By Colin O’Donnell 
M&A Director 

[email protected] 

o.216-573-6000 x 8100 

Conducting due diligence of a potential acquisition is essential. But even the most experienced teams can neglect executing a proper assessment of a company’s most essential components: data protection and cybersecurity. A company’s cybersecurity profile is one of the core indicators of its value and every bit as crucial as its financial profile. According to IBM’s 2022 Cost of a Data Breach report, 83 percent of companies worldwide have experienced at least one data breach. U.S.-based companies tend to lose the most money from data breaches, an average of $9.44 million per incident compared with the global average of $4.35 million.  

The IBM study reports that stolen or compromised credentials are the most common cause of a data breach and take the longest time to identify—327 days. In other words, it takes almost a year after a data breach occurs for anyone inside the company to become aware of it. Cybercriminals can go undetected and take control of trade secrets, customers’ personal data, and information about vendors and employees. They can then insert ransomware, viruses, worms, or other malware into the system to cripple business operations. 

Here are the top ways cybercriminals gain access to a company’s data: 

• Phishing attacks, where employees receive email messages, phone calls, or text messages from impostors asking for information that opens the way for a virus or malware
• Vulnerabilities in third-party software or the company’s email system
• Stolen or compromised employee credentials
• Inside jobs carried out by employees or contractors, either deliberately or through negligence

Companies can guard against each of these scenarios. Any company looking to be acquired should create both a plan for addressing these vulnerabilities and a plan for addressing breaches that do occur. 


How to protect against data breaches

1. Cybersecurity Risk Analysis 

Before you begin to consider acquiring a company, you should have a team in place to define a clear process for hiring and using security experts. The process is too important to be handled solely by the Chief Data Officer (CDO) and in-house IT staff. Ideally, the CDO should collaborate with a cybersecurity consulting firm.  


2. Conduct a Risk Profile of the Acquisition Target 

The risk analysis of a prospective acquisition should start by assessing the target business’s IT infrastructure and its technology interfaces with third parties. Industry matters as well: knowledge-based industries (pharmaceuticals, health biotech, telecommunications, information technology, software, medical equipment, and avionics) tend to lose the most money from breaches.

3. Conduct a Social Media Analysis of the Target Company’s Website and Employee Accounts 

A company’s individual employees can inadvertently become targets for hackers, malware, and other cybercrime through their non-work-related internet habits. This often happens off-site, when an employee uses a home computer without proper protection. Even with multi-factor authentication in place, hackers are constantly devising ways to get around security.

Potential buyers should look at what control procedures the target company has in place for employee vulnerabilities, and assess risks from part-time vendors or contractors as well. As the saying goes, a chain is only as strong as its weakest link.  

When a major movie studio was preparing for the release of a multi-million-dollar superhero movie a few years ago, hackers broke into the IT systems of the small post-production editing company that had been hired to finalize the sound, threatening to upload the movie to the web unless they were paid a large sum of money. A subsequent investigation showed that the editing company’s cybersecurity system was out of date. The hacker had found the vulnerability by scouring the dark web for all business entities connected with the upcoming movie.

4. Understand the Company’s Risk Profile 

Certain industries (such as biotech) are inherently high-risk cybercrime targets and should be expected to have the most elaborate protection in place. The committee conducting due diligence for an acquisition should assess the business’s risk profile by asking to see the results of the target company’s most comprehensive information-security risk assessment, and by finding out what steps were taken to reduce the risks that assessment uncovered.

5. Consider Legal Requirements 

The prospective buyer’s due-diligence team should understand what regulations the target company is required to follow, and which officer is responsible for dealing with regulatory bodies. It should also find out what security certifications or attestations the company is required to maintain. 

Find out if the organization has paid any federal fines, if it is under a current FTC consent order for security breaches, or if it has received warnings or fines from any other regulatory body. Ask about any new cybersecurity laws and regulations that may be coming into effect in the near future. 

Of course, all these steps are equally necessary for any company hoping to merge with or be absorbed into another. Even if there are no current plans for M&A, an up-to-date cybersecurity program is an essential part of a company’s business continuity plan. 


Cybersecurity is Constantly Evolving 

The field of cybersecurity is evolving as fast as cybercrime, which becomes more innovative and sophisticated every day. To protect itself, any company with substantial assets needs to implement and continually update cybersecurity protection criteria for its acquisition targets that are every bit as painstaking as its financial criteria.  

Colin O’Donnell is Director of Mergers & Acquisitions for Gertsburg Licata Acquisitions. He can be reached at [email protected] or (216) 573-6000 x 8100.
