Cybersecurity Due Diligence in M&A and Divestitures


Liberty Advisor Group

Cybersecurity is a key risk that requires an assessment as a part of any M&A transaction. Here we outline why it’s so important and how we can help.

Most companies that engage in divestitures, M&A, or other forms of business combination don’t consider cybersecurity due diligence a vital part of the merger or acquisition process. However, the current cybersecurity landscape brings to the fore the importance of prioritizing cybersecurity due diligence. And where the selling company declines a request for cybersecurity due diligence, such should be treated as a red flag.

That said, divestiture deals are magnets for cyber attacks. Divestitures occur when an organization sells a division or portion of its business and assets to another company. Since divestments are almost always associated with much stricter time constraints—they need to be speedy—business processes can be easily disrupted. Cyber attackers usually take advantage of disrupted routines and distracted employees to launch attacks.

Why Cyber Risk is a Big Threat to Divestment

Just as with any other M&A process, inheriting cyber risks is one of the biggest threats to divestment. While organizations often use security as the final sign-off of a deal, cybersecurity throughout the divestment process is crucial for preventing security and operational risks and liabilities, as well as any legal risks heightened by more stringent data protection and regulatory compliance policies.

Cyber risks affect both the divesting organization and the entity being sold or spun off and are present in all phases of the deal cycle. Ignoring cybersecurity in an M&A can expose the buyer to various risks. This includes diminished profits, revenue, market value, and brand reputation. Similarly, it can erode the value of a divestment, resulting in a seller’s profits diminishing.

During divestment, threat actors can make the most of the situation to gain access to sensitive data, trade secrets, and more. Divestitures increase the number of people, systems, and assets involved. Thus, consequently increasing the probability of human error and negligence toward critical oversight. This is why a weak cybersecurity posture can devalue the deal for the unit your organization is divesting.

Cybersecurity Impacts the Value of a Company

Now that all companies rely on corresponding digital data and IT systems, infrastructure security has a real impact on the value of a company to a purchaser—in terms of the cost of upgrading to more secure hardware and the potential damage to stock price and the brand equity from previous, ongoing or potential cyber-attacks. Statista states the average global cost of a data breach is $4.35 million. This is before reputational damage is taken into account.

Cyber attacks can shut down business operations or expose sensitive data. This can ultimately result in company and brand valuation (not all divestitures are of public companies).

An example of a company whose valuation declined as a result of a cyber attack is Yahoo. In 2017, Yahoo disclosed to the then-acquirer, Verizon, that its internet business had suffered three data breaches resulting in the loss of 3 billion customer account records. As a result, the acquisition price for Yahoo decreased by $350 billion.

Another example is the acquisition of SBTech. In 2020, Diamond Eagle Acquisition Corporation renegotiated terms with SBTech, after it was revealed that the acquisition target had been a victim of a recent ransomware attack. The renegotiation cost SBTech $30 million.

Don’t Let M&A Cybersecurity Risks Devalue the Deal

Here are some measures you can take to ensure that cyber risks don’t devalue your divestment deal:

1. Extensive Planning to Guarantee a Secure and Speedy Process

Executing a deal without a proper plan and without conducting cybersecurity due diligence puts unnecessary risks on the investment. Formulate a plan outlining how you will conduct cybersecurity due diligence and how the entire acquisition process will occur so that operations won’t be disrupted and everyone knows what to do.

2. Include Cyber-Savvy Leaders in the M&A Process

Cyber-savvy leaders who implement a defensive strategy throughout the deal can significantly limit the organization’s risk exposure. Cybersecurity experts should be part of the M&A process in all phases. Failure to understand how the divestiture impacts the risk exposure will detract from future value realization.

3. Conduct an Early Cybersecurity Assessment

Most companies don’t perform cybersecurity assessments until after the completion of due diligence. Without appropriate cybersecurity due diligence, “the acquirer in the M&A transaction is at risk of buying the cyber vulnerability of the target company and assuming the damage and liabilities from the incidents it suffers,” writes the American Bar Association. The acquirer may not understand the potential devalued nature of the assets it is buying, nor the size of the liabilities it may take on.

Upon identifying cyber risks, quantify valuation considerations. This includes estimated one-time and recurring costs to remediate cyber vulnerabilities or gaps in regulatory compliance.

The acquiring entity should also continually monitor the cybersecurity posture of the business and take cybersecurity insurance to help the business get back on its feet in the unfortunate event that it becomes a cyber attack victim.

It is also imperative to do an analysis of what cybersecurity elements stay with the remain-company and do not come over with the divesting entity. This will provide them with the details on what they will need to stand up from a cyber perspective once that entity is divested.

Liberty Advisor Group Can Assess M&A Cybersecurity Risks Before They Appear

Looking for help conducting cybersecurity due diligence in M&A and divestitures? Liberty Advisor Group can help. We have a team of US intelligence-trained experts that have gained their skills from decades of experience in DoD and US National Intelligence communities. We offer a wide range of cybersecurity services, including:

  • Cyber Health Check.  We will perform a cybersecurity assessment to help you identify the biggest areas of opportunity to address and provide you with concrete do now, do next, recommendations to mitigate against the identified vulnerabilities. These recommendations take into account the benefits achieved for the investment required.
  • Threat Analysis. We will assess your organization’s security protocols, processes, and procedures to identify threats and vulnerabilities and even gather information about potential attacks before they occur. 
  • Continuous Overwatch. We will continuously monitor your cybersecurity, analyze your IT infrastructure and give you real-time alerts needed to avoid emerging threats.
  • Crisis Management. We will design strategies to help your organization deal with cyber events swiftly. This way, you can resume your normal operations as soon as possible.

Contact us today to learn more about our services.


Liberty Advisor Group

Add insights to your inbox

Get the latest in leadership news delivered straight to your inbox with our weekly newsletter.