August 8, 2016
Let’s say Company X wants to purchase Company Y. If Company X is smart, it will not only be looking at Company Y’s financials, structure, culture and more to determine value and strategic fit. Company X will also be taking a long, hard look at Company Y’s cybersecurity posture.
How often do the Company Xs of the world — the buyers — take that long, hard look at a seller’s cybersecurity capabilities these days? The short answer is, not often enough. Due diligence is too often treated as a defensive strategy that provides a broad, high-level view of the investment — with cybersecurity often left out in the cold.
What’s more, when the buyer does look, it often doesn’t look carefully enough. The target may have spent a lot of money on high-end cybersecurity tools and technology. That’s attractive, right? Sure — if those tools have been properly implemented, well-maintained, regularly updated, and kept in compliance with all applicable laws and regulations. If they haven’t, the target may be badly compromised. Post-deal, it will also cost the buyer significant time and money to fix those problems.
The bottom line here is obvious: in mergers and acquisitions, due diligence needs to serve as an offensive strategy that includes a rigorous cybersecurity assessment, to make sure the buyer gets the value it’s paying for. And, before pursuing a divestiture or sale, the seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and sweeten the deal.