How Important Is Cybersecurity in M&A?

Sep 23, 2020

Even though cybersecurity considerations have become part of the mergers and acquisitions (M&A) process, data breaches remain commonplace at acquired companies, raising suspicions that cybersecurity doesn’t get as much attention as it should, according to a recent TechCrunch article.

“The fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats,” the article says.

The author makes it a point to mention that “past or potential cyber threats are no longer ignored in the due diligence process,” but stresses that pressures associated with the M&A process result in overlooking cybersecurity concerns. Buyers typically are given three to six weeks to decide whether to bid on a company, leaving them little time to consider cybersecurity issues.

Instead, acquirers tend to focus on more traditional due diligence considerations such as valuation, accounting practices, debt and synergies between the acquiring and selling company.

These are all important factors, of course, but neglecting a company’s cybersecurity practices can have serious consequences. If weak cybersecurity practices surface after an M&A deal is completed, the acquiring company is likely to end up owning the liability for any potential breaches.

It Matters

The TechCrunch article argues for the inclusion of cybersecurity, and we may already be seeing a trend in the right direction. (ISC)² conducted a study in 2019 showing that security considerations have indeed become a major influence on M&A deals.

The Cybersecurity Assessments in Mergers and Acquisitions report from (ISC)² revealed that cybersecurity audits have become standard practice for all respondents. Survey respondents consisted of executives and advisors involved in M&A activity. In addition, the study found that an organization’s cybersecurity tools and practices, and overall security posture, can determine the fate of a deal.

Furthermore, nearly half of respondents (49%) said the discovery of previously undisclosed security breaches would derail an agreement, and 77% make M&A recommendations based on the strength of an organization’s cybersecurity program. The research also showed that 95% of respondents consider cybersecurity programs a tangible asset.

It’s likely that while buyers are taking cybersecurity concerns into consideration, they are prioritizing them less than other considerations. It’s a calculation that each acquirer has to make on a case-by-case basis, but from a seller’s perspective, the relevant point is that cybersecurity programs and practices matter. And as more attention is drawn to cybersecurity in the M&A process, as the TechCrunch article is urging, they will matter more and more.