The need for open source audits in cybersecurity M&As
In today’s world, cybersecurity is about more than just antivirus and endpoint security software. Technical due diligence is a given in almost every acquisition or investment involving technology companies. While a tech diligence checklist can be daunting for acquirers and targets alike, a new study published by (ISC)2 confirms that auditing for cybersecurity is—and should be—at the top of the checklist.
In fact, the (ISC)2 survey of 250 US-based M&A professionals showed that 100 percent of the executives and M&A advisors surveyed agreed that cybersecurity audits have become standard practice.
To understand why companies are auditing for cybersecurity, we must first understand the risk. In the same study, (ISC)2 found that security breaches that come to light during the due diligence process can derail a transaction; in fact, almost half (49 percent) of participants said they had seen it happen.
Unsurprisingly, 52 percent of respondents viewed an audit revealing weak security practices as a liability. The same number said a post-acquisition security breach in an acquired company has affected the share value of a publicly traded organization. It’s clear a cybersecurity breach can significantly affect shareholder value. During M&A integration, it’s critical to expose and deal with any potential weakness at a target company.
About the author
Fred Bals is a senior technical writer at Synopsys.
Measuring risk
Cyberrisk is measured by comparing a company’s operational processes against some form of standard and reporting the results. How that evaluation is carried out varies: in the standard chosen, in the manpower consumed, and in the credibility of the resulting report, which rests upon the consulting firm’s reputation for its cybersecurity expertise.
Assessing cybermaturity against a widely recognized standard is the best option for tech due diligence. The Cyber Security Framework (CSF)