Cyber diligence: Study reveals cybersecurity concerns are becoming a critical factor in M&A due diligence

By Cameron Abbott and Rebecca Gill

Unreported data breaches have disrupted several major M&A deals in recent years, such as Marriott International’s merger with the Starwood hotel chain. The growing list of cautionary (and costly) tales appears to be making an impression in the M&A space, as a recent study of IT professionals and business executives by Forescout Technologies has found.

The study queried a total of 2,779 respondents from all over the world, and found that 93% of the respondents viewed cybersecurity evaluations as important to their companies’ M&A decision-making processes. Respondents also ranked a target company’s history of cybersecurity incidents as the second most important factor when performing due diligence on the business, following the company’s financial statements.

Interestingly, more than half of the respondents (about 53%) reported that a “critical cybersecurity issue or incident” had jeopardized an M&A deal involving their companies. Sixty-two per cent of the respondents also stated that cyber risk was their biggest concern post-acquisition. And about 65% of the respondents said that their companies experienced regrets in making M&A deals due to cybersecurity concerns.

It goes without saying that security breaches can have devastating effects on a company’s business and reputation, which are almost always echoed in the stock market and the media. This study is an important reminder for companies to conduct cyber diligence as part of their M&A due diligence processes in order to mitigate cybersecurity risks before a deal is closed. Once unreported breaches and poor cybersecurity frameworks are discovered during due diligence, there won’t be any godfather offers or white knights coming along to save the deal.

Copyright © 2024, K&L Gates LLP. All Rights Reserved.