It’s hard to read the news these days without seeing another headline about a data breach. As companies rely increasingly on technology, the importance of securing customer information and intellectual property has increased exponentially—as has the cost of failing to keep data secure. Concerns about cybersecurity have become especially acute when it comes to M&A transactions. A company’s cybersecurity infrastructure – or lack of one – can affect the deal price, and even determine whether the potential acquirer decides to go through with a deal at all.
In order to protect themselves, acquirers are broadening their due diligence process to include a rigorous examination of the IT infrastructure of deal targets. To gain a better understanding of how companies are conducting cybersecurity diligence for M&A, West Monroe Partners surveyed top-level corporate executives and private equity partners, delving into their top concerns, the most common types of problems they uncover and their ideas about how the process can be improved.
The survey results are clear: dealmakers are getting the message. Eighty percent said cybersecurity issues at target companies were a highly important component of due diligence, while a similar percentage (77%) said the importance of data security issues at targets had increased significantly over the last two years. This growing focus on cybersecurity is hardly surprising. With the average cost of a data breach in 2015 estimated at US$3.79m according to a study by IBM, buyers can't afford to take on that level of financial risk.
Nevertheless conducting cybersecurity due diligence is about more than simply determining whether to close a deal. While this was the primary reason for a third (33%) of respondents, nearly half (47%) said their main reason was to plan fixes for the problems they uncovered. An additional 20% said they used the process to negotiate down the purchase price.
Proper cybersecurity due diligence needs to examine the full range of risks, including breach history, specific data threats, problems for integration and the cost of potential fixes. We asked respondents to identify the top three most common types of cybersecurity issues they uncovered at a deal targets in the course of their due diligence. Most responses fell into these three categories:
Compliance: More than two-thirds (70%) of respondents pointed to compliance as one of the most common problems they ran into during diligence. The problem seems to be growing as privacy laws evolve around the world. In the United States alone, three federal agencies are responsible for policing data privacy: the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and the Consumer Financial Protection Bureau (CFPB). This, combined with the vast amounts of data within enterprise systems and the complexities of newer technologies, has made managing compliance a top concern.
Infrastructure: Respondents pointed to weaknesses in security infrastructure as another frequent problem uncovered at targets, including lack of a comprehensive data security architecture (40%), inadequate security on mobile devices (33%) and vulnerable local server storage (30%). A comprehensive analysis of a company's security architecture can provide a window into the robustness of its overall network security processes and procedures. The analysis needs to look beyond infrastructure, however. Application security, including internal access control, is also critical. Mobile security practices, such as the ability to remotely wipe phones or laptops, are becoming increasingly important as well.
Insider threats: Vulnerability to insider threats was cited by 37% of respondents as a common problem found at targets. Insider threats appear to be a mounting concern for businesses, and for good reason: A recent study by IT industry association CompTIA found that slightly more than half (52%) of breaches originate from employees—due to either malicious intent or carelessness.
According to the Identity Theft Resource Center, there were 781 US data breaches in 2015, a near record high. The growing prevalence of these breaches should serve as a warning to dealmakers everywhere that cybersecurity diligence is a must. Without a rigorous process to identify past breaches and potential vulnerabilities at target companies, their acquisition could end up costing them far more than the purchase price.
Read a full copy of our report Testing the Defenses: Cybersecurity Due Diligence in M&A.