How Cybersecurity Affects Mergers and Acquisitions

March 28, 2019

Time to Learn More

Anytime you plan to get involved with something, whether it be a person, place, or thing, you need information —sometimes a lot of information. In the world of mergers & acquisitions (M&A), this process involves taking reasonable steps to learn as much as possible about another company’s strengths and assets, as well as their weaknesses and liabilities. For a time, those liabilities often came in the form of financial debt, messy legal obligations, or poor revenue — but these days, this accountability analysis also includes all data related to a company’s cybersecurity posture.

Potential buyers must understand the critical nature of a thorough cybersecurity review. Digital data and network systems are the very backbone of modern business, and as such, they define the integrity of any enterprise. The way in which companies store their electronic information—and more importantly, how they protect it—must be an analytic priority during due diligence in M&A. This analysis should include any cyber issues, from electronic records to network infrastructure. Not only does this data indicate the viability of a target business, it also gives buyers transparency into existing vulnerabilities and potential security concerns. And when this is done well, it also dictates the way a deal should be structured and evaluated.

The risks buyers take during the M&A process should be readily apparent. Here’s why:

Shared Problems

The truth is, taking on or merging with a separate company, regardless of their evaluation, is always a risk. One of the biggest challenges of due diligence is to remain thorough throughout the process and avoid missing red flags. A poor security posture or a history of cyber breaches often means a company has experienced some significant digital trouble. And these problems do not just disappear when an enterprise is absorbed into a larger one. Instead, they often contaminate the very landscape they were purchased to improve.

Hidden Dangers

One of the most daunting elements of being hacked is the lack of awareness about what it really looks like. Security, by nature, is about vigilance rather than problem-solving. That means companies who haven’t been actively patrolling their digital environment with technologies like endpoint management have likely experienced breaches they are not even aware of. Buyers taking on new enterprises can easily assume damaging liabilities they don’t even see—yet. Cyber-attacks are well-hidden and sometimes invisible for long periods of time, which means a target asset may be losing value even as the deal is being signed. By the time the buyers discover the hack, it’s could be too late.  In the best case scenario for the buyer, the issues are uncovered and used to drive down the cost to account for the risk.  In Yahoo's acquisition by Verizon, the public nature of the breach at Yahoo! led to the value of the acquisition being cut by $350M.


Malware can often be contagious and hard to get rid of. When a network system is breached, malicious software can entangle itself in all sorts of files and application. And unless a thorough digital cleaning and subsequent pen test are performed, this cyber contamination can linger unnoticed or a long time. For buyers, a lack of awareness about the integrity of a target system can translate into contamination to their once-clean system. All it takes is one file to download, and the entire network is considered breached.

Delicate Reputations

Cybersecurity mistakes are costly for everyone. When Target Corporation was compromised and leaked the financial information of 70 million customers, they lost net cumulative expenses of $162 million. But equally as important was the trust they lost from the public. This has been this case with many big fish, like Facebook, Neiman Marcus, and Equifax. And every time it happens, a perfectly good company is tarnished, sometimes forever. Buyers need to remember that business reputations take time to build, and they can be delicate. Taking on an enterprise with a poor cyber stance triggers distrust in customers and can often translate into a loss of revenue for all.

2016 NYSE Cyber Survey Figure 1

Both buyers and sellers are beginning to realize the critical nature of a thorough cybersecurity review in any M&A transaction. According to a 2016 survey report by the NYSE Governance services, the discovery of a major vulnerability these days is not just a problem—it can be a deal-breaker. So, the notion of cybersecurity as secondary goal during the M&A process is simply not realistic anymore.

2016 NYSE Cyber Survey Figure 2


The good news is, companies looking to convey their cybersecurity consciousness to boards, customers and potentially outsider due-diligence teams need only turn to Apptega. Learn how companies are using Apptega to organize their program around industry best practices and cybersecurity frameworks from NIST, CIS, ISO, and the AICPA. Going into an acquisition can be a stressful and anxious time in business, which is precisely why this level of preparedness is so critical. Even if you aren't actively shopping an acquisition, having your cybersecurity house in order by maintaining a strong cybersecurity plan keeps you ready for when opportunities present themselves. Schedule a call with one of our Apptega product specialists to learn more.