Most CFOs don’t expect to see cybersecurity on their due diligence checklist for mergers and acquisitions.
Yet cybersecurity – or a lack thereof – has massive implications for any deal: after all, the average data breach now costs organisations in the ballpark of $4 million, not to mention the potential damage to reputation and revenues when a breach goes public. These are risks that no CFO can afford to leave out of their assessments.
CFOs need to make cybersecurity audits a top priority if they want future M&A activity to succeed.
To do so, they should work with IT to understand what cybersecurity the target organisation currently employs; and how to integrate it with their own cybersecurity infrastructure and policies so that the threat of breaches remains minimal. Here are four tips for doing so:
Audit the network
Before the merger or acquisition gets underway, set a full network and systems audit as one of the transaction’s due diligence conditions.
The offices of the CFO and CIO should work together to review not only the technologies used by the target organisation, but the policies and processes that they’ve implemented to reduce cybersecurity risks.
Cybersecurity documentation can help the CFO identify how well the target organisation responded to previous threats in the past – and if this documentation doesn’t exist, that brings up its own questions of accountability and due process.
A significant number of cybersecurity breaches occur because of employee actions, whether deliberately malicious or simply carelessness. In the lead-up to the transaction taking place, disgruntled employees or those facing termination may decide to throw a spanner in the datacentre or leak sensitive customer information for revenge.
IT teams from both organisations, reporting back to the CFO and CIO, should work together to increase monitoring of networks, systems, and devices for potential malicious behaviour at this time.