General Data Protection Regulation (“GDPR”), to name a few. The DFS regulation requires the board or a senior officer to certify compliance annually, and specifically requires a written cybersecurity program and a periodic risk assessment, penetration testing and vulnerability assessments, encryption of nonpublic information (or CISO-approved compensating controls where encryption is infeasible), multi-factor authentication for access from external networks, and other specific aspects of a security program. DFS gaps will be expensive to remediate post-deal. The same is true of GDPR violations, which cover not only cross-border transfers of personal data but the lawful basis for processing it, the rights of data subjects, and the security of that processing; and of findings from a CBEST exercise, which, like the DFS regulation, focuses on whether the firm can withstand realistic attack.

Given that the touchstone for all cybersecurity is identifying and then protecting the digital “crown jewels,” pre-deal cyber due diligence should focus first on whether the company even understands what its key digital assets are, and then whether budget, technology, and skills are aligned with protecting those assets. For example, in healthcare, important concerns that can affect enterprise value are whether the target company is susceptible to mass exfiltration of patient health information, ransomware that can affect the ability to operate, and attacks against notoriously insecure medical devices. In oil and gas, a leading focus should be whether industrial control systems are exposed to manipulation by malicious outsiders. In entertainment, acquirers and investors should be concerned about exfiltration of customer data, the security of pre-release content, and the security of the network operations through which content is broadcast. Across all industries, security is not just a question of what attacks the target company can block, but whether it can detect and respond to an attack—as swift action often decreases loss and protects the value of the enterprise. When source code is the key digital asset, due diligence can involve ensuring that the software development environment is secure, and that the code is not purloined in whole or in part, is not subject to a patent invalidity attack, and is maintainable. For example, if the code is poorly commented and all the conversant developers have departed, the post-close cost of maintaining and improving the code base can be dramatically higher.
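The source-code point above (poorly commented code whose only conversant developers have left) is the kind of thing a diligence team can measure rather than guess at. The script below is an added example written for this post, not Stroz Friedberg’s tooling or anything from a real engagement. It scores each file in a code base on three signals: comment density, the "bus factor" (how many authors account for more than half of the commits), and the share of commits made by developers who have since departed. The file names, source text, commit-author lists and the departed-staff set are all constructed inline so the example runs offline; on a real target you would feed it `git log --format=%an -- <file>` output and the HR roster.

```python
"""Source-code diligence heuristics: comment density and author concentration.

Added example for this post, not Stroz Friedberg's own tooling. All input is
constructed inline: per-file author lists that mimic what
`git log --format=%an -- <file>` returns, and short hypothetical source files.
"""
import os
from collections import Counter

# Constructed sample: per file, one entry per commit that touched it.
SAMPLE_AUTHORSHIP = {
    "billing/ledger.py": ["ana", "ana", "ana", "ana", "ana"],
    "api/auth.py": ["bo", "ana", "cy", "bo", "cy", "ana"],
    "legacy/parser.c": ["ed", "fay", "ed", "fay"],
}

# Constructed sample file contents (hypothetical code, not a real code base).
SAMPLE_SOURCES = {
    "billing/ledger.py": (
        "import decimal\n"
        "\n"
        "# Ledger entries are immutable once posted.\n"
        "def post(entries, amount):\n"
        "    # Reject negative postings; refunds use reverse().\n"
        "    if amount < 0:\n"
        "        raise ValueError('negative posting')\n"
        "    entries.append(decimal.Decimal(amount))\n"
        "    return entries\n"
    ),
    "api/auth.py": (
        "import hmac\n"
        "\n"
        "def check(token, expected):\n"
        "    return hmac.compare_digest(token, expected)\n"
    ),
    "legacy/parser.c": (
        "/* Count comma-separated fields.\n"
        "   Caller guarantees s is NUL-terminated. */\n"
        "#include <string.h>\n"
        "int parse(const char *s) {\n"
        "    int n = 0;\n"
        "    while (*s) { if (*s++ == ',') n++; }\n"
        "    return n;\n"
        "}\n"
    ),
}

# Constructed: developers who have left the target (from HR or interviews).
DEPARTED = {"ana"}

# Line-comment marker and optional block-comment delimiters, by extension.
COMMENT_SYNTAX = {
    ".py": ("#", None, None),
    ".c": ("//", "/*", "*/"),
    ".h": ("//", "/*", "*/"),
}


def comment_density(text, ext):
    """Fraction of non-blank lines that are whole-line or block comments."""
    line_marker, block_open, block_close = COMMENT_SYNTAX[ext]
    nonblank = comments = 0
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        nonblank += 1
        if in_block:
            comments += 1
            if block_close and block_close in line:
                in_block = False
        elif line.startswith(line_marker):
            comments += 1
        elif block_open and line.startswith(block_open):
            comments += 1
            in_block = block_close not in line[len(block_open):]
    return comments / nonblank if nonblank else 0.0


def bus_factor(authors):
    """Smallest number of authors whose commits together exceed half the total."""
    counts = sorted(Counter(authors).values(), reverse=True)
    total = sum(counts)
    covered = 0
    for i, c in enumerate(counts, start=1):
        covered += c
        if covered * 2 > total:
            return i
    return len(counts)


def departed_share(authors, departed):
    """Fraction of commits made by developers no longer with the company."""
    if not authors:
        return 0.0
    return sum(1 for a in authors if a in departed) / len(authors)


def assess(sources, authorship, departed, min_density=0.10):
    """Rate each file 'high' when most commits come from departed staff AND the
    file also has a single key person or is thinly commented; 'medium' on any
    one warning sign; 'low' otherwise."""
    report = {}
    for path, text in sources.items():
        ext = os.path.splitext(path)[1]
        authors = authorship.get(path, [])
        density = comment_density(text, ext)
        bf = bus_factor(authors)
        gone = departed_share(authors, departed)
        flags = []
        if bf <= 1:
            flags.append("single key person")
        if density < min_density:
            flags.append("thinly commented")
        if gone >= 0.5:
            flags.append("mostly written by departed staff")
        risk = "high" if gone >= 0.5 and len(flags) > 1 else ("medium" if flags else "low")
        report[path] = {"comment_density": round(density, 3), "bus_factor": bf,
                        "departed_share": round(gone, 3), "flags": flags, "risk": risk}
    return report


if __name__ == "__main__":
    for path, row in assess(SAMPLE_SOURCES, SAMPLE_AUTHORSHIP, DEPARTED).items():
        print(f"{path:20} risk={row['risk']:6} {row['flags']}")
```

On the constructed data, `billing/ledger.py` comes out "high" (every commit by one departed developer), `api/auth.py` "medium" (no comments at all, though knowledge is spread across three people), and `legacy/parser.c` "low". The thresholds are deliberately simple; the value for a diligence team is that the output converts a vague worry about maintainability into a list of files whose remediation cost can be estimated and negotiated.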

Cyber due diligence is a short-term (2-4 weeks), high-level, and thus relatively inexpensive evaluation of the risk presented by the target company’s cyber maturity. It can identify costly risks, opening up the opportunity for buyers to reduce their exposure. Making it part of normal M&A due diligence is bound to happen sooner rather than later. As cyber attacks get more severe—the recent global ransomware attacks being an example—it becomes increasingly clear: ignoring these risks can cost buyers or investors profoundly.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.
