Even though cybersecurity considerations have become part of the mergers and acquisitions (M&A) process, data breaches remain commonplace at acquired companies, raising suspicions that cybersecurity doesn’t get as much attention as it should, according to a recent TechCrunch article.
“The fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats,” the article says.
The author makes it a point to mention that “past or potential cyber threats are no longer ignored in the due diligence process,” but stresses that pressures associated with the M&A process result in overlooking cybersecurity concerns. Buyers typically are given three to six weeks to decide whether to bid on a company, leaving them little time to consider cybersecurity issues.
Instead, acquirers tend to focus on more traditional due diligence considerations such as valuation, accounting practices, debt and synergies between the acquiring and selling company.
These are all important factors, of course, but neglecting a company’s cybersecurity practices can have serious consequences. If weak cybersecurity practices surface after an M&A deal is completed, the acquiring company is likely to end up owning the liability for any potential breaches.
It Matters
The TechCrunch article argues for the inclusion of cybersecurity, and we may already be seeing this trend in the right direction. (ISC)² conducted a study in 2019 showing that security considerations have indeed become a major influencer in M&A deals.
