Channel Marker

Sep 15 2016   1:06PM GMT

IT security assessment services: The M&A angle

John Moore John Moore Profile: John Moore

Mergers & Acquisitions

Here’s a cybersecurity niche that channel partners may not have considered: providing IT security assessment services as part of the merger-and-acquisition due diligence process.

Strategic buyers and private equity firms scrutinize an M&A target’s financial numbers before doing a deal, but they are now exploring the acquisition candidate’s security posture as well. According to West Monroe Partners, a business and technology consulting firm based in Chicago, ¬†executives engaged in M&A activities put considerable weight on cybersecurity as an investment criterion.

West Monroe retained Mergermarket, a company that focuses on M&A research, to interview 30 senior M&A practitioners based in North America, representing the healthcare, manufacturing and distribution, banking, and high-tech sectors. The study reveals that 80% of the respondents cited cybersecurity issues as highly important in the due diligence process, while 20% rated cybersecurity as somewhat important. In addition, 77% of those polled said the importance of IT security issues at M&A targets had increased significantly over the past 24 months.

“It has become a much bigger topic for organizations, especially as their investment portfolio has changed,” said Sean Curran, a director in West Monroe’s Security and Infrastructure practice.

Curran said cybersecurity is an especially important factor for acquirers looking to add tech-heavy companies such as software as a service (SaaS) providers to their portfolios. “What they are buying is really the product itself,” he said, adding that poor programming resulting in a security breach can sink a SaaS-based firm — even if the financial numbers look solid.

Room for improvement

Dealmakers pursuing cybersecurity due diligence aren’t universally thrilled with the process. While 40% of respondents said they have been highly satisfied with data security diligence, 57% reported being somewhat satisfied and 3% said they were somewhat dissatisfied. So there’s certainly room for improvement and an opening for channel partners offering IT security assessment services.

That opportunity, however, calls for a particular skillset, Curran suggested.

“It really comes down to, are they engaging the right people to do that analysis?” he said.

Curran noted that accounting firms have M&A practices but may not have deep IT security expertise. He pointed to the home loan industry as an analog to illustrate the mismatch.

“You don’t ask the mortgage broker to do the home inspection,” he said.

IT security assessment services: Bridging the gap

On the other hand, a security consultant may not be able to relate the security vulnerabilities it uncovers to the value of the deal. A standard security assessment, for example, may discover 1,200 vulnerabilities on a target’s servers. But such a report, Curran said, doesn’t tell a buyer that it will need to invest $1 million in products and services to fix the issue. Nor will it explain how much additional spending will be needed each year to keep the target on sound security footing.

Respondents to West Monroe’s M&A cybersecurity study cited “not enough qualified people involved” as one of the top shortcomings of the cybersecurity diligence process.

Curran’s conclusion? To help with due diligence, a consultant has to understand both IT security and the impact security flaws could have on the deal.

“They can’t just be cybersecurity professionals,” he said.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: