Cyber Security Due Diligence

Automatic Data Processing (ADP) recently purchased WorkMarket, a payroll company, in January of this year after WorkMarket.  In and of itself this merger and acquisition story is uneventful, except that WorkMarket positioned itself above other possible acquisition targets by having solid cyber security.  WorkMarket satisfied the Risk Management, Cyber Security and Financial Crime specialists ADP sent to the company as part of the due diligence phase of the acquisition.  ADP rejected other companies that did not pass this new aspect of due diligence.

A company's cyber security is now a part of the due diligence phase of mergers and acquisitions.  The best-known example of the impact that failed cyber security has had on an acquisition is the story of Verizon’s purchase of Yahoo.  Initially, Verizon offered $4.48 Billion for Yahoo but ultimately renegotiated the acquisition deal after discovering the extent of Yahoo's data breaches.  Verizon bought Yahoo for $350 Million – a loss of $4 Billion for Yahoo shareholders!

The question is: What gets assessed?  The assessment is a logical evaluation of the data and network.  Here are the inspection points:

An in-depth assessment of the Network:  A physical assessment of the network is completed including penetration testing, a check to make sure that all patches are current and a check that the network is properly protected.  The policies and procedures are also evaluated.  Undiscovered breaches would be a bad thing to happen in this phase!

National Institute of Standards and Technology:  Does the company follow and adhere to cyber security best practices that address interoperability, usability and privacy? Do they adhere to suggested configurations and vulnerability management?

Network Employee Evaluation:  The certifications and training of their network employees will be evaluated.

Third Party Vendors:  The services relied upon to deliver portions of the network or network services will be reviewed.  The structure of the network will also be reviewed, including its cloud components and how the company assesses the vendors for their network components.

Their Physical Security:  All the best cyber security in the entire world can quickly be undone if someone can enter your facility and access the network.

Regulation:  Relationships with regulators and regulatory action will be investigated. Prior breaches and how breaches are handled will be assessed.

Data Usage and Privacy Policies:  The various privacy policies will be checked, since they change over time, along with the various data usage policies and how the acquiring company can use the data moving forward.

Startups and small companies that want to be targeted for acquisition must now make cyber security and safeguarding their network a high priority to avoid being discarded as too risky in the due diligence phase.

Sources: Cyber Security Due Diligence in M&A Transactions, Sullivan and Cromwell, LLC., John Evangelakos




