Cyber criminals are focusing on M&A transactions like never before, and unless you assume the risk, “Buyer Beware!” There are several threats to information systems during the M&A process, both from internal and external factors.

As with any other business process evaluation during an M&A transaction’s due diligence process, there are several documents and procedures that should be reviewed when considering inside and outside threats. These include, but are not limited to, threats from unhappy employees who may feel that they are not getting what they deserve or from enterprising criminals who want to profit.

Security and data privacy:

  • Does the organization have a security policy that is documented and enforced?
  • Does the organization have a data privacy policy that is documented and enforced?
  • Does the organization have an incident response policy that has been tested within the past year?

Patching and change management policy:

  • Are systems in the target’s enterprise kept up-to-date with security patches?
  • Are they only running vendor supported operating systems and applications?
  • Does the organization have a strong change management process, and do they enforce that process?

Security assessments:

  • Does the organization regularly (at least annually) have a third-party audit of its IT processing procedures?
  • Does the organization have third-party penetration testing of its network and system security?
  • Does the organization rely on cloud services? Does the organization know the countries in which the cloud provider stores, transmits and processes its data?

These questions, among others, must be included in the due diligence checklist in any M&A transaction.