Chapter 11 - Cybersecurity Considerations During M&A Phases


Cybersecurity diligence during M&A calls for a two-pronged approach. Companies must conduct rigorous due diligence on the target company’s cyber risks and assess their related business impact throughout the deal cycle to protect the transaction’s return on investment and the entity’s value post-transaction. In addition, all parties involved in the deal process need to be aware of the increased potential for a cyberattack during the transaction process itself, and should vigilantly maintain their cybersecurity efforts. Applying this two-pronged approach during M&A will serve to ultimately protect stakeholder value.

Key Ideas
  • In the current landscape, cybersecurity due diligence often receives limited focus under tight time constraints.

  • Acquirers need to conduct cyber risk assessments as early as possible in the process.

  • During the identification phase, acquirers need to identify the cybersecurity risks before engagement with the target, model the financial impact, and understand the regulatory environment.

  • During the due diligence phase, acquirers need to estimate the cost of cyber risk remediation in order to meet defined standards under transitional services arrangements.

  • During the integration phase, acquirers need a plan to remediate compliance concerns, address risk exposure, and integrate security operations—wherever appropriate.



ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.


Andrew Cotton, Partner, Ernst & Young

Andrew Cotton is a Partner and Americas Cybersecurity Leader for EY, a role in which he is responsible for cross-service line, cross-channel evaluation and refinement of EY’s cybersecurity strategy and tactical operating plans. He has more than 25 years of industry experience serving EY’s largest global technology clients in the San Francisco Bay Area. Andrew has previously served on the firm’s Partner Advisory Council and as the Americas Software Sector Leader, at which time he developed the firm’s technical guidance in that area. He has a Master of Arts degree from Oxford University.