VIEWPOINT: Why IT Due Diligence Should Be a Part of All M&A Transactions
In-depth assessments of organizational health are a common part of merger and acquisition (M&A) transactions, but despite its critical nature, IT due diligence is all too often overlooked. During the due-diligence process, it is critical to take a 360-degree approach that includes a thorough assessment of the target company's information technology and cybersecurity, so that weaknesses are found and priced before closing rather than discovered as a data breach down the road. Below, I outline the IT functions that should be thoroughly reviewed prior to completing an M&A transaction, as well as some of the consequences of not performing proper due diligence on a company's information-security program prior to an acquisition.

What IT functions require review

In most M&A transactions, the buyer is acquiring intellectual property and data, so understanding how those assets are currently protected is paramount to keeping cybercriminals at bay. To achieve this, a full review of the company's cybersecurity policies and procedures is recommended, and the review should ask for evidence that the policies are actually followed, not just that they exist on paper. To start, companies should conduct a complete review of physical and logical access controls, as well as the compliance requirements the target is subject to and its current standing against them. From there, it is important to understand how the organization holds its people regularly accountable. This can include reviewing its penetration-testing procedures (including recent reports and proof that findings were remediated), security-awareness programs, and incident-response training to get a sense of the integrity of the program. As cybercriminals become more sophisticated over time, it is impossible to be 100-percent immune to a breach. Therefore, planning for failure is as important as focusing on prevention: make sure the organization has a tested incident-response plan and a strong disaster-recovery plan. Lastly, does the business you are acquiring work with third-party vendors? If so, the cybersecurity practices of those partners should be reviewed as well, with particular attention to vendors that hold the target's sensitive data or have access to its systems, to ensure that they do not introduce vulnerabilities that would put that data at risk.

Risks of not performing proper due diligence

Failure to conduct proper IT due diligence during the M&A process can mean acquiring a company whose security weaknesses, or an existing but undetected compromise, surface later as a breach, which comes with a number of potential consequences for the combined organization. Companies that experience a breach can face significant financial consequences in the form of regulatory fines and penalties, including actions by the Federal Trade Commission and state attorneys general. Additionally, there is a risk of a loss of trust by consumers, and even future liabilities and lawsuits depending on the scale of the attack and its impact on customers. For businesses seeking a buyer in an M&A transaction, experiencing a breach can be detrimental to the overall success of the sale. It may lead to delays in the completion of the transaction, or to the withdrawal of the buyer. It also could lead to significant reductions in the price. Favoring companies that have a dedicated leader overseeing the security function is a good way to reduce the risk of acquiring a company with a weak cybersecurity program. For example, organizations that have a chief information security officer (CISO) are more likely to have controls that operate soundly and a stronger overall cybersecurity approach, although the presence of the role is a signal to verify, not a substitute for the review itself.

Other assessments to consider

While IT should be a critical aspect of the M&A due-diligence process, there are a number of other organizational facets that should not be overlooked throughout the transaction. Companies must ensure they have a clear picture of an organization's structure, financial function, tax liabilities, and market and sales to properly gauge its value. Culture should not be overlooked either. Looking into the organization's operations, human resources, benefits, employee sentiment, and more is a great way to understand whether a business will integrate well into your own. As cybercriminals continue to find new ways to breach networks and exfiltrate or encrypt sensitive data from anywhere in the world, it is more critical than ever for a strong IT due-diligence process to be in place for any M&A transaction. Partnering with a reputable cybersecurity consulting firm throughout the process can help ensure that you are conducting effective assessments and protecting yourself from future, costly consequences.
Charlie Wood is the co-founder and practice leader of FoxPointe Solutions, the Information Risk Management Division of The Bonadio Group. He has more than 27 years of experience in the information technology industry, with a focus on security hardening, data privacy, vulnerability identification and remediation, internal and external auditing, controls optimization and compliance, system administration, disaster recovery, and business continuity and impact analysis, as well as general project management.