The rapid increase in cyber threats poses significant risks for companies engaged in mergers and acquisitions (M&A).[1] With the rise in M&A activity across high-stakes markets like Miami, New York, and Cleveland, neglecting to assess cybersecurity vulnerabilities can expose acquiring companies to significant financial, operational, and reputational risks. Cybersecurity due diligence has become critical to these transactions, directly impacting deal valuations, integration plans, contracts, and long-term success.
In M&A, cybersecurity due diligence entails examining the cyber infrastructure, regulatory compliance, past security incidents, and third-party dependencies of the target company to gauge potential cyber risks. Recent cases, such as Verizon’s acquisition of Yahoo and Marriott’s acquisition of Starwood Hotels, highlight how cybersecurity lapses in target companies can diminish acquisition value or create substantial post-acquisition liabilities.[2] To address these risks, companies must adopt rigorous cybersecurity measures during the M&A process and follow strategic steps to fortify security post-acquisition.
Introduction: The Growing Importance of Cybersecurity in M&A Transactions
With the intensification of cyber threats, cybersecurity has become a critical consideration in the M&A process. Recent statistics reveal that cyberattacks, such as ransomware, have escalated in both frequency and sophistication.[3][4] In Miami, New York, and Cleveland, where competitive business landscapes lead to numerous M&A transactions, cybersecurity can significantly impact the ultimate value and viability of a deal. As companies integrate, inheriting unresolved cybersecurity vulnerabilities from the acquired firm can lead to severe repercussions, including regulatory fines, operational disruptions, and loss of consumer trust.
One high-profile example was Verizon’s acquisition of Yahoo. When Yahoo disclosed previously unreported data breaches affecting over three billion user accounts, Verizon ultimately reduced the acquisition price by $350 million.[5] Similarly, Marriott’s acquisition of Starwood Hotels exposed millions of customer records due to a pre-existing data breach, which led to fines under the General Data Protection Regulation (GDPR) and substantial reputational damage.[6] These cases illustrate the far-reaching consequences of unaddressed cybersecurity issues during M&A transactions.
Cybersecurity Due Diligence: An Essential Aspect of M&A Transactions
Conducting comprehensive cybersecurity due diligence is an integral part of assessing M&A targets, as cyber risks can significantly influence the terms and outcomes of a deal. Key elements in cybersecurity due diligence include evaluating data inventory, assessing security controls in place, complying with regulatory standards, and identifying key risks and mitigation strategies.[7]

A. Data Inventory and Protection
A thorough assessment of the target company’s data assets, including sensitive and proprietary information, is crucial. This process involves reviewing the company’s data encryption practices, access controls, and storage solutions. For example, companies operating in highly regulated industries, such as healthcare, must meet strict compliance requirements under state and federal regulations such as the Physician Self-Referral Law (Stark Law), the False Claims Act (FCA), the Anti-Kickback Statute (AKS), the Exclusion Authorities, the Civil Monetary Penalties Law (CMPL), and the Health Insurance Portability and Accountability Act (HIPAA).[8] Ensuring that data protection practices align with industry standards is vital because failing to do so can expose the acquirer to financial and legal penalties.
B. Cybersecurity Risk Assessment
Identifying past cybersecurity incidents and technical vulnerabilities is another essential component of M&A cybersecurity due diligence. This process involves evaluating the target’s IT infrastructure, firewall capabilities, and unresolved risks, culminating in a comprehensive risk assessment to identify potential post-acquisition cybersecurity challenges. In cases where the target has suffered data breaches or cyber incidents, analyzing the response strategies of the target company can reveal potential liabilities.[9] A thorough cybersecurity audit offers the acquirer a risk-based perspective on the target’s cyber infrastructure, guiding integration strategies and future investment decisions.
C. Compliance with Regulatory Standards
M&A transactions often involve complex regulatory landscapes and contracts, especially for companies operating internationally. Non-compliance with privacy regulations due to breaches in data security can be problematic. If legislation such as the GDPR, the California Consumer Privacy Act (CCPA), or industry-specific standards such as HIPAA are violated, that violation can result in penalties and integration challenges. For example, GDPR violations have resulted in fines of up to 4% of global annual revenue for many companies in recent years.[10] Acquirers must evaluate the compliance practices of the target company, and the contractual clauses in place to protect them, in order to mitigate these potential liabilities. Failure to comply with regulatory requirements can create barriers to a smooth integration and diminish the overall value of the acquisition, as in the cases of Yahoo and Marriott mentioned above.
