The Bedel Security Blog

Cybersecurity Due Diligence During an Acquisition

Written by Brian Petzold | May 3, 2019

When acquiring another company, it is common to perform due diligence to ensure that there are no surprises. For a financial institution, this due diligence usually focuses on auditing the financials and the loan portfolio. Many institutions give little thought to cybersecurity due diligence when making an acquisition, but they should: the cost of unexpectedly having to add controls after the deal closes can take a considerable bite out of the expected profits.


There is also the risk that the company being acquired has already been breached. There have been notable cases recently in which companies discovered too late that their new acquisition had been breached before the merger. Those companies then had to bear the expense of responding to the breach as well as the PR backlash from not having discovered it during due diligence. To avoid cybersecurity surprises after an acquisition, we offer these tips for performing due diligence before the acquisition:

  1. Ask whether any breaches have occurred: If the seller has experienced a breach, you need to know about it so that you can investigate it and ensure there will be no further damage. Sellers are not always eager to share this news, so ask directly, and in writing, whether there have been any breaches or other notable security events in the past.
  2. Assess the cybersecurity controls that are in place: Even if you plan to replace every control immediately, you should assess what is currently in place. This will help you identify areas where you may want to dig deeper to ensure a breach has not already occurred, and will highlight areas where you may need to focus on educating staff after the merger.
  3. Perform a penetration test and vulnerability assessment: A penetration test can help you gauge the likelihood that a breach has already occurred. If the tester can immediately breach the network of your potential acquisition from the Internet, there is a good chance that someone else already has. A penetration test or vulnerability assessment will sometimes also uncover signs that a breach has already occurred, although a test that finds no way in is not proof that no one has ever gotten in; reviewing logs and systems for indicators of compromise is a separate exercise. The vulnerability assessment will also help estimate how much work your IT staff will need to do to bring systems up to your standards.
  4. Look at policies, standards, and procedures: You can learn a lot about the cybersecurity maturity of the other company by assessing its policies and procedures. If they are strong, you will find it easy to talk to their employees about security. If they are weak, you may find it difficult to convince their staff that security is important.
  5. Look at the risk assessment: Ask for a copy of the most recent risk assessment. Consider performing one yourself if there is no recent assessment, especially if you plan to retain the existing systems for a long period of time. The risk assessment will help identify missing controls at the asset level that may have escaped scrutiny during the other assessments.
  6. Look at audit and exam findings: Audits and exams will often highlight areas where improvement is needed. You will inherit these findings, so it is best to understand them before the sale is complete.

From all of the assessments above, be sure to list every required action and estimate the cost of remediation. While you are still in the due diligence stage, you have an opportunity to negotiate these costs into the deal.

Bedel Security often assists our customers in performing cybersecurity due diligence of potential acquisitions. If you need some help in this area, please do not hesitate to contact us at support@bedelsecurity.com!