Cybersecurity is one of the top five business risks identified by major corporates. A recent survey on cybersecurity indicated that 78 percent of respondents thought that cybersecurity was not analyzed in any detail in their deals.


As corporate boards and executive management get more involved in understanding their own company’s cybersecurity posture, it only makes good sense that they would want to know similar information about an acquisition target. Most companies depend on digital assets, whether in the form of customer data, trade secrets or business plans. Those assets are not only vulnerable to theft or destruction, they also may trigger complicated and evolving cybersecurity and privacy mandates from a variety of regulators in the United States and abroad.

Cybercrime has emerged as one of the foremost threats a company faces. As a result of a few keystrokes, a company may find its customers’ data sold on the dark web, its intellectual property in the hands of a competitor, or its operations paralyzed by ransomware.

Thus, cybersecurity due diligence is quickly becoming – and should be – an important aspect of any M&A transaction. 


Cyber ONLY SMALL.png

Cybersecurity due diligence can vary based on the target acquisition. Type and breadth of checks will depend on the transaction timing as well as the target company’s industry, the value of its digital assets, its regulatory environment and its cyber risk profile.

We assist firms with quickly and efficiently assessing the following key areas of any target acquisition:

Prior breaches – identify information on any known breaches, whether public or not

Audit and Compliance Records – review all that apply for industry and government regulations

Privacy and Data Policies – assess programs and procedures in place for all means of processing data and communication used by the company

Third Party Relationships – does company review compliance of its outside vendors/relationships?

Physical IT - review physical security of the computing infrastructure

Sensitive Data - identification of all critical or sensitive data, including protected classes of data, where it is located and how it is protected

Social Media – review of company use, presence and policies

Benchmarking – within same industry and those with proven cyber security posture