An Illustration
To illustrate how cybersecurity issues can impact an M&A transaction, consider a hypothetical case involving a Miami-based technology company, “TechCorp,” acquiring a Cleveland-based software development firm, “Data Solutions.”
Background and Transaction Goals
TechCorp is seeking to expand its digital service offerings by acquiring Data Solutions, a software firm with advanced data analytics capabilities. This acquisition aims to help TechCorp leverage Data Solutions’ technology to enhance its product suite and expand its customer base in markets such as New York and other metropolitan areas. However, to realize these goals, TechCorp needs to conduct due diligence to identify any cybersecurity risks that could compromise its operations or client trust.
Cybersecurity Due Diligence
During due diligence, TechCorp’s cybersecurity team evaluates Data Solutions’ digital infrastructure, data protection practices, and historical cyber incidents. They identify several concerns, which include the following:
A. Outdated Security Infrastructure
TechCorp’s assessment reveals that Data Solutions has not upgraded its firewall systems in over five years and lacks robust intrusion detection mechanisms. This accumulated risk in Data Solutions’ IT infrastructure increases its vulnerability to cyberattacks, potentially exposing TechCorp to risks once the companies integrate.
B. Third-Party Vendor Risks
Data Solutions relies on a third-party data processing vendor based in New York. A review of this vendor reveals weak security practices, such as minimal encryption for sensitive customer data. TechCorp realizes that if the integration moves forward without addressing this, they could inherit vulnerabilities that could lead to breaches in customer privacy.
C. Historical Data Breaches
Data Solutions experienced a data breach two years prior, but the incident was not well-contained, leading to residual risks. While no sensitive information was reportedly exposed, TechCorp assesses that similar incidents could continue post-acquisition unless stricter response protocols are established.
Integration and Security Enhancements
After identifying these risks, TechCorp negotiates terms to address cybersecurity issues before finalizing the acquisition. They establish a cybersecurity integration plan that includes upgrading outdated security measures, conducting a full audit of third-party vendors, and implementing more stringent data protection protocols. Additionally, TechCorp designates a Chief Information Security Officer (CISO) to oversee cybersecurity integration, related contracts, and continuous monitoring post-acquisition.
Outcome
By proactively addressing cybersecurity vulnerabilities, TechCorp prevents potential post-acquisition risks that could have led to data breaches, financial liabilities, and reputational damage. This case demonstrates how robust cybersecurity due diligence can help companies make informed decisions, protect their assets, and ensure a smoother M&A transaction. This illustration underscores the need for acquirers to evaluate not only internal cybersecurity practices but also external dependencies and historical risks. By doing so, they can safeguard against inheriting security liabilities and ensure a more secure and successful integration.
Common Cybersecurity Risks in M&A Transactions
Despite the importance of cybersecurity due diligence, many M&A deals, and the contracts that are part of them, proceed without adequate scrutiny of cyber risks, which can lead to substantial post-acquisition issues. Below are common cybersecurity risks that acquirers face:
A. Outdated IT Systems and Accumulated Risk
Many acquired companies operate on outdated IT systems that receive limited or infrequent security updates.[11] Such neglected infrastructure can pose significant risks to the merged entity. For example, acquiring a company with poorly maintained IT systems may result in costly post-acquisition investments to address cybersecurity gaps and protect against potential breaches.
B. Inadequately Managed Data Breaches
Companies that have experienced recent data breaches but failed to manage them adequately pose serious risks to the acquirer. These breaches not only bring financial liabilities and loss of customer trust but also raise questions about the target’s cybersecurity culture. In the case of Marriott’s acquisition of Starwood, the failure to identify a major data breach before finalizing the deal led to ongoing reputational and regulatory challenges.[12]
C. Third-Party Vulnerabilities
Cybersecurity risks are not limited to the target company’s internal network. Many companies rely on third-party vendors, contractors, and external systems, which can introduce vulnerabilities. During the acquisition process, conducting a cybersecurity audit of third-party dependencies and integrations is crucial to preventing external access points from compromising the acquiring company’s security.[13]
Solutions and Best Practices for Cybersecurity in M&A
Given the complex cybersecurity landscape, companies involved in M&A transactions must adopt best practices and relevant contracts to mitigate risks and protect their assets. These practices are particularly relevant for high-value transactions in major markets like Miami, New York, and Cleveland, where large volumes of sensitive data are frequently exchanged.
