Merger and acquisitions due diligence reveals cybersecurity risks

The study found 70% of acquisition targets had compliance issues and nearly half lacked comprehensive data security architectures.

Audits had revealed an abundance of security issues when companies were closely examined by potential acquirers: fully 37% of respondents said they had seen targets prove to be vulnerable to insider threats, with 27% lacking a data-security team and 17% having weak employee password policies.

A third of respondents said they had previously found inadequate mobile security at target companies, while 30% had found problems with local server storage and 20% had issues with vulnerable cloud storage.

Such findings can often have a material impact on the terms of an acquisition, with 20% of respondents saying they would use such findings to negotiate better terms including a lower purchase price.

Reflecting this expanded focus, some 77% of survey respondents said that the importance of security of data at M&A targets had increased dramatically over the past two years. Some 47% of respondents said they used due-diligence findings to start planning for fixes to the problems they identified.

The cost of correcting existing problems after a merger was the most frequently-cited concern about cybersecurity issues, nominated by half of respondents. This compared with 43% who were concerned about potential complications for post-merger integration; 37% worried about frequent or recent data breaches; 37% worried about threats to customer data; and 33% worried about threats to business data.

Respondents flagged a lack of cybersecurity staff as a key issue during M&A deals, with 32% saying not enough qualified staff had been involved in the due-diligence process during recent deals. This had often increased the cost of getting a newly acquired company up to speed, particularly since acquirers inherited both the infrastructure and the risks and potential penalties that would be incurred from an unforeseen security vulnerability.