In a merger and acquisition exercise, i.e. a corporate (the acquirer) acquiring another corporate (the vendor or target), it is the norm and a requirement that the acquirer performs a series of due diligence exercises, carried out by external consultants such as lawyers and auditors, on the vendor company.
In practice, due diligence has traditionally focused on the vendor's financial numbers and its legal issues, existing and potential, if any.
In established markets like the US and Europe, due diligence in these corporate acquisitions now includes an assessment of the vendor's cybersecurity risk posture and of the measures the vendor has already taken and implemented.
Yahoo learnt it the hard way. Verizon acquired Yahoo. Verizon did not perform an assessment of Yahoo's cybersecurity posture. An agreement was executed. After the agreement, Yahoo reported a data breach which had happened prior to the sale. As a result:
1. Verizon slashed the purchase price, which Yahoo had to agree to
2. The regulators fined Yahoo for the breach and for failing to report it within the stipulated time frame
3. Yahoo's shareholders took action and sued Yahoo over the reduced price Verizon was paying as a result of the breach
Even where the due diligence does include an assessment of the target company's cyber risks, the majority of acquirers normally assign their internal IT departments to do the assessment. This is not advisable, because the IT department is not in a position, nor does it have the expertise, to assess the target's cyber risk posture. Asking the internal IT department to assess the target's cyber risks on top of its existing role of assessing the compatibility and suitability of the target's IT with the acquirer's systems is, honestly, a task beyond the scope and ability of the IT department of most corporates.
The fact that some lawyers and other advisers term cybersecurity a "data security" issue does not help. It shows a lack of understanding of the cybersecurity threat landscape, or of the particular risks associated with the target company. Most often they put a whole lot of routine privacy-related questions to the target, even when the target does not collect or handle clients' data.