Cyber Security: How is it Significant for Merger and Acquisitions

Shivani Jain
| Updated: Apr 15, 2020 | Category: SEBI Advisory

In the process of due diligence that precedes a merger or an acquisition, it is essential to take account of the target company’s strengths and assets, along with their weaknesses and liabilities. Among the several liabilities that the acquiring companies need to review and analysis, the most significant are the amount of financial debt, poor revenue streams, and any complex legal activities. One of the biggest liabilities that the acquiring companies need to ponder on is how well the target company copes its cybersecurity. Hence, the concept of cybersecurity has evolved as a key risk factor all through the process of due diligence of any merger and acquisition.

Nowadays, modern businesses rely profoundly on computer network systems and digital data. Hence, the quality of these systems often equates to the quality of operations. Further, all the companies must have plans to detect and identify cyber risks and also have a strong risk management plan in place. Furthermore, these plans offer a greater level of assurance to the acquiring company that the concerned target company has done its best in order to prevent a cyberattack.

Concept of Cyber Due Diligence

The Cyber Due Diligence is a process that discloses a variety of cyber-related strategic deal issues, operational risks and hidden costs before investing in a business. Further, the process of cyber due diligence affords new insights to detect bad debts, reducing risk to the investor’s capital, while offering deal teams a competitive advantage to enhance returns.

Further, executing deals without going through the process of Cyber Due Diligence puts unnecessary risk on the investment capital and future returns. However, still there many investors and fund managers who are unaware of the specific CyberRisks on Merger and Acquisitions and how they impact a broad range of business operating models, and not just the high-tech and data-heavy.

How significant is Cybersecurity in a Merger or Acquisition? 

The process of mergers and acquisitions ostensibly involves a deep breakdown of a company’s balance sheet, market share, and all other important organizational factors that can either make or break a deal. Together with the important organizational and financial metrics involved in these deals, there is one more metric that is now just as significant as financial metrics. The name of the said metrics is cybersecurity.

As we know that, when acquiring a company, the purchasing corporation is also acquiring the cybersecurity program and the cyber risks associated with that said company. Any unexpected cybersecurity issues appearing in the M&A process is not good for executives and all personnel involved in that said process. 

Further, as per the recent study conducted by the Forescout Technologies over 2,500business decision-makers and information technology, 53 per cent of personnel stated that critical cybersecurity issues or incidents easily jeopardized M&A deals.

Furthermore, according to a study conducted by ISC2 on 250 merger and acquisition experts, cybersecurity is a tangible asset of a company as the cybersecurity position of an acquisition target is one of the main concerns that are nowadays acquiring companies take into consideration when seeking to make an acquisition deal. Around 96 per cent of them said they consider a robust cybersecurity program to be a key factor in assessing the value of a concerned company. Also, less than half of those who answered the survey said that they had seen a merger or acquisition deal fall through due to cybersecurity issues. Moreover, according to a survey conducted in 2016 by the NYSE Governance services, companies that revealed a major vulnerability considered passing on the deal.

Nowadays, companies do have good reasons to be worried about cybersecurity protection. As around 52 per cent of those surveyed stated that the share price of a publicly-traded company dropped after it was acquired and later on experienced a data breach. For example- After the acquisition of Yahoo, two massive data breaches were discovered in the previous years, the acquiring company, Verizon, decreased the value of the acquisition by $350 million.

Further, all of the survey takers decided that during acquisition cybersecurity audits must be considered as a standard part of the due diligence process as the findings from the audit have a great pact of impact on the outcome of an acquisition.

Also, about 77 per cent of the experts stated that they would suggest one target acquisition over another only on the basis of the strength of their cybersecurity program. Also, a little over half of the experts said that they recognize a weak cybersecurity program to be a liability or obligation that would directly decrease the value of a company they saw for acquisition.

Experts of Merger and acquisition agrees that the presence of a cybersecurity program counts and the quality of the said program count even more as the companies that are eager to make a financial investment in human resources and technology would be more likely to be regarded as not being much of a liability.

Further, companies can take specific steps in order to maintain or increase their worth. These specific positive steps from which companies can substantiate their value may include security awareness training programs, good risk management policies and promoting a culture of cybersecurity. Hence, mature cybersecurity programs bring value to an acquisition deal.

Furthermore, during the course of an acquisition, the concerned acquiring company must be looking at how companies store and preserve their electronic information and also how they protect it. Moreover, the analysis of cybersecurity should include electronic records, cyber issues, and the infrastructure of the network. The reason behind this is that that the data serves as a pointer of the viability of the said company and it provides the buyers’ transparency and clarity into existing vulnerabilities and also signals them around the potential security problems. The findings from the said cybersecurity analysis can also be used to assess the company and its structure in a fair lucrative deal.

Hence, a proactive approach to cybersecurity is the way forward for companies looking to take benefit of future Merger and Acquisition activities.

Cyber Risks on Merger and Acquisitions

Every merger or acquisition comes with a great degree of risk. Hence, the professionals or the executives who work on mergers and acquisitions need to be as diligent as possible and must try to detect as many red flags as they can.

Further, there is always a chance that a deal of acquisition will uncover noteworthy cybersecurity weaknesses. Furthermore, one of the major concerns is that the target company may lead to vulnerabilities in the acquiring company and also set the stage to take the entire entity down.

Moreover, detecting issues is not yet an exact science, as there are many hidden dangers. Also, the individuals who work on merger and acquisition deals need to be aware of what hidden dangers or perils look like and how to spot them.

Approaching cyber risks can be invisible for long periods. Thus, spotting cybersecurity issues is less about problem-solving after a said incident has happened and more about being vigilant, watchful and proactive. There are possibilities that neither side could spot malware or some other security issue that would devalue a company before the ink dries on the final forms. By the time any problems get discovered, it could be entirely too late.

Further, mistakes in cybersecurity can cost both sides, and the cost might be quite high. For example, – A Target Companyfaced a data breach of the financial information of over 90 million of its customers. But by the end of the deal, the company had lost over $192 million. So, by taking over another enterprise where there has been significant cyber trouble, customers will distrust and disbelief the company, and it could considerably damage the company’s reputation. Therefore, when a company’s reputation has been damaged enough, it can create a situation in which there is a loss of revenue for everyone.


Whether your company is just a notion, or you are in the mid of conversations concerning acquisition right now. The concept of cybersecurity is and will always remain an integral facet of one company. Moreover, establishing and maintaining a cybersecurity program empowers a company to reduce cyber risks throughout its life together with when it matters most, during an acquisition. Hence, it is clear that the process of Merger and Acquisition process will include cybersecurity due diligence.


Related Articles

Company Share Certificate
Dashmeet Kaur
| Date: Mar 21, 2020 | Category: SEBI Advisory

How to Issue a Company Share Certificate?

After completing the incorporation process, Company gets registered under Companies Act, 2013 and issues its shares to raise capital. During allotment of Shares, a Company grants Share Certificate to its...

Read More
Dashmeet Kaur
| Date: Apr 08, 2020 | Category: SEBI Advisory

What is Bonus Share? Procedure to the issue of Bonus Shares

Have you ever wondered what a company does with its accumulated earnings or when its shares price goes up? Often it issues bonus shares to its existing shareholders based on...

Read More
Advantages of Public Issue
Savvy Midha
| Date: Oct 05, 2019 | Category: SEBI Advisory

Advantages and Disadvantages of Public Issue – A Complete Guide

Companies rely on various sources of funds to meet their financial needs for day to day expenses or to meet its working capital requirements. The fund required can be for...

Read More


Hi! My name is Akanksha! Let's talk.