M&A Helps Make the Business Case for Cybersecurity

Dec 17, 2022

Executive Summary:

Cybersecurity is a significant driver of buyer’s remorse in Mergers and Acquisitions (M&A). That’s no surprise when more than half of all companies have poor cybersecurity.

 The growing importance of cybersecurity posture in the structure of M&A deals is another way to quantify the benefits of a good stance.

 This post shares how we have used this topic to successfully engage senior stakeholders at the level of the Board of Directors and the C-suite of Fortune 500 companies and leveraged it as a component in the overall business case for better cybersecurity.

 This Field Note is 471 words, a 2.3-minute read.

How does M&A contribute to the general business case for cybersecurity?

There is a growing understanding of how cyberattacks steal more than data; they affect the fundamental value of the business, whether that is measured by the stock price of a publicly held company or the liquidity and deal price of private owners’ exit strategy.

The downloadable PDF offers a slide we’ve used many times to engage Fortune 500 executive stakeholders in cybersecurity strategy, long before we developed the M&A solution we describe below.

    How often does cybersecurity impact M&A deals?

    • 80% found previously unknown or undisclosed cybersecurity issues during M&A integration
    • 65% report their company experienced regrets in making an M&A deal due to cybersecurity concerns
    • 62% agree their company faces significant cybersecurity risk acquiring new companies
    • 62% say cyber risk is their biggest concern post-acquisition

    Enough business development teams have been impacted that:

    • 81% say they are putting more focus on the cybersecurity posture of an acquisition target
    • 97% involve third party contractors for IT audits or cybersecurity assessments

    These findings [1] are based on a sample of 2,779 executives and senior managers with knowledge of their company’s M&A strategy, 79% of whom plan, create, or execute their company’s M&A strategy. Of this global sample, half are business decision makers and half are Information Technology (IT) leaders, with 70% having been involved in 2-5 deals and 30% in more than 5 deals.

    What is the status quo of cybersecurity due diligence?

      While over half of survey [1] respondents report starting cybersecurity due diligence before the deal is announced, the vast majority of organizations don’t gather enough data to perform a detailed gap analysis or develop a rough budget until after the acquisition is complete.

      For those that do perform a cybersecurity assessment before the deal closes, the assessment relies heavily on the target company providing information that is accurate and truthful. Our experience through a dozen M&As has shown those “self-attestation” reports of cybersecurity posture are woefully inaccurate.

      As a result, the post-announcement integration investments become much higher than the due diligence estimates. Often, business process integration is curtailed, so projected business synergies and cost savings are never realized.


      M&A is busting the myth that most companies have adequate cybersecurity

        As we were working on making the specific business case for a new SecuriThink solution, we realized that acquiring companies are in for a wake-up call because they enter the transaction assuming most companies have an adequate cybersecurity stance, when this is far from the measured reality.

        We complemented the information in the slide shown above with more research about where most companies stand. You can see what we did and leverage our sources by checking out that post here.

        Once we realized the gap in understanding, it became the second sentence of our message to business decision makers.

        Our opening statement became, “Cybersecurity is a significant driver of buyer’s remorse in Mergers and Acquisitions (M&A). That’s no surprise when more than half of all companies have poor cybersecurity.”

        There is power in taking something which was previously invisible and putting a spotlight on it. It becomes context which makes a well-composed message command respect.

          1. The Role of Cybersecurity in Mergers and Acquisitions. Quest Mindshare commissioned by Forescout Technologies. 2019. https://www.forescout.com/company/resources/cybersecurity-in-merger-and-acquisition-report/
          2. Trojan horse quote: https://www.allianz.com/en/press/news/studies/230117_Allianz-Risk-Barometer-2023.html