A. Establish a Cybersecurity Integration Plan
A well-designed integration plan is essential for aligning cybersecurity practices across merged entities. This plan should address IT infrastructure consolidation, policy standardization, and the establishment of a unified incident response team.[14] Cybersecurity integration can also include training employees on new security protocols and implementing relevant contracts for protection, both of which are crucial to minimizing risks associated with human error. As seen in the Marriott-Starwood case, integrating IT and cybersecurity systems as early as possible can prevent overlooked vulnerabilities from being exploited.
B. Incident Response and Recovery Planning
A structured incident response and recovery plan, together with contractual language providing for it, is necessary to manage potential cybersecurity incidents that may arise post-acquisition.[15] The plan should designate an incident response team, outline communication protocols, and establish clear recovery procedures. Having a response framework in place can help the company minimize damages if an incident occurs, which is particularly critical in the post-acquisition phase when systems are integrating and vulnerabilities may still exist.
C. Continuous Monitoring and Threat Intelligence
Once the acquisition is complete, continuous monitoring for potential threats is essential.[16] Threat intelligence tools can identify unusual activities and alert the company to potential breaches. By proactively monitoring network traffic, conducting regular security assessments, and investing in real-time detection systems, companies can stay ahead of evolving cyber threats.
D. Clear Governance and Accountability
Clear governance structures and accountability for cybersecurity play a crucial role in maintaining security standards within the merged organization. Companies should designate cybersecurity leadership roles, such as a Chief Information Security Officer (CISO) or a dedicated cybersecurity manager for M&A.[17] Assigning these roles, and noting this in the contractual language, ensures that cybersecurity measures are enforced consistently and that there is accountability within the organization.
E. Real-World Illustrative Cases of Cybersecurity in M&A
The Verizon-Yahoo and Marriott-Starwood transactions serve as cautionary tales that underscore the critical importance of comprehensive cybersecurity due diligence in M&A. In Verizon’s acquisition of Yahoo, a $350 million reduction in the deal’s value followed Yahoo’s disclosure of previous data breaches, revealing the financial impact of cybersecurity lapses on acquisition values. As noted, beyond the monetary loss, Verizon faced reputational challenges and increased costs to address the inherited security vulnerabilities.
Similarly, Marriott’s acquisition of Starwood uncovered a massive data breach in Starwood’s systems, prompting regulatory scrutiny and significant remedial obligations. To address the fallout, Marriott was required to adopt a Data Minimization Policy, ensuring that personal information is retained only as long as necessary and disclosing its specific purpose and business need.[18] The company also had to implement a Comprehensive Information Security Program, certified annually to the FTC for 20 years, which includes robust safeguards and independent biennial assessments.[19] Additional measures for customers included a process to review unauthorized activity in Marriott Bonvoy accounts, restoration of stolen points, and a link to request the deletion of personal information tied to an email address or loyalty account.[20]
These cases underscore the severe consequences of overlooking cybersecurity risks during M&A. Thorough assessments are essential to identify vulnerabilities, mitigate potential liabilities, and establish post-acquisition safeguards, protecting acquirers from financial losses, regulatory penalties, and reputational harm.
Conclusion and Practical Next Steps

Practical Steps for Securing M&A Transactions
Successfully addressing cybersecurity in M&A transactions requires a strategic, proactive approach. The following ten steps can guide companies toward establishing greater security throughout the M&A process:
- Conduct a comprehensive cybersecurity due diligence assessment.
- Inventory and assess the target company’s data assets.
- Review the target’s compliance with relevant cybersecurity regulations.
- Analyze past cyber incidents for insights into potential risks.
- Develop a detailed cybersecurity integration plan and include any concerns in contractual language.
- Establish an incident response and recovery plan.
- Ensure continuous monitoring and threat intelligence post-acquisition.
- Audit third-party dependencies and access points.
- Assign cybersecurity leadership roles within the merged organization.
- Conduct regular security training for employees and stakeholders.
These steps provide a robust framework for companies to protect their assets and achieve successful, secure M&A transactions.
About the Authors

Nouvelle L. Gonzalo, Esq.
Nouvelle L. Gonzalo, Esq. is a magna cum laude graduate of New York University, an honors graduate of the Ohio State University College of Law, and was a visiting scholar at St. Anne’s College at Oxford University in Oxford, England. Atty. Gonzalo is a U.S. and international corporate lawyer who works with companies across the globe on their contracts, mergers and acquisitions, and cross-border transactions. She is the managing attorney of Gonzalo Law PLLC, a U.S. and international corporate law firm with offices in Florida and Ohio that will open additional offices in New York, London, and Singapore. In addition to the active practice of law, she served as adjunct faculty of international corporate law at the University of Florida, Levin College of Law for three years. She has been recognized among the top 2.5% of Florida lawyers as a Rising Star by the national organization Super Lawyers from 2019-2024. Her practice areas include: U.S. corporate contracts, mergers and acquisitions, non-profit law, healthcare corporate law, international corporate law, and intellectual property law. Atty. Gonzalo resides in Gainesville, Florida and has two children. She can be reached at [email protected] or via phone at 855-466-9256.

