Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Business > Why Cyber Security Due Diligence is Essential to M&A Success

Why Cyber Security Due Diligence is Essential to M&A Success

Published by linker 5

Posted on July 3, 2020

4 min read

Last updated: January 21, 2026

Man researching cybersecurity measures on laptop, emphasizing M&A due diligence - Global Banking & Finance Review — A man is focused on his laptop, analyzing cybersecurity strategies crucial for mergers and acquisitions. This image highlights the importance of cybersecurity due diligence in M&A processes, a key topic in the article.

By Anurag Kahol, CTO, Bitglass

Mergers and acquisitions (M&As) are a significant driver of business activity, with over $4 trillion of deals taking place in 2019, according to data from Dealogic. They can offer firms a range of significant opportunities, ranging from accelerating growth, competitive advantage – or increasingly – to acquire technology.

Despite the impact of current pandemic, M&A momentum appears relatively undiminished, with a recent survey suggesting that 86% of senior M&A decision-makers across a variety of sectors expect M&A activity to increase in their region in 2020 – with 50% expecting to do more deals if a downturn arrives.

Central to the process is due diligence, where the primary focus is on finance, legal, business operations, and human resources functions and data. However, as pointed out by Deloitte in its ‘2020 M&A Trends Report’, “. . . some regulatory issues are growing more prominent in M&A, such as data privacy. The bar continues to rise for the level of care that companies must take to protect personal and financial information.”

As Deloitte also points out, the risks presented by cybersecurity weaknesses are relevant to the M&A due diligence and process: “A target company may bring a cybersecurity weakness into the organisation, or a transaction that involves layoffs or other workforce changes may create data security risks.”

The 2016 acquisition of Starwood Hotels & Resorts by Marriott illustrates the potential impact of a cybersecurity due diligence failure. The deal, which created one of the world’s largest hotel groups went through with Marriott unaware that Starwood’s systems had been compromised back in 2014. When Marriott finally uncovered the undetected breach of Starwood’s guest reservations database in November 2018, it discovered that personal data of 500 million customers worldwide had been stolen.

The fallout was significant, with the UK Information Commissioner’s Office (ICO) handed Marriott International a GDPR penalty of £99 million, noting in its report that Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems”.

Conducting cyber diligence

Today, organisations of every size and scale are increasingly reliant on technology, with cloud-based tools, IoT, and digital connectivity services to conduct business, take payments, and enable their operations all playing a daily role.

Undertaking a detailed cybersecurity audit and evaluation, therefore, is critical for revealing any critical weaknesses that could derail a deal or cause significant issues later on. This is a key first step for understanding what data has been collected, how and where it is stored, and how long it is kept before being disposed of. It should also provide insights into any potential regulations, laws and obligations that will apply.

Conducting a review of all internal and external cybersecurity assessments and audits will also help to uncover potential weaknesses in an acquisition target’s cybersecurity systems and evidence of undisclosed data breaches.

Having established what data needs protecting and where it is stored, it’s important to understand who has access to the data, how it’s used, and what devices are being used for access.

Without this information, it will be difficult to maintain an appropriate security posture post-acquisition.

Moreover, a detailed evaluation of all IT systems and network endpoints in the target enterprise will enable the M&A team to more effectively operationalise the environment, post-M&A. In particular, it enables both entities to combine and integrate their IT systems and processes, including both IT organisations. In doing so, both parties can address risks such as insider threats, compliance, and any potential external infiltration risk points that could impact ongoing data management and protection strategies.

For example, if a user with administrative access makes requests for data on a database containing customer information, the acquiring firm must address that concern, including a review of all security-related policies within both organisations.

This helps inform the subsequent integration strategy and minimise the risk of introducing new vulnerabilities as platforms, solutions, and services are brought together. Effective cybersecurity integration should also be looking at security policies such as data encryption – across all applications, data lakes and beyond – real-time data loss prevention, user access controls and continuous monitoring to gain full visibility into both user activity and applications.

Holistic protection

Conducting detailed cybersecurity due diligence reviews during the M&A process will not only enable an organisation to fully understand the cyber risk potential of a target entity, it will also provide critical information about how the security strategies of the two organisations differ.

It’s inevitable that combining people, systems, and processes will open up new security risks and vulnerabilities. But if organisations can successfully manage information security in the extended environment, they can not only meet their due diligence obligations, but also ensure that organisational integration is on a firmer footing from day one.