louayghashash

The Role of Cyber Security in M&A Process

Executive Summary

While Mergers and Acquisitions already involve completing many types of reviews before, during, and after the Due Diligence (DD) phase to measure and ascertain the level of risk that impacts the decision-making process, cyber security is often missing from the process. Evolving cyber threats and breaches make this consideration not only important but vital to the entire process. In this article, we review why conducting a cyber security review is important across the M&A, and why it is important to keep a close eye on cyber risks at each and every stage: before, during, and after the M&A transition process.

The Importance of Cyber Security in M&A

Businesses are increasingly focusing on cybersecurity in mergers and acquisitions. But what would happen if they didn’t? The target organisation may turn out to have many issues and dormant threats that require large remediation work to bring it up to the acquiring organisation’s level. In other instances, the target business may already have Advanced Persistent Threat (APT) actors inside its network.

M&A security assessment includes:

  • Review the Security Posture of the target organisation and compare it with the acquiring organisation.

  • Review any immediate security issues facing the target organisation.

  • Review any sign of data breach or Advanced Persistent Threat (APT) that may be lurking.

  • Review the target organisation’s security practices against one of the best-practice frameworks (NIST or ISO).

Once all issues and vulnerabilities are known, we create a roadmap to remediate them and provide a rough order of magnitude (ROM) cost estimate, including any missing products and technology.

This includes:

  • Provide ROM costing for uplifting the security posture and addressing cyber risk.

  • Provide indicative and reasonable timelines to address these issues, breaking them down into 0–3 month, 3–6 month, and 6–12 month initiatives.

  • Provide a roadmap from sign-off until full integration.

Good cybersecurity benefits both sides of the M&A process. A robust framework and maturity can make a target firm more attractive, and cybersecurity best practices on both ends make for a smoother, more secure transition period.

Stages of security in the M&A:

  • Before the Non-Binding Indicative Offer (NBIO)

  • During the Due Diligence (DD) phase

  • After the sales contract

  • Pre- and post-closure

  • During the period leading up to integration

Our approach to Cyber Security in M&A

Different stages of M&A carry different risks. To address the various risks of the process correctly and accurately, and to give both the acquiring and the acquired firm a realistic view of that risk, we assess the posture of the acquiring organisation and compare it with that of the target organisation or business. Our team has assisted in a number of successful and failed M&A transactions at various stages of the process, and we have developed a methodology that gives both parties visibility of the cyber security issues facing the M&A process. Our approach differs depending on the stage of the M&A:

Before the NBIO

When the acquiring firm starts shopping around for target businesses, it needs to know that the target business does not have any large breaches or issues. Before entering into a discussion, the acquiring firm should have a rough picture of any obvious gaping holes that may exist. This is particularly important for regulated industries, but it is essential across all industries and M&A.

With that in mind, our team conducts a fully passive and non-intrusive search on the target organisation across the surface, deep and dark web.

Some of the questions our team seeks to answer include (but are not limited to):

  1. Has there been any past breach or data leak that impacted the target business?

  2. How good or bad does their security posture look from the internet?

  3. Do any of their public points of presence have any security vulnerabilities?

  4. Have they configured their firewall/perimeter to expose only secure ports and services?

  5. Is there any PII or IP data for sale for the target business?

  6. Are there any indications to point out a good or bad security posture or practice?

To achieve these objectives, our team has developed a methodology that we can complete quite swiftly without drawing any attention or alert to the search being conducted. This is usually quick, short work that we can conclude within one to two days and that gives a good indication of the external posture. While it is not comprehensive, it usually provides a good indication.

At the end of the day, if your house's front door is broken and wide open, most likely there are already people inside your house lurking around.

The outcome of our review assists the acquiring business in:

  • Understanding the external posture.

  • Mandating that certain actions or reviews be completed before the NBIO.

  • Mandating that certain reviews take place during the DD process.

Note that some risk is acceptable, depending on how impactful those risks are on the business. The acquiring firm must determine its risk tolerance and identify whether acquiring the target firm falls within those acceptable limits.

The acquirer should perform a detailed risk assessment to understand the risk of acquiring the target company. The assessment will provide information on the potential impact of risks and vulnerabilities and how they might be mitigated.

During the Due Diligence Process

Once the acquiring business presents a non-binding and indicative offer (NBIO), both parties want to complete the merger or acquisition quickly; proper security assessments at this stage are a vital part of cybersecurity due diligence.

To put the necessary security controls in place promptly and ensure the safety of the acquiring organisation, firms typically lean on our cybersecurity teams to help in M&A transactions. Discovering an undisclosed data breach during these security assessments is a major issue, as it calls the integrity of the business into question and exposes the potential acquirer to reputational damage and unforeseen security problems. In addition to the assessment completed during the previous stage, our team usually:

  • Completes targeted testing of the crown jewels of the target organisation, or a red team exercise, to understand wider vulnerabilities or issues that may exist.

  • Completes an internal and cloud-based security assessment of the company’s infrastructure, cloud assets and workloads.

  • Completes a best-practice review aligned with the NIST framework.

Once the above is completed, we can give both organisations a good picture of the issues that exist. After the assessment, our team:

  • Creates a roadmap with the initiatives and durations needed to address the detected issues.

  • Provides a budgetary estimate to address the detected issues.

  • Provides the acquiring organisation with an overall rating of the detected issues and findings.

This information, alongside the budgetary estimate, is essential detail that helps the acquiring business understand not only the issues but also the priorities and the cost to remediate. We have sometimes found that these budgetary numbers are included in the negotiation between the two companies.

Once most of the assessment is done, but before the sales contract is signed, our team usually provides our vCISO resource to help program-manage the roadmap and address the critical issues that must be resolved.

Post Closure

After the deal closes, our team keeps our vCISO resource in place to help deliver and execute the roadmap created during the DD process.

As the two organisations start aligning their security postures post-acquisition, it’s essential to keep monitoring the program’s progress. During the acquisition process, security progress should be monitored around the clock. Our vCISO will ensure that the target firm’s cybersecurity meets the buying firm’s requirements.

Final Thoughts

Businesses nowadays realise that getting the cyber security assessment right and ready is an essential step in all phases of the DD process and ensures that the M&A process progresses smoothly.

Are you going through a growth phase and considering a merger or acquisition? Get in touch with our team.
