{"id":13303,"date":"2016-04-18T05:00:34","date_gmt":"2016-04-18T12:00:34","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=13303"},"modified":"2016-04-14T13:27:42","modified_gmt":"2016-04-14T20:27:42","slug":"ma-due-diligence-must-include-cybersecurity-considerations","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2016\/04\/ma-due-diligence-must-include-cybersecurity-considerations\/","title":{"rendered":"M&#038;A Due Diligence Must Include Cybersecurity Considerations"},"content":{"rendered":"<p>Mergers and acquisitions (M&amp;A) are a regular occurrence in the business world. And while we\u2019re all familiar with the concept of due diligence when it comes to judging the financial performance of another company, it\u2019s time for enterprises to start applying that same level of scrutiny to the cybersecurity capabilities of a potential acquisition. A thorough review of an acquisition\u2019s security architecture, processes and policies should be a firm requirement for any M&amp;A process.<\/p>\n<p>But where should the cybersecurity due diligence process begin? As a CISO, I recommend that companies start by confirming their acquisition target\u2019s past investments in cybersecurity were made in a manner commensurate with the growth of the company.\u00a0 Ask the following:<!--more--><\/p>\n<ul>\n<li>Have baseline investments been made not just in detection controls but also in more proactive and preventative measures to protect data?<\/li>\n<li>Have investments been made in ensuring that Information Security staff are on hand to support the management of risk?<\/li>\n<li>Have non-IT employees gone through cybersecurity training?<\/li>\n<li>Can acquirers establish with confidence that the company being assessed has not already been breached?<\/li>\n<\/ul>\n<p>Due diligence should be maintained throughout the entire M&amp;A process, particularly before information about the activity goes public. 
While I don\u2019t have specific numbers, I think it\u2019s safe to assume that\u00a0there have been situations in which a hacker or less-than-scrupulous employee has hacked an enterprise network in search of material information they could exploit for their own financial gain before news of an M&amp;A became public. The fallout of such activity could be extreme, so\u00a0it\u2019s important that acquirers and those looking to be acquired consider and implement the appropriate cybersecurity controls to ensure proprietary information doesn\u2019t leak.<\/p>\n<p>The constant stream of security breaches in the news has gained the attention of executive leadership and boards of directors who are now looking to their CSOs\/CISOs to minimize their risk exposure when contemplating major business moves like an M&amp;A.<\/p>\n<p>I would encourage my fellow CISOs (or any other executive looking for guidance and recommendations around cybersecurity policy) to visit <a href=\"http:\/\/securityroundtable.org\" rel=\"nofollow,noopener\"  target=\"_blank\">SecurityRoundtable.org<\/a>, a community designed to share best practices, use cases and expert advice to help executives better manage cybersecurity risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mergers and acquisitions (M&amp;A) are a regular occurrence in the business world. 
And while we\u2019re all familiar with the concept of due diligence when it comes to judging the financial performance of another &hellip;<\/p>\n","protected":false},"author":183,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[89,155],"tags":[386,1874,1499],"coauthors":[1875],"class_list":["post-13303","post","type-post","status-publish","format-standard","hentry","category-ciociso","category-cybersecurity-2","tag-ma","tag-mergers-and-acquisitions","tag-securityroundtable-org"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/13303","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/183"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=13303"}],"version-history":[{"count":2,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/13303\/revisions"}],"predecessor-version":[{"id":13305,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/13303\/revisions\/13305"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=13303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=13303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.pa
loaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=13303"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=13303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}