6 Review Areas for Detecting Cybersecurity Risk in a Due Diligence

The Art of M&A® / Due Diligence: Detecting Cybersecurity Risk
An excerpt from The Art of M&A, Fifth Edition: A Merger, Acquisition, and Buyout Guide by Alexandra Reed Lajoux

Editor’s Note: A growing number of M&A professionals are pursuing the Certified M&A Specialist, or CMAS®, credential. To support these certification candidates preparing for the CMAS® exam, we are pleased to highlight a feature column, CMAS® Career Corner, by noted author and expert Alexandra Reed Lajoux. Each edition includes directly relevant content derived from Lajoux’s industry-leading book series, The Art of M&A, Fifth Edition: A Merger, Acquisition, and Buyout Guide (McGraw Hill, 2019). These columns cover one or more likely CMAS® exam questions and will help you accelerate completion of this important career credential.


Q: Cybersecurity is a major risk today. What advice do you have for detecting such risk during a due diligence?

Cybersecurity audits should be a very comprehensive review of the existing digital environment of the target company that includes a wide variety of different platforms and tools.[1] IT infrastructure, including firewalls, firewall rules, intrusion detection, and intrusion remediation tools and processes are typical areas to review. This should include both current and past environments, including a review of the intrusions and remediations that occurred, both in the past and in the present. With the trend toward the use of cloud technologies, where key information resides with one or more third parties, the analysis can get complex. Knowledge that the cloud provider has acceptable security is not enough information, since the target company could have chosen to bypass some of the available security and use, for example, just a simple password scheme, which would not be an acceptable secure environment. And, for target companies that support a bring your own device (BYOD) environment for their employees, the analysis should include considerations to properly protect the infrastructure environment from devices that may contain dangerous malware.

The analysis of key application software, including data content such as customer information, financial information, and intellectual property rights (IPR) information is a second key focus area, including what information is digitized and made available online to authorized users. And, with the growing use of applications that span organizations across customers, suppliers, and third-party environments, the review can get complex. With the advent of cloud-based applications, it is essential to understand the use of applications not under IT control, but where business personnel have contracted directly with third-party providers to use applications (often referred to as “shadow IT”).

Third, the review of software tools such as email and document management should be analyzed to thoroughly review the target company’s environment. Included in this area would be online applications and websites, including those that are not current or used anymore but still exist, since they could have embedded vulnerabilities, which could lead to intrusions.

Fourth, a review should include the IT and cybersecurity organization and personnel, for responsibilities and adequacies to properly protect the digital environment of the target company.

Fifth, a review of the use of social media by the target company is also crucial in understanding the cybersecurity environment and possible vulnerabilities.

Sixth, with the growing concern about data privacy, a review of data privacy information is recommended, especially in deals involving multinational targets and target companies that are located in different countries. The European Union’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018, has wide-ranging effects. The law requires—with some exceptions—affirmative opt-in and usage notices for any data collection in the European Union (EU) by any organization with 250 or more employees based anywhere in the world. Vendors to these companies may also be affected by this law. The GDPR affects not only European companies collecting data within the EU, but also large non-European companies with “data subjects” based anywhere in the EU. Since most organizations today engage in digital commerce that includes data collection, and since digital commerce per se has no geographic boundaries, the directive has the potential to affect many businesses.

[1] This answer was provided by Bill Blandford, Manager of M&A, Retired, Nokia, and a member of the Board of M&A Standards, as introduced in the preface to this book.

Learn more about cybersecurity risk in due diligence and integration at our two upcoming in-person training events:

The Art of M&A® for Due Diligence Leaders / In-Person / Boston, MA / September 12-14, 2023

The Art of M&A® for Integration Leaders / In-Person / San Diego, CA / October 11-13, 2023

These sessions include face-to-face networking with presenters, peer interaction, small-group breakouts, team challenges, roundtable discussions and more. Join us!


Lajoux, Alexandra Reed, with Capital Expert Services. The Art of M&A, Fifth Edition: A Merger, Acquisition, and Buyout Guide. United States of America: McGraw Hill, 2019. Pp. 460-461. Print.