Cybersecurity Risks in M&A Due Diligence | GBAF | GBAF

Cybersecurity Risks in M&A Due Diligence | GBAF | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > IS YOUR M&A DEAL GIVING MORE THAN YOU BARGAINED FOR?

IS YOUR M&A DEAL GIVING MORE THAN YOU BARGAINED FOR?

Published by Gbaf News

Posted on January 30, 2016

4 min read

Last updated: January 22, 2026

CFO analyzing financial data for a quicker month-end close - Global Banking & Finance Review — An insightful image of a CFO reviewing financial reports, highlighting the importance of efficiency in the financial close process. This ties directly to the article's focus on steps to improve financial reporting timelines.

Ben Harknett, VP EMEA, RiskIQ

Ben Harknett

Ben Harknett

Over $4 trillion worth of M&A deals were made worldwide in 2015 according to Dealogic, making it the highest year for deal values since 2007. Due diligence plays a huge part in making these deals happen, but with digital channels (web, mobile and social) experiencing a boom in business use, the current due diligence process needs to expand in scope to adequately factor in cybersecurity risk. Failure to do so could lead to unforeseen consequences in both the M&A process and the integration that follows.

All down to digital?

A secure and resilient digital presence is a key requirement for high performing organisations across a range of industries. Digital channels have overtaken the traditional “human interaction” channels in many organisations to become a critical dependency. When evaluating a target company from an M&A standpoint, the failure to adequately evaluate the cyber security risks inherent in the digital channels of both parties can present a potential threat to both operations and brand reputation.

However, all too often digital channels have not been factored in to the due diligence process as these IT engagements have instead focused only on identifying material assets in the valuation process, such as business processing and reporting systems and the hardware and networks that supported them.

As business and consumers have both moved outside the perimeter and onto the open internet, it’s now vital that assets residing outside the firewall are accounted for and reviewed in order to get a full understanding of a company’s digital attack surface.

Going beyond standard due diligence

There are a number of common reasons why organisations are not getting the full picture of cyber risks as part of due diligence:

The first is sheer scale of the digital presence of the company being acquired. It is not uncommon for a large organisation to have thousands or tens of thousands of active websites and other publically exposed assets. While IT and Security teams in the “to-be-acquired” company will have an asset register of websites, it’s almost always a partial view of what really exists. The more decentralised an organisation’s IT activities are the bigger the delta which can exist.
Time is another contributing factor. In most cases there is an urgency to complete the acquisition before the value materially changes. Cyber security audits can take a long time as auditors try to build up an accurate picture based on incomplete and out of data information.
Acquiring organisations have been slow to move their own security programs “outside the firewall”, instead focusing on the more traditional security disciplines. In this case the cyber security posture of their own organisation is not accurately known, let alone the cyber security posture of the target company.

While these can be valid reasons they must be weighed up against possible consequences. A successful cyber attack could have a material impact on the value of a company in the short to mid-term. In addition to reputational damage, new EU data protection laws have introduced the provision for fines or 2-5% of global revenues for loss of customer data, which again can materially impact the value of an organisation with less than adequate security defences. From a nation state perspective an undetected “back door” planted in the target company’s network could result in intellectual property theft once the two networks are connected.

In the case of acquisitions involving part of an organisation, for instance a line of business, it is essential to identify and document the assets being transferred, which also include digital properties such as brand assets, domains and social accounts. Without a thorough understanding of what currently exists, critical digital assets may be missed resulting in ownership and security issues later on.

The M&A aftermath

With no signs of the headline hitting data breaches stopping anytime soon, organisations in M&A deals need to make sure they are more cyber savvy about evaluating all of the potential cyber risks if they want to get the best deal possible. However, a good understanding of cyber risks is not only needed for the due diligence process, it should also be a key requirement in successfully managing the risks once the transaction is complete. As responsibility for the security of acquired digital assets transfers to the acquiring company, then work begins to bring those assets under management as part of the corporate security programme without risking a costly compromise.