Why Cybersecurity Due Diligence is a Critical Consideration Ahead of a Business Acquisition

By David Hansen, CPA, CISSP, QSA, CISA on October 10, 2022

Stay up to date

Back to main Blog
David Hansen, CPA, CISSP, QSA, CISA

Director | Risk Advisory Services


Buying a company requires a comprehensive cyber assessment

When an organization is ready to add locations, grow competencies, or simply enhance its services offered or products made, there is a chance that it will purchase an existing business to achieve its desired outcome. Let’s assume you’re expanding into a new market, you’ve investigated whether it’s easier to start organically or acquire an existing company, and the latter is your best option.

Evaluating technology is critical to a successful merger. And as tempting as it may be to put off a cybersecurity review until after the transaction, there is a high probability that the target organization has vulnerabilities and weaknesses that may jeopardize its short-term sustainability and your long-term success.

Threats to Technology for SMBs

Small and medium-sized businesses (SMBs) are most vulnerable as they “have fewer resources and staffing to prepare for, defend against and recover from attacks, sometimes with devastating consequences.” These attacks come not only from hackers utilizing common, known attack vectors, like ransomware and phishing, but also from more sophisticated methods that include automation, machine learning, and artificial intelligence (AI). 

Significant risk is created by employees and vendors. According to the IBM Cyber Security Intelligence Index Report, 95% of cybersecurity breaches are primarily (and, for the most part, unintentionally) caused by human error and many of those are caused by something as simple as weak passwords. Vendor software and services, such as payroll, are not always as secure as they should be creating opportunities for easy penetration into an organization.

Investment in Cybersecurity is an Investment in Viability 

In addition to engaging accounting and legal counsel, retaining a knowledgeable cybersecurity team for due diligence is another strategy for uncovering risks and protecting your investment. While many individuals and organizations possess the knowledge to assess technology at an attractive price point, engaging a specialist that not only focuses on cybersecurity, but also considers the broader implications to the buyer, ensuring a detailed, meticulous analysis covers additional facets such as intellectual property, IT operations, and compliance.

These experts seek insights that could be imperative for making the right acquisition. The professionals at Freed Maxick Cybersecurity bring trustworthy skills, vast experience, a depth of specialty expertise to protect your people, organization, and reputation from long-term damage. Our team reviews assets and data seeking structural flaws, potential breaches, and other inherent risks in the architecture. We review processes, policies, and operations to identify strengths and weaknesses. We also develop the best plan for establishing mutual standards and for merging collective technology (software, equipment, vendors) post transaction.

A Cybersecurity Risk Management Checklist for Transactions

A thorough examination can help eliminate the possibility of exposure by identifying defective or faulty safeguards to update, upgrade, and secure your technology. While it will get quite technical, the top-line cybersecurity inspection items should include:

Assets: Is intellectual property (IP) protected? How specialized is it and how is it supported? What data is there that a thief could want?

Use: If there are e-commerce and web applications involved, how secure are they? Are Internet-facing systems adequately maintained and do they use strong cryptography? How are transactions conducted and if sensitive customer data is obtained, is it protected? Are industry regulations being adhered to?

Accountability: Is technology (updates, upgrades, etc.) reliant on one person? What does the IT organizational chart look like? Are there defined roles and responsibilities? What is the level of reliance on people and who is critical in their position — is there a single point of failure if they leave? What about IT oversight and governance throughout the organization?

Culture: How reliant is the organization on technology? Are the employees tech-savvy and are they open to change? How accepting of new technology is the leadership? What kind of training is provided? How frequently? Is the company security-minded; are employees cognizant of security protocols (i.e. passwords)?

Security: How prevalent is privileged access, or does the company subscribe to the Principle of Least Privilege access? Is access role-based? Does employee access get immediately removed upon termination? Are logging and monitoring systems deployed across the network and critical applications? What measures are in place to reduce risks of compromise, like vulnerability scanning, network defenses and end-user education?

Vendors: Who are they and what are they responsible for (web hosting, software)? How critical are third-parties to run the company day-to-day? Is the relationship monitored? Is there a point person for issues or do they contact a help desk with multiple representatives? Has the contract been reviewed and are formal Service Level Agreements in place?

Equipment: Is there an inventory of physical, digital, data assets? What is the age of the equipment? How frequently is it serviced? What needs to be replaced, updated, and/or upgraded? Is there anything that’s been neglected? What is the budget for maintaining the architecture? What are the organization’s top five (5) tech needs? What software, if purchased and installed, would be most helpful to the business?

Data: What data is accessible? Is there anything sensitive? Is Personally Identifiable Information (PII) confidential? If so, how is it protected? What analytics are used? Are dashboards available and KPIs identified? How and how often is data backed up? 

Applications: What software systems are currently being used? Are ERP and CRM systems critical to the organization? How are they supported?  What communication platforms does the organization engage? For tools like email, what security is in place? Does the organization utilize the cloud?

Cyber Insurance: Is there any? Who is it with? What does the policy cover?

Finally, in the event of a crisis or disaster, is there a business continuity plan and is technology significantly represented? How frequently is it revisited and updated?

Cybersecurity Due Diligence: Buyer Beware

The Freed Maxick Cybersecurity team completed a security-focused due diligence assessment for a manufacturer. We identified several security risks and provided respective solutions. The client elected to do nothing with the information we uncovered. Two months post-close, the entity was hit with a ransomware attack and was offline for several weeks, resulting in $5 million in losses.

Technology has a massive bottom line implication for many organizations. Neglecting a thorough cybersecurity review of a company being acquired and not implementing respective safeguards to protect it are expensive risks you don’t want to take. 

Cybersecurity in M&A: Purchasing a Company?

Need help assessing the security of a business? Contact David Hansen, Director of Risk Advisory Services, for a complimentary 30-minute consultation. He can be reached directly at 585-360-1481 or david.hansen@FreedMaxick.com.

Stay up to date