Ben Harknett, VP EMEA, RiskIQ

Over $4 trillion worth of M&A deals were made worldwide in 2015 according to Dealogic, making it the highest year for deal values since 2007. Due diligence plays a huge part in making these deals happen, but with digital channels (web, mobile and social) experiencing a boom in business use, the current due diligence process needs to expand in scope to adequately factor in cybersecurity risk. Failure to do so could lead to unforeseen consequences in both the M&A process and the integration that follows.

All down to digital?

A secure and resilient digital presence is a key requirement for high performing organisations across a range of industries. Digital channels have overtaken the traditional “human interaction” channels in many organisations to become a critical dependency. When evaluating a target company from an M&A standpoint, the failure to adequately evaluate the cyber security risks inherent in the digital channels of both parties can present a potential threat to both operations and brand reputation.

However, all too often digital channels have not been factored into the due diligence process, because these IT engagements have focused only on identifying material assets for the valuation process, such as business processing and reporting systems and the hardware and networks that support them.

As businesses and consumers have both moved outside the perimeter and onto the open internet, it’s now vital that assets residing outside the firewall are accounted for and reviewed in order to get a full understanding of a company’s digital attack surface.

Going beyond standard due diligence

There are a number of common reasons why organisations are not getting the full picture of cyber risks as part of due diligence:

  • The first is the sheer scale of the digital presence of the company being acquired. It is not uncommon for a large organisation to have thousands or tens of thousands of active websites and other publicly exposed assets. While IT and Security teams in the “to-be-acquired” company will have an asset register of websites, it’s almost always a partial view of what really exists. The more decentralised an organisation’s IT activities are, the bigger the delta that can exist between the register and reality.
  • Time is another contributing factor. In most cases there is an urgency to complete the acquisition before the value materially changes. Cyber security audits can take a long time as auditors try to build up an accurate picture based on incomplete and out-of-date information.
  • Acquiring organisations have been slow to move their own security programs “outside the firewall”, instead focusing on the more traditional security disciplines. In this case the cyber security posture of their own organisation is not accurately known, let alone the cyber security posture of the target company.

While these can be valid reasons, they must be weighed up against the possible consequences. A successful cyber attack could have a material impact on the value of a company in the short to mid-term. In addition to reputational damage, new EU data protection laws have introduced the provision for fines of 2-5% of global revenues for loss of customer data, which again can materially impact the value of an organisation with less than adequate security defences. From a nation state perspective, an undetected “back door” planted in the target company’s network could result in intellectual property theft once the two networks are connected.

In the case of acquisitions involving part of an organisation, for instance a line of business, it is essential to identify and document the assets being transferred, which also include digital properties such as brand assets, domains and social accounts. Without a thorough understanding of what currently exists, critical digital assets may be missed, resulting in ownership and security issues later on.

The M&A aftermath

With no signs of the headline-hitting data breaches stopping anytime soon, organisations in M&A deals need to make sure they are more cyber savvy about evaluating all of the potential cyber risks if they want to get the best deal possible. However, a good understanding of cyber risks is not only needed for the due diligence process; it should also be a key requirement in successfully managing the risks once the transaction is complete. As responsibility for the security of acquired digital assets transfers to the acquiring company, work begins to bring those assets under management as part of the corporate security programme without risking a costly compromise.