The cybersecurity industry is in the midst of an M&A wave as larger companies expand their product lines via inorganic growth. This has been the case with recent deals such as Symantec and Blue Coat, Avast and AVG, Cisco and CloudLock, IBM and Resilient Systems, and Carbon Black and Confer. Cybersecurity is hot because the stakes are so high. Hacking has become more sophisticated and frequent, which ups the demand for security products that can better detect, defend against and remediate cyber threats.


Corporations know that not having the most advanced and sophisticated cybersecurity solutions comes at an enormous cost. Analysis from the Ponemon Institute found that the average cost of a data breach to a large company stood at $3.8 million in 2015, up 7.6% versus the previous year. The number of daily attacks, many of which are thwarted, is approximately 500,000, while the total global costs have been estimated by McAfee at up to $400 billion per year. Avoiding breaches, therefore, has become an ever more pressing issue for companies.

Cybersecurity risks are not limited to financial services or health care businesses, whose recent losses of cardholder or patient data grab headlines. For example, Yahoo recently disclosed what may well be the largest known breach of user information amid its pending acquisition by Verizon. An attacker had obtained data including user names, email accounts, passwords, telephone numbers and street addresses for at least 500 million customers.

M&A professionals are aware that cybersecurity is a risk category in its own right. Online threats have grown to become a prime concern among businesses engaged in M&A because of the possibility they could derail the deals. As recently as the 1990s, the merger process looked very different in terms of data security. Back then, the deal was practically all done on paper, maybe with a few floppy disks, which were boxed up and stored in a locked room. That was the extent of most companies’ cybersecurity protocol.

Today it isn’t that simple. Because companies rely so much on cloud and digital storage, they don’t necessarily know where the information resides, how it’s shared or even who has access to it. So all the standard security measures that a company has put in place take on greater significance when it gets into an M&A discovery and negotiation process.

According to a recent survey of executives involved in M&A, conducted by Mergermarket, 23% of acquirers said they had walked away from a deal due to security issues, which could include compromised networks, data breaches or poor compliance practices. Acquirers commonly discover problems after the fact: 40% of the respondents in the Mergermarket survey said they had found issues after deals had closed. Nearly half of the Mergermarket survey’s respondents—47%—said that they use pre-M&A reviews to “plan for fixes,” presumably with the intention of closing the deals. A third of them said they use the information provided to decide whether to proceed with deals, and a fifth of them said they use evaluations as a pretext to renegotiate prices.

In addition to reviewing cybersecurity measures, throughout the course of a deal, companies must protect against employees or outsiders stealing sensitive deal information and downloading trade secrets. Companies on both sides of the deal need to pay close attention to insider threats and cybersecurity risks involved in the due diligence process. How they safeguard critical information – while at the same time providing access to legitimate third parties like lawyers or accountants – rises to a whole new level of importance.