Cybersecurity in M&A strategy


Strategic and tactical actions for mergers and acquisitions


Mergers and acquisitions require a mix of strategic and tactical work – cybersecurity is usually an item on the tactical list.

Many organizations are drawing up plans for mergers and acquisitions right now, as leaders look for growth after the pandemic slowdown, and as new business models emerge. However, weakened cybersecurity hygiene throughout the last year means that these M&A transactions elevate the risk of cybersecurity incidents.

“M&A can be a breeding ground for cyberattacks and data breaches,” said Grant Thornton Risk Advisory Services Senior Manager Rohan Singla. “Stringent due diligence that includes a focus on cybersecurity will help reduce regrets later in the deal lifecycle.” Today’s M&A plans need to include cybersecurity at several strategic and tactical points, to address growing scrutiny from regulators and other evolving cybersecurity risks.

Cybersecurity risks in M&A

  • Regulators worldwide are increasing scrutiny on deals, to protect the data of citizens and reduce threats to national security
  • Fines for non-compliance are rising as regulators look to set examples
  • Acquiring targets with poor cybersecurity and privacy hygiene will cause customer mistrust
  • Dormant hackers within the target’s network can find a new opportunity to strike after M&A
  • Existing vulnerabilities and poor cyber hygiene of targets will be inherited and will have to be remediated
  • Insider threats have grown – including targeted attacks on top executives, negligence and deliberate sabotage
  • Unreported data breaches can be identified and stop or delay the deal




Create an M&A cybersecurity playbook


As an M&A deal progresses through its lifecycle, cybersecurity and data privacy risks steadily increase.

To successfully identify and monitor these risks in an ongoing and repeatable way, companies need an M&A cybersecurity playbook. “A repeatable cybersecurity playbook must be developed and followed when getting into a deal,” said Grant Thornton Cybersecurity and Privacy Principal and Leader Derek Han.

“Cybersecurity and data privacy should be an area of focus at every stage of the deal lifecycle. Senior executives tend to have a lot on their plate during the deal lifecycle and being prepared with a playbook beforehand can help reduce anxiety,” Han said.

M&A cybersecurity playbook





The M&A cybersecurity playbook can be broken into four stages:

  1. Screening: Plan for cybersecurity from the very beginning. During the screening stage, have a key stakeholder looking out for cybersecurity and privacy risks. Information security leaders within the firm are ideal candidates for this position. Involving them early at the beginning of the deal lifecycle is critical to ensuring a cybersecure deal. Also identify the target’s information security team composition and qualifications.
  2. Due diligence: Due diligence is the most important stage of the deal before day one of the transaction, and cybersecurity and privacy must be thoroughly evaluated at this stage to avoid any future regrets. Conduct cybersecurity risk assessments, vulnerability scans, penetration tests, and compromise assessment to the point agreeable. Evaluate compliance with privacy and regulatory requirements and look out for past and current findings or security and privacy incidents. Lastly, remember that everything has a cost associated with it. Factoring in every dollar required to assess and remediate cybersecurity vulnerabilities, upgrading outdated cybersecurity practices and capabilities, such as technology licensing costs, third-part consulting costs, integration costs, training and awareness costs.
  3. Announcement: There can be a lot of media coverage during the announcement stage, which sometimes alerts malicious groups and other threats. The risks go up significantly from this stage onwards, and risks must be monitored proactively. This is also a stage where strategic and tactical decisions need to be made.
  4. Closure: When the deal is being completed in this final stage, the cybersecurity and privacy actions required for success are far from being complete. Cybersecurity integration in this stage can be the most challenging part of the deal journey, as the acquirer and target looks to integrate capabilities across both firms.




Create an M&A cybersecurity framework


An M&A cybersecurity framework can provide a template for guiding cybersecurity integration.

M&A cybersecurity framework




The framework builds upon the careful consideration given to cybersecurity and privacy matters during the due diligence stage. The findings from the due diligence results lay the foundation for the integration effort.

The cybersecurity framework should focus on four key factors, with the end in mind:

  1. Enable business goals
  2. Reduce cyber risks
  3. Advance cybersecurity program maturity
  4. Contain business-as-usual (BAU) costs

Consider building on existing and required capabilities across these cybersecurity capabilities:

  • Network and infrastructure
  • Identity and access management
  • Application security
  • Security operations
  • Endpoint protection
  • Data protection
  • Insider threats
  • Third party risk management
  • Training and awareness
  • Security compliance




Execute the M&A cybersecurity plan


Your M&A cybersecurity execution plan needs to leverage the M&A cybersecurity playbook and framework with both tactical and strategic actions planned along the M&A journey. Below is an example, although the tasks, duration and sequencing must be tailored to your specific transactions.

Sample M&A cybersecurity plan





Tactical actions:

  • Specific cybersecurity threat monitoring must begin on day one and continue for at least the first phase of the merger or acquisition.
  • The due diligence risk assessment feeds into remediation of the high-risk issues, followed by remediation of the medium-risk and low-risk issues if needed.
  • A compromise assessment provides important input for identifying and isolating potential incidents and taking immediate actions to address them.

Strategic actions:

  • A comparative analysis of cybersecurity capabilities will inform the cybersecurity consolidation, business solution migration and subsequent support.
  • The cybersecurity integration strategy forms an important foundation for integrating cybersecurity policies, processes, and suppliers.
  • The target operating model for cybersecurity, once designed and established, will implement a one-team approach in supporting the cybersecurity program going forward with defined performance metrics and control monitoring.

The M&A cybersecurity playbook and framework execution must include change management to ensure that business users are on board and can continue business as usual. Throughout the M&A transaction, your project management and change enablement resources should be fully engaged. Make sure to prepare your team’s skill sets, bench strength and industry expertise in advance. Evaluate and prepare any additional internal and external cybersecurity resources that you will need to call upon during the transactions.

In the crucial period before and after a merger, cybersecurity teams have a unique opportunity to reduce risks and add value to the business. However, they must employ careful planning, precise execution and close consultation with business and IT leaders to ensure a successful cybersecurity integration.






Our cybersecurity and privacy insights