7 Tips for Conducting Effective Cybersecurity Due Diligence in M&A Transactions

Cybersecurity analysis informs deal terms, deal value and post-deal indemnity claims.

October 29, 2015

1. Start Early

Buyers should begin conducting cybersecurity risk assessments early in the engagement process. The target should be able to identify which information technology systems and data sets are key to the business and explain how the company protects them.

2. Tailor Diligence

Based on the information gleaned during the initial risk assessments, the buyer should tailor its diligence based on the type of information being handled, the industry, and how important information security is to the target’s bottom line.

3. Assess Awareness

Does the target’s management team have cross-functional awareness about cyber risk and the their security program? If so, this is a sign of a mature security program. A security program will not be effective if it exists in a silo inside the information technology department. All substantial stakeholder departments should be involved in cybersecurity risk management.

4. Ask the Experts

In order to accurately assess cyber readiness and potential liabilities, buyers should assemble deal teams that include subject matter experts. The deal team should be nimble and focus on the specific industry, as cybersecurity risks are highly variable across sectors.

5. Ensure Payment Card Industry Compliance

If the target accepts, processes, stores or handles cardholder payment data streams, buyers should pay special attention to compliance with the payment card industry data security standards (PCI DSS). When done correctly, PCI DSS compliance is costly and requires constant adaptation and optimization to new threats and standards.

6. Consider Other Risks

Payment and card security are not the only risks to be concerned about. Theft of trade secrets,  state-sponsored espionage and cyber attacks that cripple corporate networks can be just as damaging to a target business. Buyers should ask questions about any historical incidents in these areas and assess the target’s measures for preventing similar future breaches or attacks.

7. Consider Cyber Insurance

Buyers should evaluate which of the target’s cyber risks will be mitigated by insurance coverage. Today, most cyber insurance policies cover a data breach and the crisis management expenses associated with complying with data breach notification laws.

Find Out More

For more information on conducting cybersecurity due diligence in M&A transactions download Archie’s chapter from Navigating the Digital Age, “Cybersecurity due diligence in M&A transactions: Tips for conducting a robust and meaningful process.”

Notice: We appreciate your interest in Latham & Watkins. If your inquiry relates to a legal matter and you are not already a current client of the firm, please do not transmit any confidential information to us. Before taking on a representation, we must determine whether we are in a position to assist you and agree on the terms and conditions of engagement with you. Until we have completed such steps, we will not be deemed to have a lawyer-client relationship with you, and will have no duty to keep confidential the information we receive from you. Thank you for your understanding.