In mergers and acquisitions, buyers impose stricter conditions on entrepreneurs seeking to sell their companies, including conditions regarding data and privacy (Conijn & Smit, 2023). At the same time, regulatory bodies such as the US Securities and Exchange Commission (SEC) are responding to the escalating cyber threats by expanding their rules about cybersecurity risk management. This article will explain what digital due diligence entails, why it is essential, which eight principles you can follow regarding data security, and how to avoid buying a pig in a poke company.
The role of cybersecurity in mergers, acquisitions and business operations
The heightened scrutiny of cybersecurity underscores the critical need for careful digital due diligence on digital assets and comprehensive risk assessments. In mergers and acquisitions, even a single misstep can have profound consequences, leading to substantial financial losses and reputational damage.
Fortunately, more and more due diligence is also performed for the technological departments of a company. This is not surprising, as technology proves an ever-larger factor in company processes and value driver (Amir et al). Moreover, notorious examples such as the acquisitions of DigiNotar by Vasco, Verizon by Yahoo and Marriott International by Starwood Hotels and Resorts Worldwide have shown the impactful consequences of insufficient digital due diligence.
In 2016, TalkTalk, a U.K.-based telecom business, was fined £400,000 when a threat actor accessed a customer database it acquired earlier was hacked.”: https://securityintelligence.com/posts/mergers-and-acquisitions-without-cybersecurity-risk/
MyFitnessPal was bought by Under Armour. Under Armour has started notifying users of the MyFitnessPal app of a security breach that took place in late February 2018, and during which hackers made off with the personal details of nearly 150 million user accounts. https://www.bleepingcomputer.com/news/security/under-armour-announces-data-breach-of-150-million-user-accounts/
Acquisition of Amerigroup by Anthem in 2012. Anthem estimates more than 246,000 TennCare Amerigroup members have been impacted by the data breach discovered on Jan. 29, 2015.
In the Yahoo incident, attackers successfully executed a spear-phishing attack, targeting a Yahoo employee. Through their credentials, the attackers got access to backed-up data. This example shows the importance of the principle of least privilege, as overprivileged user rights significantly simplify the task for cybercriminals to get into and, through “system hopping” explore the entire network since there was no network segmentation. Breaches like the one experienced by Yahoo can have far-reaching consequences. Combined with another breach experienced by Yahoo, this led to a 350 million-dollar reduction in the deal with Verizon (Athavaley & Shepardson, 2017).
Arguably, all business processes are, to a varying extent, dependent on technology and digital processes. Business and private life seamlessly integrate, and so does the data, including Intellectual property or confidential data valued as goodwill in any acquisition process. This data can sit everywhere, including in-home devices or smartphone storage like iCloud. In this context, digital due diligence is not merely a best practice but an absolute necessity.
Core principles to prevent you from buying a pig in a poke
In our digital world, various reasons exist to perform a digital due diligence assessment. At its core, digital due diligence aims to unearth potential security risks, serving as the foundation for various essential considerations, such as the firm's valuation and identifying the value drivers. This includes intellectual property, software technology, automation capabilities, subscriptions, unique market proposition, and potential threats to these value drivers.
Organisations can substantially enhance their operational efficiency in the long run by identifying security risks before the acquisition. This insight is valuable, as identifying critical security vulnerabilities can potentially stall or, in extreme cases, halt an acquisition entirely or influence the agreed acquisition sum. Consequently, being aware of these risks before the acquisition allows the buyer to request the seller to improve their security measures. Proper digital due diligence significantly contributes to the seamless integration of the acquired entity into the seller’s corporate environment, enhancing business continuity, avoiding hacks and minimising disruptions, or the so-called ‘pig in the poke’.
So thorough due diligence on technology, process, and human capabilities is instrumental in building trust and maintaining a good reputation. An acquisition involves assets, operations, and large quantities of customer and employee data. By identifying potential security risks and regulatory violations beforehand, reputation damage can be prevented. This also includes the evaluation of vendor relationships, as these third-party connections can often be a weak link in the supply chain.
Since company value drivers (value-creating assets) are more shifted towards the software technology in use, assessing the “Secure Software by Design” principles or the use of good practices such as a Software Bill of Materials (SBOM) is needed. The software should be diligently checked to avoid buying technology dept or an inferior software technology stack. Furthermore, digital due diligence not only encompasses technological aspects but also includes evaluating the company’s cyber security culture and the awareness level among its employees. This proves true in the Marriott International case, in which attackers likely gained unauthorised access to the Starwood guest reservation database via a phishing email (Fruhlinger, 2020). The breach had started in 2014, two years before Marriot acquired Starwood, but was not discovered until after the acquisition was completed.
