7 Tips for Conducting Effective Cybersecurity Due Diligence in M&A Transactions

Latham & Watkins LLP

1. Start Early

Buyers should begin conducting cybersecurity risk assessments early in the engagement process. The target should be able to identify which information technology systems and data sets are key to the business and explain how the company protects them.

2. Tailor Diligence

Based on the information gleaned during the initial risk assessments, the buyer should tailor its diligence based on the type of information being handled, the industry, and how important information security is to the target’s bottom line.

3. Assess Awareness

Does the target’s management team have cross-functional awareness of cyber risk and their security program? If so, this is a sign of a mature security program. A security program will not be effective if it exists in a silo inside the information technology department. All substantial stakeholder departments should be involved in cybersecurity risk management.

4. Ask the Experts

In order to accurately assess cyber readiness and potential liabilities, buyers should assemble deal teams that include subject matter experts. The deal team should be nimble and focus on the specific industry, as cybersecurity risks are highly variable across sectors.

5. Ensure Payment Card Industry Compliance

If the target accepts, processes, stores or handles cardholder payment data streams, buyers should pay special attention to compliance with the Payment Card Industry Data Security Standard (PCI DSS). Done properly, PCI DSS compliance is costly and requires constant adaptation and optimization to new threats and standards.

6. Consider Other Risks

Payment and card security are not the only risks to be concerned about. Theft of trade secrets, state-sponsored espionage and cyber attacks that cripple corporate networks can be just as damaging to a target business. Buyers should ask questions about any historical incidents in these areas and assess the target’s measures for preventing similar future breaches or attacks.

7. Consider Cyber Insurance

Buyers should evaluate which of the target’s cyber risks will be mitigated by insurance coverage. Today, most cyber insurance policies cover a data breach and the crisis management expenses associated with complying with data breach notification laws.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Latham & Watkins LLP | Attorney Advertising
