Forescout's report, "The Role of Cybersecurity in M&A Diligence," reveals the results of its survey of nearly 2,800 IT and business decision-makers at companies worldwide (17% US | 17% UK) who are involved in or have knowledge of their companies' M&A strategy, on how their companies are approaching cyber risk in their M&A activities.
Among the many noteworthy findings that should inform companies' consideration of cyber in their M&A strategies:
- 53% of respondents reported that their organization had encountered a critical cybersecurity issue or incident during an M&A deal that put the deal in jeopardy.
- 65% of respondents said their companies experienced regrets in doing a deal due to cybersecurity concerns.
- 81% of respondents (84% US) agreed they are putting more of a focus on an M&A target’s cybersecurity posture than in the past.
- Only 36% of respondents strongly agreed that their IT team is given time to review a target company’s cybersecurity standards, processes, and protocols before the acquisition.
- Only 37% of IT decision-makers strongly agreed that their IT team has the skills necessary to conduct a cybersecurity assessment for any given acquisition.
- 73% of respondents agreed that a target company with an undisclosed data breach is an immediate deal-breaker in their company’s M&A strategy.
Forescout's release emphasizes that, among other things, the findings show that company practices vary significantly as to when cyber risks are first considered and the duration of that assessment in relation to a particular transaction, prompting this guidance:
It is absolutely critical that the assessment of a target company’s cyber posture and the evaluation of potential vulnerabilities start from the very beginning of the M&A process and continue through integration and post-integration. It’s important to remember that even if the initial evaluation does not find any significant cyber risks, the target company will continue to operate—with current employees, customers, vendors and the connected world at large—throughout the M&A process. And, at any point, the target company’s assets and devices could become vulnerable.
The informative report includes numerous sound recommendations for managing cyber risks in the M&A context.
See also White & Williams' "Cybersecurity and Legal Due Diligence Considerations in M&A Transactions," "Cybersecurity Concerns Becoming a Bigger Part of M&A Due Diligence, Survey Shows" from Corporate Counsel, and additional resources on this topic under M&A on our Cybersecurity/Data Privacy page. This post first appeared in the weekly Society Alert!