M&A Security: Evaluating Risks before the Deal | GBAF

M&A Security: Evaluating Risks before the Deal | GBAF

Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Top Stories > THE ROLE OF CYBERSECURITY DUE DILIGENCE AS AN M&A PRIORITY

THE ROLE OF CYBERSECURITY DUE DILIGENCE AS AN M&A PRIORITY

Published by Gbaf News

Posted on August 30, 2016

Last updated: January 13, 2026

THE ROLE OF CYBERSECURITY DUE DILIGENCE AS AN M&A PRIORITY - Top Stories news and analysis from Global Banking & Finance Review

By Shawn Henry, CSO CrowdStrike

Last year alone, M&A activity reached fever pitch, with the global market valued at over $4 trillion – its highest since 2007. If 2016 follows suit, we’re looking at over 18,000 M&A events to occur this year, many of which may be “megadeals” exceeding $50B. Furthermore, it’s not just the global market that is booming, with the UK tipped as the top European target for inbound deals from emerging markets.

With this market opportunity reaching staggering heights, no company can afford to take on a partner organisation without exploring all the areas of risk involved. This involves much more than just the traditional financial calculations. Whether it’s a large company acquiring a niche business that sits outside of current client offerings, or a smaller company partnering with another organisation to expand its footprint, businesses must prioritise security.

When organisations make an acquisition, they are essentially investing in the intellectual property and R&D of the proposed partner organisation. Typically, there are few individuals on the buyer side who truly understand the network systems they’re about to purchase, which contain valuable IP. The integrity of this data must be assessed prior to an acquisition – and the team assessing it must be able to provide a level of scrutiny that ensures all areas are fully evaluated, diagnosed and proven secure. Currently this isn’t a process that is routinely adhered to because companies lack clarity on what exactly they should be looking for, prior to a deal being finalised.

It’s like buying a first home – typically the biggest personal investment an individual ever makes. When you are house hunting, you don’t do it without some kind of guidance from an estate agent or a property manager who asks the important questions. M&A activity is no different, as it involves a significant business investment. You wouldn’t make a home purchase without an inspection or without the guidance of a reputable source, so why would you accept less vigilance when it comes to your business? Being able to fully vet a target company’s systems, data, and environment in order to assess and protect the valuable assets being acquired is essential.

Determining a partner’s security profile begins with knowing what questions to ask. For starters, are there any vulnerabilities in the partner organisation that could be exploited to access your systems? And, how secure will the data be during the integration process? Has their network been compromised before and what are the security risks posed by merging both environments? Ultimately the assessment a business undertakes prior to any activity should aim to determine whether an organisation has the same level of security controls in place and meets their existing standards, even without absorbing their technological resources.

Working with a third party throughout this process can help businesses to explore these critical security questions and prevent the introduction of any unnecessary risk. This involves undertaking a comprehensive assessment to identify the gaps in security posture, examine security documentation, review IT processes, and conduct interviews with key staff to understand where cyber security falls on their list of priorities. By doing so, the business can paint a full picture of what’s being acquired, the intrusion detection controls in place and the current employee mindset on security. It also helps to determine what precautionary technical measures the business should take in terms of network-based monitoring for example, which helps provide visibility into potentially malicious traffic entering and exiting the networks.

Ultimately, the nominal cost of being proactive and predictive about security saves significant time and money in the long run. It’s always harder and more expensive to react to something than preventing it from happening in the first place. The best protection method is having a team on hand to provide recommendations on how to prioritise resources based on the actual risk, create an implementation plan of effective detection measures, and have a comprehensive security strategy to actually prevent damage.

By Shawn Henry, CSO CrowdStrike

Last year alone, M&A activity reached fever pitch, with the global market valued at over $4 trillion – its highest since 2007. If 2016 follows suit, we’re looking at over 18,000 M&A events to occur this year, many of which may be “megadeals” exceeding $50B. Furthermore, it’s not just the global market that is booming, with the UK tipped as the top European target for inbound deals from emerging markets.

With this market opportunity reaching staggering heights, no company can afford to take on a partner organisation without exploring all the areas of risk involved. This involves much more than just the traditional financial calculations. Whether it’s a large company acquiring a niche business that sits outside of current client offerings, or a smaller company partnering with another organisation to expand its footprint, businesses must prioritise security.

When organisations make an acquisition, they are essentially investing in the intellectual property and R&D of the proposed partner organisation. Typically, there are few individuals on the buyer side who truly understand the network systems they’re about to purchase, which contain valuable IP. The integrity of this data must be assessed prior to an acquisition – and the team assessing it must be able to provide a level of scrutiny that ensures all areas are fully evaluated, diagnosed and proven secure. Currently this isn’t a process that is routinely adhered to because companies lack clarity on what exactly they should be looking for, prior to a deal being finalised.

It’s like buying a first home – typically the biggest personal investment an individual ever makes. When you are house hunting, you don’t do it without some kind of guidance from an estate agent or a property manager who asks the important questions. M&A activity is no different, as it involves a significant business investment. You wouldn’t make a home purchase without an inspection or without the guidance of a reputable source, so why would you accept less vigilance when it comes to your business? Being able to fully vet a target company’s systems, data, and environment in order to assess and protect the valuable assets being acquired is essential.

Determining a partner’s security profile begins with knowing what questions to ask. For starters, are there any vulnerabilities in the partner organisation that could be exploited to access your systems? And, how secure will the data be during the integration process? Has their network been compromised before and what are the security risks posed by merging both environments? Ultimately the assessment a business undertakes prior to any activity should aim to determine whether an organisation has the same level of security controls in place and meets their existing standards, even without absorbing their technological resources.

Working with a third party throughout this process can help businesses to explore these critical security questions and prevent the introduction of any unnecessary risk. This involves undertaking a comprehensive assessment to identify the gaps in security posture, examine security documentation, review IT processes, and conduct interviews with key staff to understand where cyber security falls on their list of priorities. By doing so, the business can paint a full picture of what’s being acquired, the intrusion detection controls in place and the current employee mindset on security. It also helps to determine what precautionary technical measures the business should take in terms of network-based monitoring for example, which helps provide visibility into potentially malicious traffic entering and exiting the networks.

Ultimately, the nominal cost of being proactive and predictive about security saves significant time and money in the long run. It’s always harder and more expensive to react to something than preventing it from happening in the first place. The best protection method is having a team on hand to provide recommendations on how to prioritise resources based on the actual risk, create an implementation plan of effective detection measures, and have a comprehensive security strategy to actually prevent damage.