Cyber security due diligence in M&A

This article is written by Kashish Goel, pursuing Diploma in M&A, Institutional Finance and Investment Laws (PE and VC transactions), from LawSikho.

Regardless of the size of the business, big or small, its leaders should have proper security measures in place to guard its data from cyberattacks, and should continuously improve those measures. Compared with other due diligence activities such as financial and legal assessment, cyber security due diligence is a relatively new field of risk assessment.

We are living in a digital age. Although it is more efficient than the one before it, the digital age brings its own challenges and problems. According to the Institute for Mergers, Acquisitions and Alliances, about 49,000 transactions worth roughly USD 3.8 trillion took place worldwide in 2018. As the world went digital, parts of the M&A process went digital too; in due diligence, the most visible example is the online (virtual) data room.

Traditionally, due diligence focused on business operations, the finances of the firm, legal matters and human resources. As businesses have become more dependent on technology, cyber security is gaining recognition as a fundamental element of the due diligence process.

What is cyber security due diligence?

Cybersecurity due diligence is the process of identifying and remediating the cyber risks posed by a third party. It is most often used to identify the risks associated with a potential target in an M&A transaction. During the process, the organisation collects insight into the third party's existing efforts to protect its data. Conducted correctly, it makes the acquirer aware of any irregularities, and the liabilities that come with them, that it will be assuming from the third party.

In the simplest terms, it is the step of the due diligence process in which the acquirer checks the quality of the protections the target company has over its digitally stored data, and whether that data has ever been compromised. The importance of this step is illustrated by the case of Marriott International and Starwood Hotels & Resorts:

Marriott International’s acquisition of Starwood Hotels & Resorts

On 16 November 2015 Marriott announced its plan to acquire Starwood. The merger was approved by the stockholders of both companies on 8 April 2016 and, following regulatory clearance (including by the Federal Trade Commission), closed on 23 September 2016. (Detailed Documents)

This merger underlines the impact a single M&A transaction can have when cybersecurity due diligence is not conducted properly. The 2016 deal created one of the world's largest hotel chains, with some 5,500 hotels in over 100 countries. Starwood's systems had been compromised in 2014, but because of the shortcomings in Marriott's due diligence this was not discovered until 2018, by which time Starwood's guest reservation database had exposed the personal data of over 500 million guests worldwide.

The UK Information Commissioner's Office (ICO) announced its intention to fine Marriott £99 million under the GDPR (the final penalty, issued in 2020, was reduced to £18.4 million), stating that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.

When is due diligence required?

Due diligence in the area of cyber security matters more than ever before: it checks the measures the target company has taken to protect its data, and we now create more data every day than at any time in the past.

“Let’s look at some statistics provided by the Visual Capitalist for how much data is generated each day:

  • 500 million tweets are sent
  • 294 billion emails are sent
  • 4 petabytes of data are created on Facebook
  • 4 terabytes of data are created from each connected car
  • 65 billion messages are sent on WhatsApp
  • 5 billion searches are made

By 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!”

A UC Berkeley study estimated that about 5 exabytes of new information was created in 2002, 92% of it stored on hard disk drives; only about half as much had been produced in 2000. The amount of data transmitted over telecommunication systems was about 18 exabytes, 3.5 times the amount recorded on non-volatile storage. The researchers estimated that new stored (uncompressed) information was growing at about 30% a year.

These figures show that more data is created each year, and businesses create much of it and store it in servers and databases around the globe. As the Marriott case above shows, this is why cybersecurity due diligence is required: to make sure that the data of the parties involved has not been breached, and that the privacy of the data and of the customers it belongs to is maintained.

Benefits of cybersecurity due diligence

  • Assessing the risks in the particular transaction before taking on liability.
  • Identifying any issues that may warrant restructuring the deal.
  • Understanding the threat landscape and identifying the common threats.
  • Giving the acquirer knowledge of how, and to what extent, the target company protects its data.

Let us now look at the steps for conducting cyber security due diligence.

Step-by-step process for conducting cyber security due diligence in M&A transactions

  1. Evaluate cyber security maturity and management
  2. Evaluate nature and risk profile of the data
  3. Evaluate cyber readiness to comply with key principles and regulations
  4. Evaluate third party as well as deep and dark web exposure
  5. Evaluate cyber insurance coverage

Conducting Cyber Security Due Diligence – Step 1

Cybersecurity due diligence should not be reserved for large acquisitions. Businesses of every size now rely on modern tools, IoT devices and digital connectivity services to conduct their business, process payments and deliver other services.

These services also give cyber criminals many more opportunities to launch attacks, disrupt business and steal data. Cybersecurity evaluations and audits should therefore be carried out so that every detail that could represent a potential threat is uncovered. This can also be seen as an opportunity: bringing the two parties together allows the combined business to build stronger defences going forward.

The first step in unearthing weaknesses in data security is the DATA INVENTORY: fundamental knowledge of what data is collected, where it is collected, where it is stored and, especially, how it is disposed of. The inventory also reveals any potential breaches of national and international regulations, and the further obligations that would apply.

A review of all external and internal security audits and assessments (firewall audits included) will identify the target's potential weaknesses, and is also critical for uncovering any data breaches that have not been disclosed.

Conducting Cyber Security Due Diligence – Step 2

Having established what needs to be protected and what it needs to be protected from, the next hurdle is to understand who has authorised access to the data, how the data is used, and which devices are used to access it. The effectiveness of a cybersecurity programme depends on how well it protects sensitive data on any device, within any application, anywhere in the world.

To maintain the required level of security, it is essential to know all the endpoints of every application, along with the policies that restrict access to sensitive data to authorised users only.

A detailed evaluation of all systems, networks and endpoints in the target enterprise is vital: it gives the M&A team the data they need to analyse the target's security posture and to devise a strategy for closing the cracks in its security foundation that could otherwise become future threats.

This will be critical, going forward, for planning how both entities combine and integrate their IT systems and processes. This should include aligning both IT organisations to address risks like insider threats, compliance concerns, and any potential external infiltration risk points that could impact ongoing data management and protection strategies.

Conducting Cyber Security Due Diligence – Step 3

Organisations participating in M&A activities must have full visibility into their own systems as well as those of the companies they are acquiring if they are to give security the attention it needs during a takeover process.

For example, if an account with administrative privileges is querying a database that holds customer information without authorisation, the acquiring firm must address that concern before the deal closes. Doing so will involve reviewing all security-related policies within both organisations and scrutinising the target's systems and data.

To safeguard the integrity of business-critical systems, the M&A investigative team will also need to lay the foundations for an integration strategy that minimises the risk of introducing new vulnerabilities as platforms, solutions and services are brought together. To ensure a safe IT ecosystem, organisations will need to be able to enforce granular security policies that include data encryption across all applications, data lakes and beyond, real-time data loss prevention, user access controls, and continuous monitoring that gives full visibility into both user activity and applications.
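As an added example, not part of the original article, here is the kind of check that steps 2 and 3 describe in practice: a data inventory classifies which database tables hold customer data, an access policy records which accounts may read each of them, and the target's database audit log is reviewed for reads of those tables by accounts the policy does not authorise, with administrative accounts (the concern raised above) flagged separately. The table names, account names, policy and audit log lines are all constructed for illustration, and the JSON-lines log format is an assumption; a real review would run the same logic over the audit export the target provides in the data room.

```python
"""Flag reads of customer-data tables that the documented access policy does not authorise.

Added example: all names, the policy and the audit log below are constructed.
"""
import json
from dataclasses import dataclass

# Constructed data inventory (step 1): tables that hold customer personal data.
SENSITIVE_TABLES = {"guest_reservations", "guest_profiles", "payment_cards"}

# Constructed access policy (step 2): accounts allowed to read each sensitive table,
# and the accounts that hold administrative (superuser) rights on the database.
AUTHORISED_READERS = {
    "guest_reservations": {"reservations_app", "dpo_reviewer"},
    "guest_profiles": {"crm_app", "dpo_reviewer"},
    "payment_cards": {"payments_app"},
}
ADMIN_ACCOUNTS = {"dba_ops", "svc_backup", "contractor_tmp"}

# Constructed audit log, one JSON object per line, as a database audit
# extension or a SIEM export might produce (assumed format).
AUDIT_LOG = """\
{"ts":"2024-03-01T02:14:07Z","user":"reservations_app","db":"target_prod","table":"guest_reservations","op":"SELECT","rows":120}
{"ts":"2024-03-01T02:15:31Z","user":"contractor_tmp","db":"target_prod","table":"guest_profiles","op":"SELECT","rows":4800000}
{"ts":"2024-03-01T02:16:02Z","user":"dba_ops","db":"target_prod","table":"pg_stat_activity","op":"SELECT","rows":40}
{"ts":"2024-03-01T02:17:45Z","user":"svc_backup","db":"target_prod","table":"payment_cards","op":"SELECT","rows":2100000}
{"ts":"2024-03-01T02:18:10Z","user":"marketing_analyst","db":"target_prod","table":"guest_profiles","op":"SELECT","rows":3500}
{"ts":"2024-03-01T02:19:55Z","user":"dpo_reviewer","db":"target_prod","table":"guest_reservations","op":"SELECT","rows":25}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    table: str
    rows: int
    reason: str


def parse_audit_log(text):
    """Yield parsed audit events; blank or malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a full review would report unparseable lines as a finding too


def review_sensitive_access(text, sensitive=SENSITIVE_TABLES,
                            policy=AUTHORISED_READERS, admins=ADMIN_ACCOUNTS):
    """Return one Finding per read of a sensitive table by an account outside the policy."""
    findings = []
    for ev in parse_audit_log(text):
        table = ev.get("table")
        if table not in sensitive:
            continue  # only customer-data tables are in scope for this check
        user = ev.get("user", "")
        if user in policy.get(table, set()):
            continue  # authorised reader under the documented policy
        if user in admins:
            reason = "administrative account reading customer data outside policy"
        else:
            reason = "account not authorised for this table"
        findings.append(Finding(ev.get("ts", ""), user, table, int(ev.get("rows", 0)), reason))
    return findings


def summarise(findings):
    """Group findings by account and table so the diligence report can list who to question."""
    by_user = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.table)
    return {user: sorted(tables) for user, tables in by_user.items()}


if __name__ == "__main__":
    for f in review_sensitive_access(AUDIT_LOG):
        print(f"{f.ts} {f.user:<18} {f.table:<20} rows={f.rows:<9} {f.reason}")
```

The row count is kept on each finding because, in a diligence review, a privileged account that pulled millions of customer rows is a very different question for the target's management than one that read a handful; the output of this check is a list of accounts and tables to ask about, not a verdict, and every answer should be cross-checked against the access policy the target supplied.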

The need for cyber security grows as businesses grow and occupy more and more of the digital world. So, when two or more companies enter into a business deal, thorough due diligence in the area of cyber security is one of the most important aspects of the process, whatever the size of the business: finding a breach early not only saves the company huge sums in penalties, as the Marriott-Starwood case shows, but also protects the privacy of its customers. Cyber security threats will keep rising and no one can provide 100% protection against them, but a company can minimise their impact by doing what it can to protect its data, not only in its own operations but in the businesses it acquires as well.
