Why M&A Due Diligence Should Include Cybersecurity and Fraud Prevention

Think of what due diligence for mergers and acquisitions covers and you probably think about reviewing the books, assets, customer base and contracts of the target company. You may also think about cybersecurity and fraud prevention; if not, now is the time to start.

M&A activity has slowed dramatically since the onset of the global coronavirus outbreak, and organizations are likely to become more cautious about ensuring that acquisitions won't bring hidden liabilities with them. With malware, data breaches, phishing and card-not-present (CNP) fraud all ongoing threats, it's important to assess any possible acquisition's security and fraud-control posture before closing the deal.

Risks of incomplete or absent cybersecurity due diligence

Simply put, ignoring cybersecurity and fraud due diligence can be a costly mistake. The best-known example is Marriott, which acquired Starwood in 2016 without knowing that Starwood's reservation network had been compromised two years before the sale. When the breach of hundreds of millions of guests' records was finally disclosed in 2018, the company's stock fell and the brand received worldwide bad press.

Later, the company was hit with multiple lawsuits, and the UK data-protection regulator announced its intention to impose a GDPR fine of roughly $120 million. Meanwhile, no one knows what the presumed attackers, reported in the press to be Chinese state-backed operators, intend to do with the stolen information.

Acquiring a company with undetected payments fraud problems can be costly, too. For example, a merchant with a high or rising chargeback rate can land in the card networks' chargeback monitoring programs and end up paying higher processing fees. And a company with a suspiciously low chargeback rate may quietly be eroding its customer base through undetected false declines, which damage the brand and erase customer lifetime value.

Areas to evaluate during due diligence

Because the penalties can cost so much in terms of fines, legal settlements, brand damage and remediation, it's wise to look carefully at the company's cybersecurity and fraud-control practices. That includes reviewing the target company's cybersecurity history as well as its current state.

How diligent have they been about software vulnerability patching, password hygiene, employee awareness and training, system segmentation, access control and email security best practices like DMARC implementation?

How and where is their data stored? How is it transmitted and to whom? How long is data kept and how is it disposed of? What does their compliance look like for any applicable programs such as HIPAA, GDPR, CCPA and PCI DSS?

Do they have internal fraud controls and payment fraud prevention programs?

How do they vet their vendors’ security practices, and how much access do vendors have to their systems?
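Of the questions above, the DMARC one can be checked from outside before any data room opens: a domain's DMARC policy is a public DNS TXT record at _dmarc.<domain>. The script below is an added example, not code from the original article or from ClearSale. It parses a record the way a receiving mail server would and flags the weaknesses a reviewer would note (monitor-only policy, partial enforcement, unprotected subdomains, no reporting address). The domain names and records in it are constructed for illustration, not real published records.

```python
"""Assess DMARC TXT records as part of email-security due diligence.

Added illustration, not part of the original article. The sample records
below are constructed; look up a real one with:  dig TXT _dmarc.example.com
"""

# Tags defined by RFC 7489 that this assessor understands.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}

# Constructed sample records keyed by a fictional domain name.
SAMPLE_RECORDS = {
    "strong.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "broken.example":  "p=reject; v=DMARC1",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag -> value dict.

    Raises ValueError when the record would be ignored by receivers:
    'v' must be the first tag and equal DMARC1, and 'p' is mandatory.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].strip()
    if not first.lower().startswith("v=") or tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record (v tag missing or not first)")
    if "p" not in tags:
        raise ValueError("required 'p' tag missing")
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means no weakness was spotted."""
    findings = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return [f"invalid record: {exc}"]

    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    elif policy != "reject":
        findings.append(f"unknown policy value {policy!r}")

    # pct defaults to 100; anything lower leaves a share of spoofed mail unfiltered.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")

    # sp defaults to p; an explicit weaker subdomain policy is a common gap.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed despite the org-domain policy")

    # Without aggregate reports nobody is watching who sends as this domain.
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so failures go unnoticed")

    unknown = set(tags) - KNOWN_TAGS
    if unknown:
        findings.append(f"unrecognised tags (ignored by receivers): {sorted(unknown)}")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record) or ["no weaknesses found"]
        print(f"{domain}:")
        for line in result:
            print(f"  - {line}")
```

A p=reject policy with a reporting address and pct left at its default is what you want to see; p=none means the target has only been collecting reports, and a record that fails to parse means receivers have been ignoring it entirely, which is the same as having no DMARC at all.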

A framework for cybersecurity and data-protection due diligence

Clearly, this is a lot of information to collect, evaluate and manage. One resource that can help you ensure comprehensive due diligence is the NIST Cybersecurity Framework (NIST CSF), developed by the U.S. National Institute of Standards and Technology (NIST).

NIST CSF is a voluntary program used by many businesses, government agencies and universities. (NIST also provides privacy and risk-management frameworks.) If the company you’re evaluating is already using the NIST CSF, you’ll have a straightforward, standardized way to evaluate their cybersecurity practices.

Even if your potential acquisition isn't using the NIST CSF, your company can use it to assess their security performance in the five key areas that NIST CSF version 1.1 refers to as core functions:

Figure: the five NIST CSF core functions (Identify, Protect, Detect, Respond, Recover). Source: https://www.nist.gov/cyberframework

Identify: In this function, the goal is to identify cybersecurity risk areas, including “systems, data, assets and capabilities.” Ideally, your target company will have already identified business-specific categories to evaluate, such as compliance, business operations, asset management and risk management. If not, you can identify those areas.

Protect: This function “supports the ability to limit or contain the impact of a potential cybersecurity event.” How well does your potential acquisition handle processes like access control, employee training, data security and system maintenance?

Detect: It’s wise to assume that every organization will suffer a cybersecurity breach at some point, if they haven’t already. Within the detection function, you can assess your potential purchase in two ways. First, do they have systems in place for continuous monitoring to identify anomalies and events? Next, what have those systems already detected? Acquiring a company that’s vigilant against threats is good. Acquiring one that doesn’t already have bad actors hidden in its systems is even better.

Respond: What’s the company’s plan to respond in case of a sudden attack or the discovery of an ongoing compromise? Will they be able to contain the problem, identify its scope and notify relevant agencies and stakeholders within the required time frames?

Recover: Does the company have a recovery plan that includes regular, tested backups kept isolated from the production network so ransomware can't reach them, redundant systems and a communications plan?

Evaluating fraud prevention programs at target companies

Identify, protect and detect are also helpful lenses to use as you assess your potential acquisition’s fraud control practices. Every company needs processes to prevent internal fraud and phishing scams. Merchants, whether B2C or B2B, need rigorous transaction fraud prevention programs, too.

Some key transaction fraud areas to look at are:

  • Has the target company identified all of the channels through which payment fraud can happen?
  • Has it analyzed data to create its unique risk profile based on vertical, markets and customer behavior?
  • Does the company have a clear picture of its chargeback rate as well as its rate of false declines?
  • What fraud-prevention practices does the company follow for transactions?
  • Are these practices scalable?
  • Do the company’s fraud prevention practices include human intelligence for better detection and customer retention, or are they rules-based and entirely automated?
  • Does the company currently use machine learning and group analysis to quickly identify complex forms of payment fraud that can get through basic fraud screening?
  • Does the company protect customer accounts against account takeover, for example by offering multi-factor authentication and screening passwords against known-breached lists, rather than relying on password complexity rules alone?

Answering these questions and assessing the company’s performance with the NIST CSF take time. That additional time can make a potential deal feel more precarious. However, the time you invest pre-M&A on this kind of due diligence pays off when your acquisition leads to successful growth and expansion instead of costly fines and lawsuits, bad press and unplanned damage control.


About the Author

Rafael Lourenco is Executive Vice President and Partner at ClearSale, a card-not-present fraud prevention operation that helps retailers increase sales and eliminate chargebacks before they happen. The company’s proprietary technology and in-house staff of seasoned analysts provide an end-to-end outsourced fraud detection solution for online retailers to achieve industry-high approval rates while virtually eliminating false positives. Follow on Twitter at @ClearSaleUS or visit http://clear.sale/.