Close this search box.
Close this search box.

Cybersecurity Due Diligence: 6 Key Questions To Ask Your CIO Before An Acquisition

Given the current cyber environment, one would expect cybersecurity assessment to be a standard component in the M&A due diligence tool kit. Surprisingly, that’s not always the case.

Given the current cyber environment—with companies of all types targeted by hackers, and with large, sophisticated organizations reporting major data breaches—one would expect cybersecurity assessment to be a standard component in the M&A due diligence tool kit.

Surprisingly, that’s not always the case: one recent industry study found that 78% of deal makers believe that cybersecurity is not a risk that’s currently analyzed in-depth, or even addressed properly in the due diligence process.

For buyers and sellers alike, expertise in assessing data-related risks must be applied at the front end of every transaction and throughout the deal, to gain a reliable and complete assessment of the target company’s cyber exposure and readiness. This will ensure that deal terms and deal value are equitable, and that post-closing opportunities to strengthen security can be implemented. applied.

Here are a few critical questions that buyers should ask, and that sellers should be prepared to answer, in the due diligence process:

What’s the nature and risk profile of the data? The target company should clearly articulate what IT systems, data sets and business processes are most valuable and vulnerable, and explain how the company protects and exploits them. This review is only partly about data privacy, as contractual rights and IP protection can also affect the data’s valuation.

What cybersecurity controls and crisis management plans are in place? The target company should summarize administrative, technical and physical information security controls that safeguard its most critical data sets. These include technical controls—boundary and malware defense, data encryption, intrusion detection systems, etc.—administrative measures and physical security. A documented crisis management/incident response plan should also be in place.

How cyber savvy is senior management? If the target company’s senior leadership does not demonstrate a sophisticated understanding of data security risks, that suggests the responsibility is siloed within the IT or information security functions. If the entire internal culture is not focused on data security, the company is at much higher risk.

What’s your 3rd party exposure? If vendors hold or have access to sensitive data, the target company should have a formal vendor risk management program, as well as detailed agreements and supervision disciplines that address a broad range of legal, liability and procedural issues.

What does your cyber insurance really cover? Most cyber insurance policies cover expenses related to data breach and privacy crisis management, but buyers need to closely examine policies for details, such as exclusions, deductibles, coverage periods and limitations.

Can we stress test your security protocols? A target company’s evidence in due diligence can sometimes be aspirational, rather than reflective of operational reality. A primary due diligence objective should be to probe and test, within reason, whether the target company’s representations stand up to scrutiny.

Most officers and directors understand the impact of software application and data security vulnerabilities on their organization’s profitability and reputation, as well as the disruption to productivity and business processes. However, M&A practices are only now beginning to adopt the rigor and sophistication required to properly evaluate those assets and risks prior to a transaction.


  • Get the CEO Briefing

    Sign up today to get weekly access to the latest issues affecting CEOs in every industry
  • upcoming events


    Strategic Planning Workshop

    1:00 - 5:00 pm

    Over 70% of Executives Surveyed Agree: Many Strategic Planning Efforts Lack Systematic Approach Tips for Enhancing Your Strategic Planning Process

    Executives expressed frustration with their current strategic planning process. Issues include:

    1. Lack of systematic approach (70%)
    2. Laundry lists without prioritization (68%)
    3. Decisions based on personalities rather than facts and information (65%)


    Steve Rutan and Denise Harrison have put together an afternoon workshop that will provide the tools you need to address these concerns.  They have worked with hundreds of executives to develop a systematic approach that will enable your team to make better decisions during strategic planning.  Steve and Denise will walk you through exercises for prioritizing your lists and steps that will reset and reinvigorate your process.  This will be a hands-on workshop that will enable you to think about your business as you use the tools that are being presented.  If you are ready for a Strategic Planning tune-up, select this workshop in your registration form.  The additional fee of $695 will be added to your total.

    To sign up, select this option in your registration form. Additional fee of $695 will be added to your total.

    New York, NY: ​​​Chief Executive's Corporate Citizenship Awards 2017

    Women in Leadership Seminar and Peer Discussion

    2:00 - 5:00 pm

    Female leaders face the same issues all leaders do, but they often face additional challenges too. In this peer session, we will facilitate a discussion of best practices and how to overcome common barriers to help women leaders be more effective within and outside their organizations. 

    Limited space available.

    To sign up, select this option in your registration form. Additional fee of $495 will be added to your total.

    Golf Outing

    10:30 - 5:00 pm
    General’s Retreat at Hermitage Golf Course
    Sponsored by UBS

    General’s Retreat, built in 1986 with architect Gary Roger Baird, has been voted the “Best Golf Course in Nashville” and is a “must play” when visiting the Nashville, Tennessee area. With the beautiful setting along the Cumberland River, golfers of all capabilities will thoroughly enjoy the golf, scenery and hospitality.

    The golf outing fee includes transportation to and from the hotel, greens/cart fees, use of practice facilities, and boxed lunch. The bus will leave the hotel at 10:30 am for a noon shotgun start and return to the hotel after the cocktail reception following the completion of the round.

    To sign up, select this option in your registration form. Additional fee of $295 will be added to your total.