Cybersecurity in DD

This topic contains 3 replies, has 4 voices, and was last updated by Rochelle Ramos 1 year, 2 months ago.

Viewing 4 posts - 1 through 4 (of 4 total)


    Do you believe that a target’s cybersecurity mechanisms are an important part of the due diligence consideration? If so, to what extent would your team go both from a technical and legal standpoint?


    Maria Villanueva

    Absolutely! IP is one of the key commodities of any merger/acquisition and it is important to know what level of risk the IP has been based on cybersecurity measures inherent to the target company. Depending on the products and services, I would do a risk assessment first and then audit the controls in place. For example, I’ve been in the field of medical device and Dx product design and development and know for a fact that our servers are constantly under attack by hackers from other countries. It’s amazing to get some actual data on how many times this happens in a day. And the occurrence has just become more familiar as the internet and tools become more complex. The design is at risk and the IP becomes at risk. Also, one thing to note is that most of the regulated devices are using mobile platforms and this puts patients at risk as well if the database or algorithms of the device are affected. Yes, it is totally important in due diligence to assess the risk it poses and the security measures and mitigation controls in place to eliminate the risk.


    Adam Bates

    Yes! Information security is a critical component to due diligence. The acquiring company’s information security team should be heavily involved with understanding how the target company’s information security program operates, identifying and understanding known vulnerabilities, and building any risks into the deal model and integration plan. Identifying and mitigating obvious risks, not just in technology, is critical to a successful acquisition.


    Rochelle Ramos

    Definitely! The extent of involvement can become very complex, depending on the type of company. For example, I previously worked for an escrow company where we assisted with the signing of mortgage and title documents for the purchase of property. Risk of identity theft, fines for not protecting individuals’ personal information, and the damage that can be done to a company’s reputation for putting information at risk can be a huge concern during the due diligence phase. Having your IT or Security team heavily involved will help identify the risks, steps that will need to be implemented either before the final sale or immediately after, and costs to implement. Large financial risks that could be identified might even change the decision of acquiring the company.
