Half of M&A Cyber Audits Uncover Undisclosed Breaches That Derail Deals

Cybersecurity diligence performed prior to a merger or acquisition often uncovers weaknesses in an organization’s security stance, which can spell doom for the company being purchased and a resulted phishing attack.

It appears that a company’s lack of security can make or break an M&A deal. According to the new Cybersecurity Assessments in Mergers and Acquisitions report from (ISC)2, 100% of organizations perform some form of cyber audit of the company being bought.

But a bit more than half (57%) of organizations report finding a previously undisclosed (or potentially unknown) data breach as part of the audit. And nearly half (49%) of organizations have seen a deal be cancelled because of it.

Nearly all organizations (95%) consider cybersecurity to be a tangible asset. In fact, 82% of organizations believe the stronger a company’s cybersecurity infrastructure is, the higher the value assessed to the organization. According to the report, this includes “soft” assets such as risk management policies and security awareness training programs. In contrast, only 63% of organizations factor in IT security tools as assets.

It’s evident from the data that organizations are more focused on the overall cybersecurity stance, as well as the security policies, process, and culture establish rather than the kind and type of security solutions in place.

It’s good to see Security Awareness Training mentioned, as it has the unique potential to stop attacks where all other solutions fail; eventually a malware-laden email, attachment, or webpage is going to reach your users – it’s only Security Awareness Training that can educate the user to both spot the potential threat and reduce the risk of attack by not engaging with it.