Corporate Compliance Insights

M&A Process Changes: Assess Digital Risk Before You Make That First Call

Acquirers ignore the obvious in cybersecurity due diligence

by Kurtis Minder
April 30, 2020

For many prospective acquirers, the due diligence process involves laborious, costly tech and policy audits that often extend beyond the deal close, when they could instead look for the target’s digital risk and exposure. GroupSense CEO Kurtis Minder discusses this much easier (and obvious) approach.

Information and cybersecurity audits are a fundamental part of the M&A due diligence process. Given the impact of a breach on potential valuation, market acceptance, public relations and brand value, the security posture of a business being considered for an acquisition is a key element in understanding the liability, risk and value of the business.

The most famous case where a data breach dropped a stink bomb into the whole M&A process was when Verizon was in talks to acquire Yahoo! In this case, it was actually two data breaches, impacting more than 3 billion user accounts, which were disclosed during acquisition negotiations. Ultimately it caused Yahoo! to decrease its sale price by $350 million while also gaining responsibility for 50 percent of any damages resulting from subsequent litigation.

As damaging as the Yahoo! data breaches were, Verizon was fortunate to find out about them before they closed the deal so they could revise the acquisition price. This usually does not happen, often due to acquirers not prioritizing vigorous cybersecurity assessments as part of the M&A process. The norm is for data breaches and other security and compliance issues to be discovered after the fact, once the acquiring company’s personnel have the time and resources to really take a look at the acquired company’s infrastructure.

A vivid example of this “after the fact” surprise was the recent Marriott breach, during which the company learned that the systems of an acquired company, Starwood, were compromised at the time of the deal. Bloomberg Intelligence estimates that the damages caused by regulatory fines ($123 million for GDPR alone) and remediation costs will be approximately $1 billion, or 8 percent of the $13.6 billion deal, or roughly the equivalent of Starwood’s annual profits at the time of the acquisition. While this is the most recent headline-grabbing example of a good deal gone bad, it is hardly the only one. According to a Forescout survey of 2,700 IT decision-makers, 65 percent reported that their companies had experienced buyer’s remorse after an acquisition due to cybersecurity issues discovered after the close.

If Only…

Cybersecurity has been an afterthought for some acquirers because of the time, cost and effort required to do a full assessment of a company’s systems, processes and risk profile. This process can involve countless person-hours, surveys, compliance checks and scans of devices and network elements. It also typically involves a third-party consulting organization, legal teams and various disclosure documents that are sensitive to the business. This heavy-handed approach can slow down deals and cause acquirers to either bypass it altogether or wait until the acquisition process is far enough along to justify the spending in time, money and resources. However, as we see the damage security issues can cause to deals, it would be best for companies to understand the severity of any issues early in the process – or even before they begin. (Some issues can be so bad that acquirers should not even waste their time and money in opening discussions.)

Additionally, for institutions that are evaluating multiple companies for acquisition and are at an early stage in the process, it is not only too cumbersome and expensive to attempt to do a traditional security assessment for each company, it is also risky: They might not want the target companies to know they are being considered for acquisition.

If only there was a way to evaluate the security and compliance postures of target companies in a way that is efficient, cost-effective and private. Well, it turns out there is: Use targeted threat intelligence to look outside the company for signs of security vulnerability and compromise.

The Digital Risk Footprint Tells All

I have long argued that cyber intelligence data reflecting a customer’s digital risk footprint is a surprisingly accurate litmus test of a company’s security program efficacy. Think of the digital risk footprint as the security program’s shadow. A company’s digital risk footprint consists of the enumeration of that organization’s leaked data, credentials, intellectual property, fraudulent domain names, fraudulent mobile applications, vulnerable internet-facing assets and other items that should generally be kept inside and within the enterprise perimeter.

While it is inevitable that, in some capacity, sensitive data is going to leave a corporate network, an effective security program will minimize that outcome and put in place proactive measures to mitigate future and potential risks prior to them becoming an issue. An example of this would be the detection and takedown of domain name registrations that are variations on the true corporate domain, often “weaponized” to perform phishing campaigns.

The benefit of measuring a potential acquisition candidate’s digital footprint via threat intelligence is that it is a very lightweight and noninvasive, sometimes undetectable, process. It is also a virtually invisible process, because the data that is being gathered already exists outside the corporate network and can be easily discovered by those who know where to look (dark web, social media, open web, underground channels, etc.). Best of all, none of this requires the permission of the companies in question, so there is no need to notify them and reveal that they are being considered for acquisition.

This method of assessing a company’s digital risk and security program is ideal for evaluating large numbers of potential acquisition targets, either before or early in the traditional due diligence process. This process can be enhanced to provide real-time monitoring of the candidate throughout the acquisition process to track changes in security health, as well as any leaks related to the transaction as it progresses.

Fast, Easy and Smart

Discovering the potential acquisition target’s exposed data and intellectual property can be a fast and easy way to determine whether or not the acquisition process should move forward. In addition, it can save enormous sums of money in due diligence costs in comparison to a security audit and can avoid the worst-case scenario of a good deal turning bad after the close of the acquisition.

If you are an acquisitive company or an investment bank, you should take a look at digital risk measurement as an early step in the M&A process. It will give you the information you need to determine the overall security health of an organization and the security liability you may need to consider as part of the transaction.


Kurtis Minder

Kurtis Minder is a driven entrepreneur developing new technologies to make the world a better place. He is currently the CEO of GroupSense, an enterprise digital risk management company. Kurtis is also a frequent contributor to the startup community and serves as an adviser and mentor to growing companies. Kurtis has more than 20 years of experience in roles spanning operations, design and business development at companies like Mirage Networks (acquired by Trustwave), Caymas Systems (acquired by Citrix) and Fortinet (IPO). A fun claim to fame: He was instrumental in building an early custom e-commerce system for the artist Prince that enabled him to circumvent his record company and sell music directly to fans online. Kurtis can be reached online at https://www.linkedin.com/in/kurtisminder/ and at www.groupsense.io/.
