Cyber Due Diligence in Mergers & Acquisitions

Written by: Gillian Colan-O'Leary on Jun 28, 2022

Due diligence is the investigation by one party into the business and assets of another party, typically its contracts, finances, people and customers. But to avoid, or fully account for, potential post-transaction risks, fines and costly remediation, cyber and data security need to be included in the process.


When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem. Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing a lemon — think of cars.

Chirantan Chatterjee & D. Daniel Sokol, Harvard Business Review

Cyber Health - compromised, or likely to be?

Compromised? How to find out...

Investigate deep and dark web exposure. Also look at the same for suppliers, contractors, subsidiaries, and other third parties.

Vulnerable? How to find out...

Examine systems for exploitable vulnerabilities, and bad and unusual behaviours. Also gauge employee awareness by means of social engineering exercises. This will provide a measurable insight into the real-world risks a company faces.

Nature and risk profile of data? How to find out...

Identify information security risks and shortfalls in governance, operations and technology.

Cyber Security Management Capability - how are risks being managed / what would the reaction be?

Assess the ability to detect and respond to a cyber security incident, e.g. business continuity plans, incident response.

Evaluate commitment to information security through compliance with key standards, principles and regulations, e.g. FCA, GDPR.

Review people. What is the cyber security maturity and management?

It's important to evaluate the company based on the changes that have happened in the last twenty-four months, because for some organisations those changes have been drastic.

Simon Whittaker, CEO, Vertical Structure

How we can help

Vertical Structure can provide key insights for a more judicious valuation even if:

  • There are time constraints and a quick turnaround is needed
  • There is limited access to internal systems
