Make Cybersecurity an Essential Part of M&A Due Diligence

It’s not prudent to buy a house without checking its structural integrity. Neither is acquiring a company with shoddy cybersecurity.
There was certainly a bumper crop of mergers and acquisitions last year. It’s a sure bet that before any of the 2015 M&A deals went through, however, the buyers looked very carefully at their target companies. Each deal had gone through a comprehensive appraisal and due diligence process that lasted from a few months to a year. Buyers and their auditors, lawyers and bankers will have worked from a fairly exhaustive evaluation checklist — audit financials, inspect buildings, validate the value of intangible assets, look at intellectual property and — the step that’s caused about half of my companies some heartburn — determine if all the shareholders can be contacted and notified.

As an investor, I have pretty extensive experience in this process, having been involved in more than 30 acquisitions. One all too common oversight that I make certain is on the checklist is cybersecurity.

Although the pace of M&A activity has slowed this year, it is still a very active market. The media, information, marketing, software and tech-enabled service sectors have seen more than 600 transactions announced, with a total value of $37.4 billion. One thing that jumps out about these sectors is their dependence on technology, connectivity and networks — therefore, assessing their cyberrisk should be high on the due diligence list.

Yet despite numerous devastating stories of security weaknesses causing huge losses, I typically see only the most cursory of efforts to evaluate cybersecurity. I’m not the only one with this observation. As recently as 2014, international law firm Freshfields Bruckhaus Deringer’s survey of dealmakers showed increasing awareness of the cybersecurity risks facing businesses yet a “surprising complacency” about the issue during M&A deals.

Most of us understand that what is learned during the due diligence process will directly affect the price paid for a company. It is key that a target company either has everything in order or that there is a fair price adjustment for the potential disclosed risk that is taken on. It’s simple: Increased risk results in a decreased price.

Without cyber–due diligence, the potential liability from an unforeseen breach can be huge, as can the resulting drop in company value. It isn’t just the risk taken on from the target company that needs to be considered. Connecting an existing network to a newly acquired but flawed one can introduce issues into a previously protected company. It is a business imperative to fully understand the potential impact that the acquisition of an additional network poses and to evaluate fully the potential liability and loss of value and reputation that a weak network infrastructure might produce.
In today’s M&A environment, due diligence must include full disclosure and assessment of a company’s network and security architecture. A company’s digital resilience is an increasingly important, intangible asset. For auditors, lawyers and bankers, this call to action mandates the establishment of a methodology to measure the digital resilience and cyberreadiness of target companies’ networks. The resilience of a company’s network must be taken into account during the due diligence process and when pricing a target company.

Over the past several years, the number of breaches of corporate networks has increased dramatically — as has the number of companies with products to fight off cyberattacks. Surely, with companies’ ever-increasing investment in security, the rate of breach should be in decline. Yet the opposite is true.

Given this unusual dynamic of increased investment in protection not resulting in overall reduction in breaches, how is a company to understand its cyberrisk? Our research shows that C-level executives are overconfident, confused or simply do not have the metrics in place to accurately report their cyberrisk. The C-suite cyberconfidence survey by RedSeal, the Sunnyvale, California, company I head, shows that although nearly two thirds of C-level executives believed they could truthfully assure their board beyond a reasonable doubt that their organization was secure, less than one third claimed to have full understanding of their network infrastructure. This type of disconnect should flash large red flags for anyone undertaking a due diligence process.

So what and how do we measure? Although most companies invest heavily in threat prevention and identification, the most important indicator of a corporate network’s health in the M&A due diligence process is not how much has been invested but how resilient the digital infrastructure is. How quickly and completely can it recover from an attack? That is the key question to answer and quantify. It is this metric that illustrates and quantifies the risk. It is this metric that proves true cyber–due diligence has been done, and enables risk in M&A deals to be measured and accounted for.

When buying or selling a house, only the foolhardy would complete a transaction without surveying the wiring or the framework. Likewise, when analyzing a target company, it is in everyone’s interest to demonstrate and measure digital resilience during the merger and acquisition process.

Ray Rothrock is chairman and CEO of RedSeal, a cybersecurity analytics company in Sunnyvale, California.