Mergers and acquisitions give organizations the potential to increase capabilities, diversify offerings and expand market share, but they also present considerable risks. And while companies usually review financial, strategic, legal and operational details before completing an M&A transaction, another important concern is often overlooked: cybersecurity.

When organizations don’t complete a detailed cyber evaluation of target companies before a merger or acquisition, it creates an unnecessary risk – one that can result in significant financial and legal challenges. A data breach could not only threaten a company’s business assets and functions, but also could lower its profits, market value and brand reputation.

Why is cybersecurity due diligence important?

Conducting cybersecurity due diligence before a merger or acquisition helps companies accurately assess risk before taking on liability, as well as identify any issues that might warrant restructuring the agreement.

Before integrating its network with a target company’s, an organization should identify the IT assets, systems, software, websites and applications, whether proprietary or third party, and how that company’s data or personal information (PI) is stored or processed.

Additionally, for businesses to collect, store or process non-U.S. workforce, customer or consumer data, it is important to understand if that data is generated by, stored in, or exported to personnel or servers located in other countries or U.S. jurisdictions. This data may be subject to multiple jurisdictions’ laws, and other regulations might govern whether and how data can be transferred across borders post-merger.

Cybersecurity due diligence: key questions and considerations

From networks and systems to cyber evaluation to data incidents, there are many considerations that should be part of an acquiring company’s due diligence. The following questions may prove helpful in examining these complex issues.

Networks and systems

• Can documentation or information be provided about the target company’s network and system architecture and data flows, including the use of cloud providers and third-party applications?
• Do any of the target company’s systems store any information that can be connected to a specific person? What about sensitive personal information such as social security and driver’s license numbers, credit/debit card information, health details, and usernames/passwords?
• If yes, what security controls are in place to protect this information (e.g., multi-factor authentication or access controls)?
• Does the target company have an on-premise server or use cloud storage for sensitive personal information? Are these servers (whether onsite or off) owned and operated by the target company itself and its employees, or are they contracted from third party service providers? If the latter, what are the service providers’ answers to these questions?
• Does the target company use any legacy applications or providers for critical functions that are subject to long-term contracts or that would be difficult to port to an alternative platform?

Cybersecurity

• What types of privacy/cybersecurity risks does the target company face given its industry sector, considering the geographic reach and the nature of the products or services that it manufactures, develops or provides?
• Has the target company conducted any privacy impact assessments, vulnerability scans, penetration tests or SOC audits in the last 24 months?
• Has the target company experienced any cybersecurity events, including data breaches or ransomware attacks? If so, how did it respond?
• Does the target company have any internal reports on cybersecurity events, reports from external forensics or law firms, or any other evaluation, impact assessment or questionnaire?
• Does the target company have a written information security program/policy, business continuity plan or incident response plan? 
• What kinds of educational and/or training programs does the target company have in place to educate its workforce about the importance of cybersecurity and improve its resistance to cyber incidents?

Data incidents and complaints

• Have there been any incidents of unauthorized access to or misuse, modification, exfiltration or disruption of the target company’s information systems or proprietary technology systems, including any data stored on those systems?
• If so, have these matters been remediated?
• Has the target company assessed its data breach notification obligations?
• Has the company ever reported a data privacy incident to any regulator, governmental agency or other third party?

Although these considerations can be time-consuming, it’s important that businesses complete their cybersecurity due diligence before any merger exists. Cyberattacks continue to increase in frequency and severity, and a data breach can be devastating to any organization.

To help businesses of all sizes stay prepared, CNA offers a market-leading suite of cyber insurance products and risk control resources. Our Underwriting and Risk Control professionals offer tailored, industry-specific coverages and provide the tools and resources needed to help understand exposures and address potential losses.

For more information, visit our Cyber Insurance page.