Why Cybersecurity Due Diligence is Critical When Selling a Business

By David Hansen, CPA, CISSP, QSA, CISA on October 17, 2022

Director | Risk Advisory Services

Is cybersecurity worth the investment?

So you’ve decided to sell your business. What’s next? 

First, the buyer will want assurance that the investment is likely to pay off, perhaps even yield a higher-than-expected return, so expect to be asked for evidence that your financial health, legal standing, and industry reputation are sound. That evidence is gathered through due diligence, and the buyer will naturally retain a contingent of consultants to assess the target and advise on the value of the acquisition.

The Value of a Strong Bench in M&A Transactions

You, too, will need a team. In addition to valuing the organization, your accountants will substantiate that your financial performance is sound, and a legal team will review contracts to make sure there are no strings attached that could hold back a profitable transaction.

Yet one strategic partner is often overlooked, even though its participation can affect both the value the acquirer places on your company and the way the deal is structured: a team of cybersecurity experts. A thorough analysis of your technology by such a team can ease the buyer's uncertainty about value and reputation.

At Freed Maxick, we have a dedicated team of cybersecurity professionals who provide detailed insights, meticulous analysis, unbiased perspective, and more effective solutions. Our professionals bring trustworthy skills, knowledge, and expertise to protect people, organizations, and reputations from potential theft, exploitation, and long-term damage. 

The Impact of a Cyberattack on Business Valuation and M&A

Nothing threatens a potential M&A opportunity more than a cyberattack. A study by Gartner, “Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem,” found that 88% of respondents viewed “cybersecurity-related risk as a business risk, not just a technology risk.” And while many assume larger companies are the more lucrative targets for criminals, small and medium-sized businesses (SMBs) are easier targets: they often lack appropriate security controls and are more apt to pay a ransom quickly to avoid costly business disruption.

An article on AmericanBar.org affirms: “Omitting cybersecurity assessments in M&A due diligence, conducting superficial evaluations, or limiting such due diligence to a company’s IT systems rather than treating cybersecurity as a risk category in its own right means ignoring the serious risks that cyber threats pose to all companies and to M&A deals involving them.” 

Is Cybersecurity a Good Investment?

“Most companies have yet to reach the advanced levels of cybersecurity management demanded by today’s business environment,” so due diligence covering every aspect of an organization’s technology is critical. Much of the investigation is highly technical in nature, such as penetration testing, and more often than not it uncovers issues.

For example, we recently worked on a deal for a client attempting to sell to a private equity (PE) firm. As part of its due diligence, the PE firm commissioned a code review and discovered old, unsupported software libraries in the product. Unsupported libraries no longer receive security patches, so any vulnerability disclosed in them stays open; they also block updates to the components that depend on them, limit the ability to scale the software, and more. Needless to say, the seller had to invest resources to upgrade the codebase before the acquisition closed.
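The kind of check the PE firm's code review performed can be started in-house before a buyer does it. The following is an added example written for this post, not Freed Maxick's own tooling or the client's code: it inventories the dependencies declared in a requirements-style manifest and flags pinned versions whose release series is past its end-of-support date, plus unpinned entries whose installed version cannot be verified at all. The manifest, the package names and the end-of-life table are all constructed for illustration; in practice the table comes from vendor lifecycle pages or from a scanner such as pip-audit or osv-scanner, which also match against published vulnerability advisories.

```python
"""Dependency inventory with end-of-support check (added example, not the page's own code).

The manifest, package names and EOL table below are constructed for illustration;
they do not describe real packages or real advisory data.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed requirements.txt-style manifest for a hypothetical product.
MANIFEST = """\
# web tier
webframework==0.12.2
httpclient>=2.25.0
# data tier
ormlib==1.11.29
yamlparse==5.4.1
tlslib==3.4.8
"""

# Constructed lifecycle table: (package, major.minor series) -> end-of-support date.
# Assumption: a series past this date receives no further security patches.
EOL_TABLE: Dict[Tuple[str, str], date] = {
    ("webframework", "0.12"): date(2018, 4, 26),
    ("ormlib", "1.11"): date(2020, 4, 1),
    ("yamlparse", "5.4"): date(2021, 1, 1),
    ("tlslib", "3.4"): date(2024, 1, 1),  # still supported on the 2022 review date
}

# package name, optional comparison operator, optional version
_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?")

Finding = Tuple[str, Optional[str], str]  # (package, version, reason)


def parse_manifest(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (name, operator, version) per requirement line; comments and blanks are skipped."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if m:
            reqs.append((m.group(1).lower(), m.group(2), m.group(3)))
    return reqs


def series(version: str) -> str:
    """Collapse '0.12.2' to its support series '0.12'."""
    return ".".join(version.split(".")[:2])


def audit_manifest(text: str, today_iso: str,
                   eol_table: Dict[Tuple[str, str], date] = EOL_TABLE) -> List[Finding]:
    """Flag unpinned requirements and pinned versions whose series is past end of support."""
    today = date.fromisoformat(today_iso)
    findings: List[Finding] = []
    for name, op, version in parse_manifest(text):
        if op != "==" or version is None:
            # A range or bare name resolves at install time, so the shipped version is unknown.
            findings.append((name, version, "unpinned: installed version cannot be verified"))
            continue
        eol = eol_table.get((name, series(version)))
        if eol is not None and eol <= today:
            findings.append((name, version, f"unsupported since {eol.isoformat()}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_manifest(MANIFEST, "2022-10-17"):
        print(f"{name} {version or ''}: {reason}")
```

On the constructed manifest the review date matters: tlslib 3.4 passes in 2022 but is flagged once its series reaches end of support, which is why a dependency inventory has to be re-run rather than filed once. The same structure applies to package-lock.json, go.sum or a Maven POM; only the parser changes.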

State of Readiness for an M&A Transaction

Preparation is key to a more seamless M&A experience. Listed here are suggested cybersecurity due diligence questions to answer prior to the acquirer’s review of your company:

History: Have there been past data breaches? Are there known vulnerabilities? 

Budget: How much is spent annually on IT, and what percentage is dedicated to security? What is the maintenance budget?

Assets: Is intellectual property (IP) protected? Do you have cyber insurance to protect those assets?

Use: How secure are any Internet-facing web applications? Are those systems maintained, monitored, and assessed periodically? How are transactions conducted, and if sensitive customer data is collected, is it protected? Are industry regulations being adhered to?

Accountability: Is technology (updates, upgrades, etc.) reliant on one person? What does the IT organizational chart look like? Are there defined roles and responsibilities? What is the level of reliance on people and who is critical in their position — is there a single point of failure if they leave? What about IT oversight and governance throughout the organization?

Culture: How reliant is the organization on technology? Are the employees tech-savvy, and are they open to change? How accepting of new technology is the leadership? What kind of training is provided, and how frequently? Is the company security-minded, with employees who are cognizant of security protocols (e.g., password hygiene)?

Security: How prevalent is privileged access, or does the company follow the principle of least privilege? Is access role-based? Is employee access removed immediately upon termination? Are logging and monitoring systems deployed across the network and critical applications? What measures are in place to reduce the risk of compromise, such as vulnerability scanning, network defenses, and end-user education?

Vendors: Who are they and what are they responsible for (web hosting, software)? How critical are third parties to running the company day to day? Is the relationship monitored? Is there a point person for issues, or do you contact a help desk with multiple representatives? Has the contract been reviewed, and are formal Service Level Agreements in place?

Equipment: Is there an inventory of physical, digital, and data assets? What is the age of the equipment? How frequently is it serviced? What do you own, lease, or subscribe to?

Data: What types of data are being maintained? Is anything sensitive? How is it protected? Are analytics used, dashboards available, and KPIs identified? How/how often is data backed up? 

Applications: What software systems are currently being used? Are ERP and CRM systems critical to the organization? How are they supported? What communication platforms does the organization engage? For tools like email, what security is in place? Does the organization utilize the cloud?
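Several of the Security and Accountability questions above (is access role-based, is it removed immediately on termination, how prevalent is privileged access) can be answered with evidence rather than assertion by reconciling an identity-provider or directory user export against the HR roster. Below is an added example written for this post, not Freed Maxick's methodology or tooling: both CSV inputs are constructed samples standing in for a real HR export and a real IdP export, and the 90-day staleness threshold is an assumption. It reports enabled accounts that belong to terminated employees, enabled accounts with no HR owner (orphaned or unowned service accounts), stale or never-used accounts, and the share of enabled accounts holding privileged rights.

```python
"""Access review: reconcile an IdP/directory user export with the HR roster
(added example, not the page's own code). Both CSV inputs are constructed samples."""
import csv
import io
from datetime import date
from typing import Dict, List, Tuple

# Constructed HR export: who should have access.
HR_ROSTER = """\
employee_id,name,status,termination_date
1001,Alice Rivera,active,
1002,Bob Chen,terminated,2022-08-15
1003,Carol Diaz,active,
1004,Dan Okafor,terminated,2022-10-01
"""

# Constructed identity-provider export: who actually has access.
# employee_id is blank for accounts not tied to a person (service/shared accounts).
IDP_USERS = """\
username,employee_id,enabled,privileged,last_login
arivera,1001,true,false,2022-10-14
bchen,1002,true,true,2022-09-30
cdiaz,1003,true,false,2022-04-02
dokafor,1004,false,false,2022-09-28
svc-backup,,true,true,2022-10-15
admin-old,,true,true,
"""


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, idp_csv: str, today_iso: str,
              stale_days: int = 90) -> Dict[str, object]:
    """Return privileged-access counts plus (username, reason) findings for enabled accounts."""
    today = date.fromisoformat(today_iso)
    hr = {r["employee_id"]: r for r in _rows(hr_csv)}
    findings: List[Tuple[str, str]] = []
    # Disabled accounts are out of scope: a terminated user whose account is
    # already disabled is the state a buyer expects to see.
    enabled = [u for u in _rows(idp_csv) if u["enabled"].lower() == "true"]
    for u in enabled:
        owner = hr.get(u["employee_id"])  # blank employee_id never matches a person
        if owner is None:
            findings.append((u["username"], "no HR owner: orphaned or unowned service account"))
        elif owner["status"] == "terminated":
            gap = (today - date.fromisoformat(owner["termination_date"])).days
            findings.append((u["username"],
                             f"employee terminated {gap} days ago but account still enabled"))
        if not u["last_login"]:
            findings.append((u["username"], "never logged in"))
        elif (today - date.fromisoformat(u["last_login"])).days > stale_days:
            findings.append((u["username"], f"stale: no login in the last {stale_days} days"))
    privileged = sum(1 for u in enabled if u["privileged"].lower() == "true")
    return {
        "enabled": len(enabled),
        "privileged": privileged,
        "privileged_ratio": round(privileged / len(enabled), 2) if enabled else 0.0,
        "findings": findings,
    }


if __name__ == "__main__":
    report = reconcile(HR_ROSTER, IDP_USERS, "2022-10-17")
    print(f"enabled={report['enabled']} privileged={report['privileged']} "
          f"ratio={report['privileged_ratio']}")
    for user, reason in report["findings"]:
        print(f"  {user}: {reason}")
```

On the constructed data the script surfaces a terminated employee whose privileged account has been enabled for 63 days, two privileged accounts with no owner on the roster, and one of them never used at all; three of five enabled accounts are privileged, which is the opposite of least privilege. Run against real exports, the same reconciliation gives the buyer the documented answer to the termination and privileged-access questions instead of a verbal one.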

Maintaining Your Business Value

A cyberattack can very quickly bring down the value of your company, compromise your reputation, and erode customer trust, and the cost to remediate could threaten the sustainability of the business. Whether you are preparing your company for a sale now or plan to do so in the future, don’t overlook the fact that a sophisticated buyer will evaluate all of your technology and its related security. Remember that regardless of who is “in charge” of IT and security, accountability resides in the C-suite.

Taking Cybersecurity Preventative Action Prior to Selling a Business

If you are considering selling your company and want to talk about the smartest way to safeguard your digital assets, contact David Hansen, Director of Risk Advisory Services, for a complimentary consultation. He can be reached directly at 585-360-1481 or david.hansen@FreedMaxick.com.
