Avoid M&A Buyer’s Remorse from Cybersecurity

by | Dec 19, 2022

Executive Summary:

Cybersecurity is a significant driver of buyer’s remorse in Mergers and Acquisitions (M&A). That’s no surprise when more than half of all companies have poor cybersecurity.

What’s needed is a way to rapidly assess cybersecurity costs early in the deal process.

Our unique solution has been field-tested on 12 Fortune 500 M&A deals. It allows investments to be factored into one-time and recurring costs with verified accuracy. It supports fast, data-driven “Go / No-Go” decisions, avoids buyer’s remorse, and minimizes sunk costs.
While created to address M&A, the approach can also be used for decisions weighing the relative value of cybersecurity investments to satisfy customer contractual obligations or regulatory requirements.

This Field Note is 915 words, a 4.5 minute read.

How often does cybersecurity impact M&A deals?

  • 80% found previously unknown or undisclosed cybersecurity issues during M&A integration
  • 65% report their company experienced regrets in making an M&A deal due to cybersecurity concerns
  • 62% agree their company faces significant cybersecurity risk acquiring new companies
  • 62% say cyber risk is their biggest concern post-acquisition

 Enough business development teams have been impacted that

  • 81% say they are putting more focus on the cybersecurity posture of an acquisition target
  • 97% involve third party contractors for IT audits or cybersecurity assessments

 These findings1 are based on a sample of 2,779 executives and senior managers with knowledge of their company’s M&A strategy, 79% of whom plan, create, or execute their company’s M&A strategy. Of this global sample, half are business decision makers and half are Information Technology (IT) leaders with 70% having been involved in 2-5 deals and 30% in more than 5 deals.

Don’t most companies have adequate cybersecurity in place?

While the exact numbers from the reports listed below vary, the trend is very clear: over half of companies have poor cybersecurity. Buyer beware!

 Recent research shows:

  • 76% of executives surveyed reported significant shortcomings in cybersecurity2
  • 80% of companies with over $1 billion U.S. in revenue are either vulnerable or cyber risk takers3
  • 68% of middle-market companies report they could be doing more or are behind in cybersecurity threat protection4
  • 64% of organizations with contractual cybersecurity obligations to the U.S. Department of Defense (DoD) have not fully implemented them – only 36% have5
  • 45% of organizations with DoD cybersecurity requirements admit they have not read those requirements5
  • 37% of manufacturers under $50 Million U.S. have no cybersecurity program at all6

What is the status quo of cybersecurity due diligence?

While over half of survey1 respondents report starting cybersecurity due diligence before the deal is announced, the vast majority of organizations don’t gather enough data to perform a detailed gap analysis or develop a rough budget until after the acquisition is complete. 

For those that do perform a cybersecurity assessment before the deal closes, it relies heavily on the target company providing information that is accurate and truthful. Our experience through a dozen M&A’s has shown those “self-attestation” reports of cybersecurity posture are woefully inaccurate.

 As a result, the post -announcement integration investments become much higher than the due diligence estimates. Often business process integration is curtailed so projected business synergies and cost savings are never realized.

What’s needed?

What’s needed is a way to rapidly assess cybersecurity costs early in the deal process.

Our unique solution has been field-tested on 12 Fortune 500 M&A deals. It allows investments to be factored into one-time and recurring costs with verified accuracy. It supports fast, data-driven “Go / No-Go” decisions, avoids buyer’s remorse, and minimizes sunk costs.

Step one of cyber due diligence is a thorough gap analysis; unfortunately, that can take weeks or months and, by itself, doesn’t provide a cost estimate.

Typically, visibility of costs needed to make an investment decision happens in the stage after that, after more time and sunk costs.

Step Zero™ happens before step one. It’s accuracy was verified by the full lifecycle of several real-world deals, tracking them through the entire integration stage.

To be clear: Step Zero does not eliminate the need for a thorough gap analysis or the plan and design which follows. The Step Zero estimate includes the cost and time for doing those important parts of the process. The estimate which is developed in that later phase is expected to have a smaller range of deviation. The tradeoff is that estimate will come later, after more effort and sunk costs.

 The advantage of Step Zero is having a Rough Order of Magnitude (ROM) estimate with a known range of accuracy to support an early “Go / No-Go” decision.

What uses does this have beyond M&A?

    While originally created in response to the demands of M&A deals, the approach also supports other investment decisions such as:

    • Protecting the value of the business, (e.g., as part of an exit strategy), by ensuring a solid cybersecurity stance
    • Weighing whether existing or anticipated customer business justifies spending to meet cybersecurity contract requirements such as those currently in place for the Department of Defense (DoD) and the even higher standards anticipated with Cybersecurity Maturity Model Certification (CMMC)
    • Managing cybersecurity insurance premiums as well as Directors and Officers (D&O) risks by investing in a demonstrably stronger cybersecurity posture
    • Anticipating the cost to meet regulatory requirements

    The Step Zero approach takes the guesswork out of the process, allowing an early, data-driven business decision with less sunk cost.


    How does this help cybersecurity and IT teams?

      The Step Zero approach offers cybersecurity and IT teams the advantage of preliminary buy-in from business decision makers. Executives and financial stakeholders get some idea of what to expect and can make a preliminary “Go / No-Go” decision. Then the technical teams can do what they need to do to design the future state and build the more detailed plan. Most initiatives insert a stage gate to confirm with stakeholders again at that point.

      When a project starts with step one and a gap analysis, technical teams are often in the hot seat with business decision makers and the financial team constantly checking to see how soon there will be a schedule and, even more importantly, an estimated budget.

      Step-Zero pre-paves executive buy-in for the early stages of the project until the technical team can build that plan and the detailed budget.


      Want more?

      • What’s in a Step Zero report? What’s the input for Step Zero? Read more here or contact us with your questions to decide if Step Zero might make sense for your situation.
      • Sign up to be notified when new Field Notes are posted so you don’t miss any of the great content we have coming about the business case for better cybersecurity and our field-tested solutions.
      • If you have comments, please join the discussion on the relevant LinkedIn post here: https://www.linkedin.com/in/lindarust/


        1. The Role of Cybersecurity in Mergers and Acquisitions. Quest Mindshare commissioned by Forescout Technologies. 2019. https://www.forescout.com/company/resources/cybersecurity-in-merger-and-acquisition-report/
        2. 2022 KPMG Fraud Outlook. https://assets.kpmg/content/dam/kpmg/xx/pdf/2022/01/fraud-survey.pdf
        3. Accenture State of Cybersecurity Resilience 2021. (n=4,744 with revenue over $1B U.S.) https://www.accenture.com/_acnmedia/PDF-165/Accenture-State-Of-Cybersecurity-2021.pdf
        4. Marcum-Hofstra University CEO Survey No. 5, 2022. Data collected November 2022. https://info.marcumllp.com/hubfs/pdf/Marcum-Hofstra-CEO-Survey-No5-2022.pdf
        5. DFARS Case 2019-D041. Federal Register Vol. 85, No. 189, section IX, page 61518. September 29, 2020. https://www.govinfo.gov/content/pkg/FR-2020-09-29/pdf/2020-21123.pdf
        6. Which industries aren’t ready for a cyberattack? Wall Street Journal. June 21, 2020. WSJ Pro Research Survey https://www.wsj.com/articles/the-industries-most-vulnerable-to-cyberattacksand-why-11592786160
        7. Trojan horse quote: https://www.allianz.com/en/press/news/studies/230117_Allianz-Risk-Barometer-2023.html