IT security assessment services: The M&A angle

Here’s a cybersecurity niche that channel partners may not have considered: providing IT security assessment services as part of the merger-and-acquisition due diligence process.

Strategic buyers and private equity firms scrutinize an M&A target’s financial numbers before doing a deal, but they are now exploring the acquisition candidate’s security posture as well. According to West Monroe Partners, a business and technology consulting firm based in Chicago, executives engaged in M&A activities put considerable weight on cybersecurity as an investment criterion.

West Monroe retained Mergermarket, a company that focuses on M&A research, to interview 30 senior M&A practitioners based in North America, representing the healthcare, manufacturing and distribution, banking, and high-tech sectors. The study reveals that 80% of the respondents cited cybersecurity issues as highly important in the due diligence process, while 20% rated cybersecurity as somewhat important. In addition, 77% of those polled said the importance of IT security issues at M&A targets had increased significantly over the past 24 months.

“It has become a much bigger topic for organizations, especially as their investment portfolio has changed,” said Sean Curran, a director in West Monroe’s Security and Infrastructure practice.

Curran said cybersecurity is an especially important factor for acquirers looking to add tech-heavy companies such as software as a service (SaaS) providers to their portfolios. “What they are buying is really the product itself,” he said, adding that poor programming resulting in a security breach can sink a SaaS-based firm — even if the financial numbers look solid.

Room for improvement

Dealmakers pursuing cybersecurity due diligence aren’t universally thrilled with the process. While 40% of respondents said they have been highly satisfied with data security diligence, 57% reported being somewhat satisfied and 3% said they were somewhat dissatisfied. So there’s certainly room for improvement and an opening for channel partners offering IT security assessment services.

That opportunity, however, calls for a particular skillset, Curran suggested.

“It really comes down to, are they engaging the right people to do that analysis?” he said.

Curran noted that accounting firms have M&A practices but may not have deep IT security expertise. He pointed to the home loan industry as an analogy to illustrate the mismatch.

“You don’t ask the mortgage broker to do the home inspection,” he said.

IT security assessment services: Bridging the gap

On the other hand, a security consultant may not be able to relate the security vulnerabilities it uncovers to the value of the deal. A standard security assessment, for example, may discover 1,200 vulnerabilities on a target’s servers. But such a report, Curran said, doesn’t tell a buyer that it will need to invest $1 million in products and services to fix the issue. Nor will it explain how much additional spending will be needed each year to keep the target on sound security footing.

Respondents to West Monroe’s M&A cybersecurity study cited “not enough qualified people involved” as one of the top shortcomings of the cybersecurity diligence process.

Curran’s conclusion? To help with due diligence, a consultant has to understand both IT security and the impact security flaws could have on the deal.

“They can’t just be cybersecurity professionals,” he said.