What is the role of Cybersecurity in M&A Transactions?

February 24, 2022

With the continued growth in mergers and acquisitions (M&A) transactions, make sure you are assessing cyber security in your overall due diligence.

The due diligence process in an M&A transaction appropriately consists of an exhaustive examination of a company’s financial records and the markets it serves. However, equally important in the evaluation is the target’s information technology environment, specifically its cyber security posture. Unfortunately, this is often a cursory, last-second exercise – if it is reviewed at all!

So, how can you improve your cybersecurity when looking to buy, sell, or merge a business? We explore here.

First Step: What are you acquiring?

Simple question, right? Obviously, there is a strategy for the target acquisition. But you can expand the due diligence process from a cyber perspective and ask the following questions:

  • What are the key assets being bought – Intellectual Property, Customer Lists, Customer Data?
  • For each of the above, what is the target’s cyber security protection over these assets?

When an organization develops a cyber security plan, it starts with understanding the key assets it maintains since you can’t protect what you don’t know you have. Think like a hacker – “if I wanted to breach Company X, what do I want and where is it kept?”

Second Step: What does the target have for documentation of its environment?

Obtaining and reviewing relevant documentation associated with the information technology environment will provide an acquirer with a good sense of the target’s approach to information security and cyber security by extension. Is there a:

  • Network diagram including data flows (the Key Assets in the First Step)
  • Information Security Plan
  • Incident Response Plan
  • Business Continuity Plan

For this step, it may be helpful for the acquirer to secure the services of an information technology security advisor to provide guidance on potential gaps.

Third Step: Protection in the Contract

It’s common knowledge that a cyber security event often occurs 6 to 9 months before being uncovered. Therefore, it makes sense that the acquiring company take measures to protect itself since a virus or ransomware may be lurking in the target’s system ready to pounce. Consider obtaining the following representations and warranties from the target company in the purchase agreement:

  • No data breaches have occurred within the last 2 to 3 years
  • The target has established and implemented reasonable security policies that comply with industry best practices
  • The target maintains a privacy policy that it is following
  • The target is in compliance with all applicable federal and state laws relative to the collection, use, disposal and transmission of data
  • There is no litigation related to privacy or data security practices.

Purchase and sale agreements are extensive to begin with. However, representations similar to the above in the area of protection from a potential cyber security event – THAT MAY HAVE ALREADY HAPPENED – could prove valuable.

Final Step: Post Deal Considerations

Once the deal is closed, it is critical to monitor the infrastructure and activities of the target company during the initial period of operations. Some recommended procedures include:

  • Isolating the newly acquired entity from the existing company network until steps have been taken to ensure it is safe for integration
  • Monitoring the performance of basic cyber hygiene procedures such as regular patching, anti-virus deployment, vulnerability scanning, etc.
  • Reviewing the access rights of acquired employees to ensure that access levels are appropriate given the new operating environment.

Ensuring that you have a sense of potential cyber exposure of a target company early during acquisition discussions is critical. Need help assessing the safety of your business? Reach out to a member of our Information Security Services Team.
