Over the years, we have seen an increase in mergers and acquisitions throughout the United States. Statistics reveal that between July and September 2021, mergers and acquisitions across industries including finance, commercial services and manufacturing reached over 4,700. In previous years, the due diligence process for a merger and/or acquisition consisted of reviewing financials, accounts receivable, the customer database, products/services, facilities, etc.
In the past, information technology (IT) was not the critical area it is today. Technology improvements have brought more cyber risk with them; therefore, IT due diligence is a critical step and must be included in the due diligence process before a merger or acquisition occurs. The objective of the review is to determine the cyber risk and develop a Plan of Action to mitigate it. Many companies do not have an up-to-date IT infrastructure and may be running End of Life equipment that would be costly to replace. A comprehensive evaluation must be completed to obtain a global overview of the company. IT due diligence should consist of evaluating equipment, software, software licenses, the data protection process, cybersecurity, IT infrastructure, etc. Some items to be covered are:
- How does the company store and protect sensitive data?
- Evaluate software licensing
- Evaluate equipment for Out of Date / End of Life issues
- Have they experienced a breach?
- Complete a Cybersecurity Risk Assessment
- Have they implemented cyber solutions to reduce the exposure to a breach, such as Endpoint Protection, a Security Operations Center / Security Information and Event Management (SOC/SIEM), Patch Management, Multi-Factor Authentication (MFA), Mobile Device Security, etc.?
- Do they have firewalls and backups?
- How are they backing up their data, and how often do they back it up?
- Have they implemented cybersecurity policies and procedures?
- Do they have cybersecurity insurance? If so, are they meeting the requirements?
- How often are they conducting Vulnerability Scans? Are they fixing the vulnerabilities found in a timely manner?
- Evaluate the experience and expertise of the Information Technology staff
Evaluating cybersecurity policies is crucial, since policies are the foundation of a strong and secure Information Security Infrastructure. For policies to be effective, they must be accompanied by procedures outlining the steps of implementation. In addition to evaluating the cybersecurity policies/procedures and completing cyber due diligence questionnaires, a Security Risk Assessment must be completed. A detailed Security Risk Assessment identifies any existing cybersecurity issues, giving a better understanding of the cybersecurity risks facing the merger or acquisition.
An in-depth IT due diligence allows the buyer to identify the current IT infrastructure, including any legacy systems. Cyber threats are at an all-time high, especially since the United States is receiving cyber threats from Russia. Therefore, it is highly recommended to add IT due diligence to the review process before a merger or acquisition occurs.