Macarena Bazan
Macarena Bazan is a Juris Doctor candidate at the University of Miami School of Law, expected to graduate in May 2025. Macarena is a Law Clerk for Gonzalo Law PLLC, a U.S. and International Corporate Law Firm. Additionally, Macarena is a Senior Notes and Comments Editor for the Miami Business Law Review Volume 33 and a Fellow for the Startup Clinic at the University of Miami School of Law.
[1] John Hauser et al., Cybersecurity Due Diligence in M&A and Divestitures, ERNST & YOUNG, https://www.ey.com/en_us/services/strategy-transactions/cybersecurity-mergers-acquisitions-divestments (last visited Nov. 18, 2024).
[2] Anjali Athavaley & David Shepardson, Verizon, Yahoo Agree to Lowered $4.48 Billion Deal Following Cyber Attacks, THOMSON REUTERS (Feb. 21, 2017, 4:23 PM), https://www.reuters.com/article/business/verizon-yahoo-agree-to-lowered-448-billion-deal-following-cyber-attacks-idUSKBN1601EK/.
[3] Beth Stackpole, MIT Report Details New Cybersecurity Risks, MIT (Apr. 30, 2024), https://mitsloan.mit.edu/ideas-made-to-matter/mit-report-details-new-cybersecurity-risks.
[4] Roland Trope & Tom Smedinghoff, The Importance of Cybersecurity Due Diligence in M&A Transactions, BUSINESS LAW TODAY (Sept. 2017), https://www.jstor.org/stable/27031179.
[5] Seth Fiegerman, Verizon Cuts Yahoo Deal Price by $350 Million, CNN BUSINESS (Feb. 21, 2017, 9:12 AM), https://money.cnn.com/2017/02/21/technology/yahoo-verizon-deal/.
[6] FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches, FTC (Oct. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/10/ftc-takes-action-against-marriott-starwood-over-multiple-data-breaches.
[7] Due Diligence for Mergers and Acquisitions Through a Cybersecurity Lens, DELOITTE (June 15, 2021), https://www.deloitte.com/global/en/services/risk-advisory/blogs/due-diligence-for-mergers-and-acquisitions-through-a-cybersecurity-lens.html.
[8] Steve Alder, HIPAA Rules and Regulations, THE HIPAA JOURNAL (July 4, 2024), https://www.hipaajournal.com/hipaa-rules-and-regulations/.
[9] Mitigating Cyber Risk in M&A, CFGI (May 8, 2023), https://www.cfgi.com/resources/articles/the-benefits-of-cybersecurity-due-diligence-in-mergers-and-acquisitions/.
[10] GDPR Fines/Penalties, GENERAL DATA PROTECTION REGULATION, https://gdpr-info.eu/issues/fines-penalties/ (last visited Nov. 18, 2024).
[11] Andrew Jarvis, Navigating Technical Debt in M&A Transactions: Challenges and Solutions, LINKEDIN (Oct. 7, 2024), https://www.linkedin.com/pulse/navigating-technical-debt-ma-transactions-challenges-solutions-ponqe/.
[13] How SOC Reporting Can Help Assess Cybersecurity Risk Management in Third-Party Relationships — and Beyond, PWC, https://www.pwc.com/us/en/services/audit-assurance/digital-assurance-transparency/vendor-cybersecurity-risk.html (last visited Nov. 18, 2024).
[14] PWC, SUCCESS FACTORS IN POST-MERGER INTEGRATION (2017), https://www.pwc.de/de/deals/success-factors-in-post-merger-integration.pdf.
[15] Paul Cichonski et al., Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology, NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, http://dx.doi.org/10.6028/NIST.SP.800-61r2 (last visited Nov. 18, 2024).
[16] Tony Bradley, The Growing Importance Of Cybersecurity In Mergers And Acquisitions, FORBES (Oct. 7, 2024, 1:56 PM), https://www.forbes.com/sites/tonybradley/2024/10/07/the-growing-importance-of-cybersecurity-in-mergers-and-acquisitions/.
[17] The Importance of Cybersecurity Leadership, UNIVERSITY OF TULSA (Dec. 13, 2023), https://online.utulsa.edu/blog/cybersecurity-leadership/.
[18] Supra note 6.