Also, digital due diligence is pivotal in safeguarding intellectual property (IP). Particularly in acquisitions around acquiring specific technologies, the value of these core assets is of great importance. A notable cautionary tale is the case of DigiNotar, where the company’s main assets, its certificates, were illicitly replicated, eventually leading the company to go bankrupt and the acquiring party Vasco, left empty-handed with a “Pig in a Poke”. Comprehensive digital due diligence efforts are crucial in establishing that the IP is legally and technically protected and still holds substantial value. Awareness and deep knowledge of the technological and security status of the company, the leading suppliers and the exact identification of the value-driving assets to be acquired can significantly improve the transition period.
How to conduct Digital Due Diligence (DDD) yourself
The selling and buying parties can contribute to smoothening and accelerating the acquisition process. The selling company could show their security status based on any framework (e.g. CIS8, ISO27001, ISO27701 etc) in the form of periodic statements that they are in control of their digital security, risk, privacy and audits via a structured way of control testing. And adequately following up on audit findings. This is a good practice in general, not just before an acquisition. These so-called in-control statements can be generated with the Anove technology, based on 100+ international frameworks. This technology was developed to ensure companies with flawless strategic, tactical and operational processes. It visualises at all times the risks, security gaps and required actions.
The buying party can assess the in-control statements and use the Anove technology to conduct digital due diligence. The first step in this process is establishing the exact goal behind the acquisition. Do you want to increase your market share, eliminate the competition or even acquire a specific technology? The next step is determining what systems, software, data and other technological assets you need to achieve your objectives. Register all these highly valuable assets and their owners in the Anove application. After that, it is time to assess the risks to which these assets are vulnerable. The final step is to evaluate the controls implemented in the organisation based on a framework like Payment Card Industry Data Security Standard (PCI DSS), ISO27001 or NIST Cybersecurity Framework (CSF) or NIST 800-53 or other families.
- Corporate policies and technical procedures are in place, implemented and maintained (via testing procedures)
- An external security vulnerability assessment is performed in last 12 months
- Strong user account and access management (also for high privilege system users) is in place
- Asset identification and classification is performed
- Software security by Design practices are in place
- Segmentation of assets is performed and maintained
- Audit findings are known and tracked for resolution via a structured process
- Important third parties are known, assessed and periodically evaluated on risk and security
A baseline of 8 DDD statements
Regarding the digital due diligence process, you can do this yourself, but if you want genuine assurance, you must work with an independent technology auditor. In the figure below, you can see the core digital due diligence statements to ask. These are statements that can be answered with a true or false statement. If 50% is falsely answered, you have a Pig in a Poke. This is a subset of a total of forty questions and represents a large portion of a proper initial DDD. The entire DDD set of questions is part of the Anove technology; more information or a trail DDD can be requested via anove.io.
About the Authors
Yuri Bobbert PhD was the global head of IT Security, Risk and Compliance at NN Group NV. In 2018 Bobbert led the digital due diligence and integration process for the NN Group acquisition of DeltaLloyd. The €2.5 billion deal created the largest life insurance company in the Netherlands and was authorized by the Central Bank (DNB).
Iris van Holsteijn is a Young Cybersecurity professional at Anove International.
Athavaley, A., & Shepardson, D. (2017, February 21). Verizon, Yahoo agree to lowered $4.48 billion deal following cyber attacks. Reuters. https://www.reuters.com/article/us-yahoo-m-a-verizon-idUSKBN1601EK
E Amir , S Levi , T Livne Do Firms Underreport Information on Cyber-Attacks? Evidence from Capital Markets. Review of Accounting Studies , volume 23 , p. 1177 - 1206 Posted: 2018
Bobbert, Y., & Mulder, H.B.F. (2010). A Research Journey into Maturing the Business Information Security of Mid Market Organizations. International Journal on It/business Alignment and Governance, 1(4), 18-39. DOI:10.4018/jitbag.2010100102.
Conijn, F., & Smit, R. (2023, October 16). Koper grijpt de macht bij bedrijfsovernames. Het Financieele Dagblad. Consulted on October 25 2023, from https://fd.nl/bedrijfsleven/1493159/koper-grijpt-de-macht-bij-bedrijfsovernames
Fruhlinger, J. (2020, February 12). Marriott data breach FAQ: How did it happen and what was the impact? CSO Online. https://www.csoonline.com/article/567795/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html