For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags—but there wasn’t a whole lot of care or thought put into it.
But this status quo is no longer enough. History has shown that a lack of due diligence on cybersecurity during the acquisition process can be devastating to the acquiring organization. Luckily, there are tools available, like BitSight Security Ratings for Mergers & Acquisitions, that can help you understand the true cybersecurity posture of your acquisition. Below is an information security due diligence checklist, highlighting the four reasons you should consider using BitSight Security Ratings before, during, and after any merger or acquisition.
4 Reasons To Use Security Ratings Before Your Next Acquisition
1. It saves you money in the immediate future.
You likely remember the newsworthy fiasco between Verizon and Yahoo: While Verizon was finalizing a deal to purchase Yahoo, Yahoo disclosed a major data breach. This news impacted the purchase price to the tune of $350 million. A detailed history of security issues at Yahoo emerged even after the deal was finalized.
Companies that conduct thorough due diligence of the security posture of acquisition targets using BitSight Security Ratings review historical security data and can use that information to structure M&A deals. If their acquisition target has a long or constant history of security issues, they may be able to negotiate a lower sale price to counteract potential cyber risks. More importantly, acquiring companies may also be able to help targets improve their cybersecurity posture, thereby reducing the level of risk incurred as a result of the transaction.
2. It saves you money in the long term.
While some companies have been breached during a merger or acquisition transaction, others have been breached well after the deal has gone through. A prime example is TripAdvisor’s 2014 purchase of Viator, a tour-booking company. Just a few weeks after the completed transaction, Viator’s payment card service provider announced that unauthorized charges occurred on many of its customers’ credit cards. The breach affected 1.4 million users and led to a four percent drop in TripAdvisor’s stock when the news broke.
BitSight can help here as well. Security Ratings are correlated with the likelihood of a breach. If the rating of an acquisition target indicates that it is at risk of a future cyber attack, that risk is inherited by the acquiring company as part of the deal.
3. It aids collaboration between the acquiring company and their target.
Since acquiring companies inherit the digital footprint of organizations they buy, security and risk departments at both organizations need to have a simple and effective way to collaborate. Here is how BitSight Security Ratings can help with this process:
- BitSight customers can invite any target company to take a look at their own digital infrastructure and security posture free of charge.
- Target companies can then use BitSight to review their own digital infrastructure, including any owned IP addresses and domains. This is a very important step, as many companies own IP space they may not have accounted for. The acquiring organization needs to know precisely what is being consolidated if the acquisition goes through, because once the deal is finalized, the acquiring company has a much larger attack surface. It must be aware of any infections or issues so it can monitor adequately going forward.
4. It gives you a competitive business advantage.
Today, cybersecurity is a business differentiator, and BitSight customers who have a good Security Rating may use it as a selling point. For example, a highly rated law firm would be considered more trustworthy. The same idea can be applied to acquisitions. Acquiring a company with a good security posture could be a strategic move, as it could either reinforce or enhance your company’s own security posture and strategy.
Using BitSight Security Ratings to continuously monitor your acquisition before, during, and after an M&A deal is a critical step. Without this deep look at your target’s security posture, you could end up acquiring vulnerabilities that could cause major damage if exploited.
For more information about BitSight Security Ratings for Mergers & Acquisitions, download this free data sheet. It explains why objective measurements are critical in this process, details the data-driven analysis of security performance, and outlines the key benefits of using BitSight.