Chapter 11 - Cybersecurity Considerations During M&A Phases


Cybersecurity diligence during M&A calls for a two-pronged approach. Companies must conduct rigorous due diligence on the target company’s cyber risks and assess their related business impact throughout the deal cycle to protect the transaction’s return on investment and the entity’s value post-transaction. In addition, all parties involved in the deal process need to be aware of the increased potential for a cyberattack during the transaction process itself, and should vigilantly maintain their cybersecurity efforts. Applying this two-pronged approach during M&A will serve to ultimately protect stakeholder value.

Key Ideas
  • In the current landscape, cybersecurity due diligence often receives limited focus under tight time constraints.

  • Acquirers need to conduct cyber risk assessments as early as possible in the process.

  • During the identification phase, acquirers need to identify the cybersecurity risks before engagement with the target, model the financial impact, and understand the regulatory environment.

  • During the due diligence phase, acquirers need to estimate the cost of cyber risk remediation in order to meet defined standards under transitional services arrangements.

  • During the integration phase, acquirers need a plan to remediate compliance concerns, address risk exposure, and integrate security operations—wherever appropriate.

ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.