Why businesses cannot afford to overlook cyber security due diligence in modern day M&A

Why businesses cannot afford to overlook cyber security due diligence in modern day M&A Cyber-crime is here to stay. It is considered one of the top risk factors faced by the Financial Services and Banking sectors in modern times. As digital technology evolves daily and has become a vital component in our lives, it is not surprising cyber-crime is on the rise. Within businesses reporting breaches several times a day, according to research from Statista, cyber security due diligence cannot be overlooked when it comes to modern day mergers and acquisitions. Failing to conduct a detailed cyber evaluation of target companies as part of the transaction creates risk and one that brings significant financial, legal, and reputational impact. What would the impact be on your investment if a cyber-attack were to occur one hour, one day, one week or one month after completion? Cyber security due diligence is about protecting your investment and ensuring you understand the risks the business you are buying presents, and what you need to do to make your acquisition as resilient and successful as possible. Typically, we understand the obvious costs of an attack, such as business interruption, regulatory investigation, and enforcement fines, but the unanticipated costs – like management disruption, strategic reputational damage, supplier damage claims, client impact, increased insurance premiums and group litigation – are often forgotten about. Furthermore, if a major cyber-attack hits an acquired business shortly after a deal has been closed, it can significantly hinder the purpose of the transaction and could present an existential threat to the wider group or organisation. If you are acquiring a business, you need to understand how resilient it is. Gone are the days of ripping an information security policy off the internet and submitting it as part of general due diligence. A penetration test carried out two years ago was out of date the moment it was finished. An incident response plan not reviewed and communicated, and never rehearsed is ineffective. Now more than ever, a comprehensive understanding of the cyber resilience of a business is critical.