Addressing Cybersecurity Risk During Mergers and Acquisitions

Bloomberg Law: Privacy & Data Security

Mergers & Acquisitions

Mergers and acquisitions expose companies to substantial cybersecurity risks that must be assessed during due diligence and managed throughout operational integration. With the proper tools, careful planning and trusted third-party validation, those risks can be significantly reduced, the authors write.

By Ryan Vela and Steve Hunt

Ryan Vela is vice president of Fidelis Cybersecurity in Dallas.

Steve Hunt is president and chief operating officer of DB Networks Inc. in San Diego.

Mergers and acquisitions (M&A) expose companies to substantial cybersecurity risks that must be assessed during the due diligence phase and managed throughout the operational integration phases. As the size and complexity of mergers increase, so do the cybersecurity challenges. Although many of these risks are well understood and have established mechanisms to manage them, certain cybersecurity risks are unique to individual organizations and present an often under-addressed form of M&A risk. For example, chronically weak security practices at the target increase the chance that pre-existing breaches and already-infected systems are carried into the combined organization once the networks are joined.

These vulnerabilities can result in significant risk to an acquiring company. Protecting the new entity from the potential financial losses associated with these cybersecurity risks should be a key element of M&A risk management.

Assessing Security Risks

It is important to understand not only the key information technology (IT) infrastructure and operational risks to the company, but also the security risks associated with breaches and data loss.

During the assessment phase, there are several key elements that must be addressed. Chief among these are the nature and scope of the IT infrastructure, its exposure to external interfaces, and the security mechanisms in place to protect the company's systems and data. As an example, non-intrusive database infrastructure assessment products can automatically discover the acquisition target's databases and the applications connected to them. Such tools can significantly reduce the legwork required to document and validate the state of the IT infrastructure, and the inventory they produce remains useful for securing the combined network after the deal closes.

Prior to joining the two companies' IT infrastructures, the acquiring company should have a thorough understanding of what is moving into its network, because the connection itself can introduce substantial risk. For most M&A transactions, the initial goals are operational: ensuring the availability and confidentiality of information across both networks. Issues such as how employees will collaborate securely across the two organizations' networks, or how firewalls will be connected so that human resources and finance can work together, need to be resolved. While these operational questions are important, the scope of the issues goes well beyond them. Questions such as how many domain administrators the target has, and how active those accounts actually are, matter just as much. So does whether only authorized users, applications and systems are active on the network.

Operational and security personnel can address many of these issues during due diligence. For additional checks and balances, an assessment and attestation as to the security of the networks must also be made. In as little as two weeks, a trusted third party can provide an assessment of the networks, including areas of cybersecurity risk such as suspicious or malicious activity.
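As an added example of the domain-administrator check described above (this is illustrative code written for this page, not a tool from the authors or their companies), the following PowerShell enumerates the target's Domain Admins, including members inherited through nested groups, and classifies each account by how recently it was used. It assumes the RSAT ActiveDirectory module, read access to the target domain, and that the domain name, the 90-day dormancy threshold and the output path are placeholders to be adjusted.

```powershell
# Added example, not from the original article: count the acquisition target's
# Domain Admins and report how active each account is.
# Assumptions: ActiveDirectory module available; read access to the target domain;
# $Domain, $StaleAfterDays and the CSV path are placeholders.
Import-Module ActiveDirectory

$Domain        = 'target.example'   # assumption: the acquired company's AD domain
$StaleAfterDays = 90                # assumption: no logon in 90 days = dormant
$StaleBefore   = (Get-Date).AddDays(-$StaleAfterDays)

# -Recursive expands nested groups, so an account that is a Domain Admin only
# through a group-in-group chain is still counted.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Server $Domain -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Server $Domain `
            -Properties LastLogonDate, PasswordLastSet, Enabled, whenCreated

    # LastLogonDate is derived from lastLogonTimestamp, which replicates with
    # roughly 14-day granularity; it is good enough to spot dormant accounts
    # but not for a precise "last used" time.
    $status = if (-not $u.Enabled)                    { 'disabled' }
              elseif (-not $u.LastLogonDate)          { 'never logged on' }
              elseif ($u.LastLogonDate -lt $StaleBefore) { 'dormant' }
              else                                    { 'active' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        Created         = $u.whenCreated
        PasswordLastSet = $u.PasswordLastSet
        LastLogonDate   = $u.LastLogonDate
        Status          = $status
    }
}

# Headline numbers for the due-diligence file, then the per-account detail.
"Domain Admins in ${Domain}: $($report.Count)"
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object LastLogonDate | Format-Table -AutoSize

# Keep the evidence alongside the other diligence artifacts (path is a placeholder).
$report | Export-Csv -Path '.\domain-admins.csv' -NoTypeInformation
```

Two caveats when reading the output. Domain Admins is not the whole privileged population: run the same query against Enterprise Admins, Schema Admins, Administrators and any custom groups with delegated rights before concluding how many people can administer the domain. And because lastLogonTimestamp replicates only every 9 to 14 days, an account that shows as dormant may simply not have replicated yet; when a precise last-logon time matters, query the non-replicated lastLogon attribute on every domain controller and take the newest value.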


Even seasoned IT veterans find the M&A cybersecurity risks challenging. Dave McCandless, Vice President IT at Navis LLC recalls, “The M&A process can be extremely stressful to both the acquiring and acquired IT organizations. Both teams need to ensure they agree on an accurate analysis of the information asset landscape so that areas of potential risk can be accurately identified. If, for example, the company being acquired has a license for 100 databases, then the audit process will confirm an accurate asset count. Our automated tools will comprehensively identify the deployed assets in real time. If it turns out we identify 500 deployed databases, we have an issue—one that we can now manage within the active M&A process.”

Gathering accurate information about the IT infrastructure during the due diligence phase can be an arduous process. Rarely will a completely accurate representation of information systems, security mechanisms and information asset inventory result. Therefore, the M&A agreement should include the appropriate warranties with respect to the accuracy and completeness of these representations. Further, it should include some warranties covering compliance with required regulations, as well as representations that industry standards or best practices are used to protect the systems and data within the acquired business' operations. This includes assurances that the environment is reasonably free of pre-existing intrusions, viruses and other security breaches that would impact operations or add additional cost to the business to manage. Ultimately, the companies need to comprehend the level of risk of the networks involved in the transaction.

The security assessment of the networks, information systems and databases will bring the overall cybersecurity risk into view. Attackers who compromise networks may not be easily identified, and organizations may be unaware that they have been compromised. A trusted third party can help determine whether a compromise has already happened, whether one is ongoing, and how credible the threat of a future compromise is.

Normally a portion of the proceeds from the acquisition will be set aside in an escrow account to cover unanticipated costs of the transaction. Unexpected cybersecurity expenses and undisclosed license fees need to be included as items that can draw from the escrow account. The intent is not to address trivial issues such as antivirus software missing from a few desktops, but to cover the costs of a significant incident response required to contain a breach, payouts associated with substantial data loss, costs associated with license true-ups, and the cost of bringing the security posture up to an industry-acceptable level, or at least to the level at which it was represented. Ensuring these costs are covered in the agreement provides a means of completing the merger within the cost targets established for the deal, even if there are significant post-merger revelations.

Considering the complexity of modern IT systems, the limited time available to complete due diligence, and the limited access an acquirer has before the merger closes, there are likely to be a number of issues that will need to be addressed after the fact, and the costs involved can be substantial.


Given the substantial increases in cybersecurity risks over the past several years, this is an area worthy of careful consideration. However, with the proper tools, careful planning and trusted third party validation, cybersecurity risks can be significantly reduced.

M&A agreements create only the framework for risk/cost avoidance—to fully realize that benefit requires a comprehensive assessment of the acquired entity's operations to identify actual risks and the actions required to address them.

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.