News / October 2022

CLTC Paper: Moving Left and Right: Cybersecurity Processes and Outcomes in M&A Due Diligence

A new study from the Center for Long-Term Cybersecurity presents a model framework to help organizations improve their consideration of cybersecurity risk as part of a merger or acquisition (M&A). Developed through interviews with academics and practitioners who are experts in M&A, the report, Moving Left and Right: Cybersecurity Processes and Outcomes in M&A Due Diligence, integrates insights and best practices to improve due diligence for security risk.

Download the Report (PDF)

“When one company acquires or merges with another, they often do not have a clear understanding of the cybersecurity vulnerabilities they may be bringing in, or how to incorporate those risks into the valuation,” says Andrew Reddie, Co-Faculty Director of CLTC, who co-authored the report with Prakash Krishnan, a graduate student in the UC Berkeley School of Information’s Master of Information and Data Science (MIDS) program. “Misunderstanding cybersecurity risk can lead to potential legal, financial, and reputational exposure. Our model framework aims to help firms improve cybersecurity risk management and oversight before, during, and after a merger or acquisition.”

The Cybersecurity M&A Model Framework is designed to support executives, cyber auditors, investing teams, and boards as they consider cybersecurity risk during the M&A process. The framework addresses three primary factors: 1) key business considerations that are germane to each phase in the deal cycle; 2) the cyber risk questions that should be the focus of investing teams, executives, and cyber auditors at each stage; and 3) desired outcomes, the conclusions that investing teams, executives, and cyber auditors should be able to draw.

“Understanding cybersecurity risk has become an essential component of the mergers and acquisitions process, but surprisingly little attention has been given to this key part of the process,” says Jason Button, Director of the Security and Trust Mergers and Acquisitions team at Cisco, which provided CLTC with a grant to support this independent academic research. “We expect this new approach will be useful for our own future mergers and acquisitions, and for those of other firms in the US and beyond.”

As detailed in the report, cybersecurity risk considerations in M&A tend to vary widely based on factors such as the industry, maturity of the board, quality of executive leadership, or the size of the company. The model framework takes into account the heterogeneity of M&A contexts, and also considers the roles that key actors, such as executives, boards, and cybersecurity professionals, are likely to play at different stages of the process.

The model framework is not a checklist, but rather aims to help firms tailor their approach to the cybersecurity audit process based on deal type, industry, and firm size. It establishes where existing policies and procedures, along with historical patterns of attack, suggest that a target company’s assets and vulnerabilities need to be protected. And it provides information that allows cyber audit functions to evaluate whether the target firm is following industry standards, whether voluntary or otherwise.

This project is the latest component of the UC Berkeley Center for Long-Term Cybersecurity’s research on board governance for cybersecurity. This initial report sets the stage for future work in this area. “From this study, it became clear the degree to which insights were idiosyncratic and tied to years of experience in the space — with many of the cases that underpinned proposed solutions necessarily anecdotal,” the researchers wrote in their conclusion. “Indeed, a large-scale, systematic treatment of cyber risk and outcomes in the context of M&As is sorely needed.”
