Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
Security Leadership and ManagementCybersecurity News

Q&A: How Are Cyber Risks Changing Mergers & Acquisitions?

merger-enews
January 31, 2018

Following the discovery of two data breaches affecting more than 1 billion Yahoo Inc. users, Verizon Communications Inc. shaved $350 million off its original offer to acquire the company in 2017. The deal also included a liability sharing agreement, according to Reuters.

With companies’ reputations and futures becoming more inherently tied to their cybersecurity efforts, Security magazine connected with Kevin Richards, managing director of North American Security and global lead for Security Strategy and Risk at Accenture, to discuss the outcomes of negligent cybersecurity oversight during mergers and acquisitions, including unforeseen and costly integrations, unexpected liability and higher overall enterprise risks.

 

SECURITY: What are some of the potential risks an enterprise takes on if it neglects to include cybersecurity in its M&A vetting period?

Richards: If we consider the impact of recent, high-profile security breaches, companies have faced hundreds of millions of dollars in direct losses, material negative impact to their brand reputation and corresponding erosion to customer loyalty and trust.  A rushed or limited cybersecurity vetting process may miss exposures or key indicators of existing or prior breach. 

That is why it is critical to understand cybersecurity vulnerabilities, the damage that may occur in the event of a breach, and the effectiveness of the infrastructure that the target business has in place. An appropriate evaluation of these areas could significantly impact the value that the acquirer places on the target company and how the deal is structured. It is therefore imperative to perform a variety of risks and security assessments on the to-be-acquired entity.

 

SECURITY: What sort of vulnerabilities or challenges should enterprises specifically look for when reviewing cybersecurity in a potential acquisition?

Richards: No organization is immune from cyberattacks, and virtually all have been breached at some point. In this cyber threat landscape, the focus on cybersecurity will continue to intensify in the negotiation phase of M&A transactions for companies of all sizes. Myriad exposures can be often overlooked in a common due diligence exercise.  These can include the following:

  • Undisclosed or under-reported prior data breaches
  • Unknown, unassessed or under-assessed third-party relationships
  • Active, yet unidentified malware infiltration of the current enterprise
  • Unknown disclosure of intellectual property or trade secrets
  • Differing technical capabilities between the organizations which could lead to unexpected integration costs, increased technology training and support costs, and/or technologically “weak” spots in the cybersecurity protection capabilities

 

SECURITY: How does this impact an enterprise’s liability?

Richards: When a buyer is acquiring a company, they are gaining all of the seller’s data or digital assets such as customer data and business plans.  They are also, unless specifically excluded, inheriting third-party relationships with service level expectations, customer privacy covenants and regulatory compliance requirements.

Each of these could carry financial and reputation exposures.

 

SECURITY: Do these threats extend to supply chain cybersecurity risk management?

Richards: Organizations should look at the supply chain of acquisition targets with the same lens that they should look at themselves. With the rise of cloud computing and strategic outsourced relationships, growing portions of critical business functions are being provided by third-parties.  Companies should stress-test their own security and should expect and require their suppliers to do the same – move beyond simple vulnerability scanning and truly pressure test their cybersecurity capabilities with Adversary Simulation (Red Team) as well as invest in emerging security technologies to outmaneuver their attackers.

 

SECURITY: What steps should companies take to complete due diligence when researching an M&A option?

Richards: As part of M&A due diligence, cybersecurity has been traditionally under emphasized – focusing more on the technical and tactical implementation of connecting the merging organization’s infrastructures and a review of recent security audit reports

There are a few foundational steps that can be taken to better inform business leaders:

  1. Allow more time to perform cybersecurity activities within the due diligence exercise.
  2. Perform an independent cybersecurity assessment and penetration test of the target environment to better understand its current capabilities.
  3. Review the inventory of the cybersecurity products and technologies to understand organizational technology differences and to inform the integration budget process and “Day 1” activities.
  4. Review the third-party relationship inventory, data sharing agreements and corresponding risk assessments.
  5. Perform a “Dark Web” style investigation to determine if key assets, intellectual property involved in the acquisition, user information or key credentials are already inadvertently disclosed.  Also, use this effort to attempt to identify potential infiltration to the target enterprise (for example, botnets).
  6. Research breach databases for recent disclosures.
  7. If applicable, review past breaches with an emphasis on remediation activity progress, as well as reviewing any ongoing obligations to any affected parties.

 

SECURITY: With whom should a security executive work, internally or externally, to get a better picture of the other company?

Richards: With respect to attempting to assess the financial risk of an acquisition or merger, there are a number of base metrics that have historically been used to help model the potential return on investment (ROI) and overall financial risk.  Unfortunately, with regard to technology and cyber risk, there has been no standard framework or approach.

In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that "cybersecurity at our organization is a board-level concern and supported by our highest-level executives."

The CEO and corporate board of director members need to better understand this emerging risk area.   With proper engagement, CISOs can provide a significant benefit to the overall M&A due diligence process by helping characterize cyber risk within a transaction. 

KEYWORDS: cyber risk management data breach third-party security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cybersecurity
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Pills spilled

More than 20,000 sensitive medical records exposed

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

White post office truck

Department of Labor Sues USPS Over Texas Whistleblower Termination

Internal computer parts

Critical Software Vulnerabilities Rose 37% in 2024

2025 Security Benchmark banner

Events

September 29, 2025

Global Security Exchange (GSX)

 

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Cybersecurity Leadership Images

    Q&A: How Can SMBs Keep Up with Cybersecurity Risks?

    See More
  • SEC1218-career-Feat-slide1_900px

    Career Survival: Mergers & Acquisitions

    See More
  • computer

    How to mitigate critical cyber risks in a post-COVID-19 environment

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

  • 9780128147948.jpg

    Effective Security Management, 7th Edition

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing