5 min read

Cyber due diligence is increasingly taking the spotlight when considering M&A transactions. With the rise of cyber attacks across organizations, acquirers are now having to address the impact of a target company’s incidents to determine the deals they make. According to EY Global Information Security Survey 2018-19, 77% of organizations have limited cybersecurity. Cyber due diligence is important to avoid the devaluation of your organization.

What is cyber due diligence?

The official definition of cyber due diligence is ‘the review of governance, processes and controls that are used to secure information assets’. Essentially, cyber due diligence teams will gather a target’s risk profile and make recommendations to the purchaser.  

Would you buy a home without having it inspected by a surveyor? Many people wouldn’t. In the past, the lack of inspection has proven to cause traumatic consequences. Take the Grenfell Tower fire of 2017. The lack of inspection in the build, design, and maintenance of this residential building (and many others discovered after the tragedy) has made building due diligence a crucial aspect to many organizations. The same can be said when applying cyber due diligence. Proper attention to issues within a target company will allow more informed decisions and safer outcomes.

The importance of cyber due diligence is seen through the example of Yahoo! In late 2004, senior offices and legal staff learned that unauthorized access to its computer network had been gained by what Yahoo! had identified as ‘state-sponsored actor’. However, the board had not received a report. In 2016, Yahoo! and Verizon Communications entered a stock purchase agreement. Yet, around the same time, a hacker claimed to have obtained Yahoo! user data. Shockingly, after doing checks they found that up to 500 million user accounts had been stolen from Yahoo!’s network in 2014. Not surprisingly, this meant Yahoo! had to modify their terms with Verizon.

This proves how cyber due diligence is essential when making M&A transactions as it strongly influences the decision of the acquirer in regards to their target company. 

Financial, Legal and Technical Due Diligence

Although cyber due diligence does not provide an accurate picture, it still allows the acquirer to have a good approximation of the condition of a target’s digital assets. An acquirer will have a process in their assessment of a target company and will examine:

• How much money does the company have, spend and earn? 
• What are the margins of the target’s competitors?
• Is the company in any debt?

This is financial due diligence. Every investment has a level of risk. There needs to be in-depth research to understand the risk well, and to avoid any harm to either party in the transaction. Avoiding financial due diligence can result in misunderstandings from the investor and cause them to be responsible for financial loss after the deal is closed.  If you’re a business owner, ask yourself:

• Does your company own the software?
• What is the IP ownership of the software your company has created?
• Is your company in compliance with its legal obligations with respect to software licences, software updates, data protection and processing laws?
• What are the risks if compliance fails?

Here we have legal due diligence. This helps both entities work together to push forward a deal by addressing any legal problems that might be obstructing a decision. So this is when an M&A document will be produced. Legal due diligence is very important: the general law does not, in the absence of fraud or misrepresentation, protect the acquirer if they later see the business is not what they understood it to be. So buyer beware! Understanding the target’s liabilities is crucial. Make sure your legal team knows what they are doing, as they have the important role of communicating to external advisers.

• Assess the infrastructure of the company 
• Assess and network of the company
• Assess the security and intellectual property risks of a company’s software products by reviewing its software bill of materials (SBoM).  Are all the software’s dependent components used according to their respective licences and rightfully owned?  Are the third party and open source software free of security vulnerabilities?
• Evaluate the cybersecurity program protecting the high-value digital assets: is it appropriate?

• Look at the target company’s previous breaches and how they responded to the incident?
• Assess the target’s resilience and ability to resist cyber attacks on their digital assets in the future

Be a technical due diligence wiz and know what your technical assets are. Technical due diligence allows to identify any vulnerabilities within the software or network of the target company. Look at the product, the infrastructure and its processes. Many software applications rely on open-source software components. If left unsecured (or used at whim without due diligence assessing its risk to the business), this creates a potential weakness for organisations from two aspects. Firstly, vulnerable open source components are popular attack vectors for cyber attackers. Secondly, having components with a licence that’s not compatible with your company’s policy could harm your business. Companies should make sure their software is being used in compliance with its licence so they can avoid being sued for improper use of intellectual property.

As seen with the example of Yahoo!, the lack of technical due diligence allowed Verizon to make an uninformed decision. Although this was also a problem with Yahoo! not disclosing the issue, it shows how legally the deal had to be adapted and both companies suffered financial loss. This shows the integrated importance of financial, legal and technical due diligence, and the areas that need to be addressed by the acquirer during M&A transactions and considerations. 

How can Meterian help with due diligence process?

With Meterian, you can automate the due diligence of identifying and patching open source risks in minutes. Immediately see if open source components used in your team’s project code bases are free of security, stability and licensing risks. So that you don’t run into any surprises down the line in your code’s software supply chain. 

Although open source applications are built to a very high standard, open source software does not come with any guarantees of quality.  It is the user of the open source software that is responsible for assuring its quality (and therefore data processing security). There are still licence agreements one must comply with.  Since anyone can download and use open source software, without payment, it’s difficult for organisations to know what’s used in their code bases. Meterian helps companies ensure their software is audit ready and all open source licences are compliant and business friendly. Our software scanner runs and checks as developers build the software, so why not put your mind at rest and strengthen your business? See sample reports and analyse 1 free codebase by signing up on our website today.