How To Handle Security Due Diligence During The M&A Process
Updated: Jan 14
More often than not, we see our clients show interest in other companies. This pull can come in many different forms, but it's usually through an exciting M&A process.
This moment is stressful for the leadership of the buying and selling companies. Both have been through a long process with the business, technical, marketing, and legal teams, and all are very interested in making it happen.
The seller and buyer are highly engaged, and timing is crucial. Then, members of the legal department begin asking some questions. Eventually, the department realizes they need to learn more about the supplier and perform due diligence on the cybersecurity of the platform, systems, and company.
They have concerns, as they would like to preserve their good impression on the buyer. However, on the other hand, they must comply with the buyer's requests and, in turn, with the due diligence requirements.
Signing an NDA on these events is standard, as the very nature of the assessment and process is extremely sensitive.
They have many concerns, some regarding the maturity of the product and system and others regarding compliance and possible violations and leaks.
A cybersecurity due diligence review should include an evaluation of all the different security aspects of an organization — from policies, procedures, account management, general IT security, and regulations all the way through to applications, API and development security, and cloud and infrastructure security.
The evaluating party should perform an in-depth technical security evaluation that includes penetration testing and a complete cloud security review when evaluating the system, product, and applications.
There is a chance that after the M&A, the company can identify significant security holes, which may cost a lot to fix and harm the buyer's reputation.
Besides an evaluation, the final product to be expected should be a prioritized work plan for the companies to mitigate the risks identified and live happily ever after.
The party that performs due diligence should facilitate the deal between the buyer and the seller. While it is a very stressful process, their job is to mediate between parties on the cybersecurity side.
That said, there is an expectation for the full cooperation of the seller. From our experience, buyers will rarely back out from a deal. More often, they would like to understand the security gaps between what the company currently has and the best practices and industry standards to which it should adhere.
There are some points where things can go wrong for either party. For example, the seller's team might not cooperate or be unable to comply with basic requirements. In addition, there might be information that was not disclosed and pops up in intelligence and/or security research. From our experience, however, these were never deal-breakers.
From our knowledge, performing these assessments can increase the confidence of the buyer in the deal to buy from the seller and allows them to see a different perspective of the seller's team in action.
The deal's valuation may change following these due diligence processes, but this process allows the buyer to know what they are buying and not buy a cat in a bag. Again, the important thing for the process, it is essential to be prepared.