Acquirers should first take a risk-based approach to cyber due diligence in deals. As noted earlier, cyber due diligence isn’t as established nor does it analyze standardized data as other types of due diligence. Since all deals aren’t the same, they don’t require the same level of diligence.
An acquirer should have a process to evaluate the current threat landscape and identify the bad actors – external and internal – that might target the parties in the transaction. This landscape can vary by industry or region, and higher risk transactions – such as acquisitions in certain countries or in sectors that have suffered recent attacks – require greater diligence.
The more active a business is in deals – such as serial corporate acquirers or private equity firms – the more cyber should be woven into the typical deal life cycle. Frequent acquirers should have established relationships with cybersecurity stakeholders within their firm and have a flexible cyber deals playbook to assist with cyber at each deal stage, cyber risk level and deal type. This allows those acquirers to engage cybersecurity at key points in a deal life cycle and to more effectively manage cyber risk to targets and their existing portfolio.
Another outcome of managing cyber risk in deals is establishing a benchmark of cyber readiness, which can be applied to other businesses in their portfolio
and used when assessing new investments. Some will conduct an annual security assessment of their portfolio companies, further preparing them for
Cyber due diligence also should reveal deal-breakers – or more likely, deal-changers – for the acquirer. Walking away altogether may be unlikely, but there may be issues that lead a buyer to reconsider the target’s value – and therefore price. An acquirer needs to be able to identify and quantify those issues and either push the target to address them before closing or renegotiate the price and possibly other terms.
The latter could be an opportunity to shift seller proceeds to remediation investment, but the acquirer needs to plan for how the issue will be addressed – and paid for – after closing and during integration. Still, the potential to shift burden to sellers may appeal to serial acquirers who are making smaller deals and are confident they can manage the risks.
Ultimately, successful cyber due diligence should yield not only a road map of critical remediation items but also the responsibility for, cost of and timeline for resolving each item.