Cybersecurity Considerations During M&A Phases

In brief: Directors of companies involved in transactions should approach cybersecurity diligence with a two-pronged approach: 1) assess the target company’s cyber risks and their impact on the business deal both during and after the transaction, and 2) prepare for the increased potential of a cyberattack during the transaction itself. This tool, which originally appeared in the NACD Director’s Handbook on Cyber-Risk Oversight, provides steps for performing cybersecurity due diligence before, during, and after the transaction.

This resource can help your board

• Understand how cybersecurity vulnerabilities can pose risks to a deal’s value in both the short and long term.

• Analyze the target company’s cyber risks during the due diligence and deal execution phases.

• Continue to mitigate cyber risks in the integration phase.

Most relevant audiences: directors of companies undergoing a transaction, risk committee members, audit committee members, and chief information security officers.

Companies involved in transactions are often prime targets for hackers and cybercriminals, because the value of confidential deal-related information is high, and the short timelines, high-pressure environment, and significant workloads associated with transactions can cause key players to act carelessly and potentially make mistakes. Cybersecurity vulnerabilities exploited during a transaction can pose risks to the deal’s value and return on investment:

Short-term risks

• Paralyzed operations as a result of ransomware or malware.

• Transaction period might be used by threat actors to gain entry and conduct reconnaissance, an event which often is not detected until well after the deal closes.

• Theft of inside information, including valuations, bids, etc.

• Warranty claims, a change of deal terms, or a reduction in the deal’s value.

• Forensic investigations related to a data breach.

Long-term risks

• Exposure to risk from regulatory and other lawsuits.

• Regulatory investigation and penalties.

• Loss of customers, and associated hits to sales and profit.

• Reputational damage.

• Loss of market share to competitors without a known data breach.

Directors should ask management to conduct a cyber-risk assessment for each phase of the transaction’s lifecycle to confirm that systems and processes are secure, and to quantify the risks that may impact the company after the deal closes, including revenues, profits, market value, market share, and brand reputation.