Cyber Threats May Be Directed at Your Merger or Acquisition

26 January 2017 Publication
Authors: Edward H. Block Christopher Converse Peter Vogel

Cyber criminals are focusing on M&A transactions like never before, and unless you assume the risk, “Buyer Beware!” There are several threats to information systems during the M&A process, both from internal and external factors.

As with any other business process evaluation during an M&A transaction’s due diligence process, there are several documents and procedures that should be reviewed when considering inside and outside threats. These include, but are not limited to, threats from unhappy employees who may feel that they are not getting what they deserve or from enterprising criminals who want to profit.

Security and data privacy:

  • Does the organization have a security policy that is documented and enforced?
  • Does the organization have a data privacy policy that is documented and enforced? 
  • Does the organization have an incident response policy that has been tested within the past year?

Patching and change management policy: 

  • Are systems in the target’s enterprise kept up-to-date with security patches?  
  • Are they only running vendor supported operating systems and applications?
  • Does the organization have a strong change management process, and do they enforce that process?

Security assessments:

  • Does the organization regularly (at least annually) have a third-party audit of its IT processing procedures?
  • Does the organization have third-party penetration testing of its network and system security?
  • Does the organization rely on cloud services?  Does the organization know the countries in which the cloud provider stores, transmits and processes its data?

These questions, among others, must be included in the due diligence checklist in any M&A transaction.

Gardere Wynne Sewell LLP has a long history of directing its clients through mergers and acquisitions. The expansion of the cybersecurity and privacy legal services team, in coordination with M&A efforts that Gardere is known for, provides a solid footing for developing and assessing the seller’s cybersecurity and information security policies and procedures prior to execution of any transaction.

Related Services

Insights

Do You Know What IMMEX Stands For?
16 July 2019
Dashboard Insights
Does The U.S. Need STRONGER Patents?
16 July 2019
PTAB Trial Insights
California Establishes Fund to Combat Wildfire Threats
15 July 2019
Renewable Energy Outlook
There’s No Place Like Home – But Is That a Reasonable Accommodation?
15 July 2019
Labor & Employment Law Perspectives
Review of 2020 Medicare Changes for Telehealth
11 December 2019
Member Call
2019 NDI Executive Exchange
14-15 November 2019
Chicago, IL
MAGI’s Clinical Research Conference
29 October 2019
Las Vegas, NV
Association for Corporate Counsel Annual Meeting 2019
27-30 October 2019
Phoenix, AZ