Since much M&A due diligence centers on valuation, both of the asset today (point in time) and as an ongoing source of positive economic activity, risk assessment has long been a foundation of transactions.
The dawning realization among [some] M&A due diligence teams is that information security risks are real, that they bear on both current valuation (intellectual property, trade secrets, competitive advantage) and future value (resilience), and that they can be used both in price/terms negotiation and in the ultimate acquisition decision. This applies to large targets down through small partnerships.
The fundamental due diligence questions, asked with a cyber flavor, remain:
  1. Does what I’m acquiring have the value I think it has? Can I negotiate more favorable terms by identifying cyber risk in the target? Are the risks enough to walk away from the deal?
  2. How likely is the asset I’m acquiring to generate the returns I expect? Have the foundations of its value been compromised, or stolen by competitors or nation states? Can its systems keep operating while under attack? What percentage of the business carries a cyber exposure?
There are still blind spots within acquisition teams, but they are clearing as cyber risk becomes easier to understand and more examples can be leveraged (like Yahoo, whose breach disclosures during the Verizon acquisition led to the purchase price being renegotiated downward).
In any M&A engagement, buyers should include a third-party assessment of the target’s cyber security exposure and maturity. Even short of a full penetration test, the external reconnaissance and vulnerability identification work can and should be done before the deal closes; that pass alone provides significant insight into the overall security of the asset. Where verifiable, recent, and comprehensive information security audits do not exist, buyers should commission them as part of due diligence.
We wouldn’t merely take a seller’s word on physical or financial assets unless it were backed by legal ownership, documentation and third-party audits. Why would we take someone’s word that they manage security well, have no hidden security breaches, or even employ mature security practices?
These risks fit within the overall risk portfolio for an acquisition target and should be considered in context. While they will rarely, on their own, give reason enough to walk away from a prospective deal, the cost of identifying them is dwarfed by the cost of dealing with post-acquisition data breaches that result from poor cyber security management.
In the age of cyber, “Caveat emptor” still applies.