
It’s a common story: after months of meticulous financial, operational, and market analysis, a critical finding emerges in the final weeks before deal closure – threatening what seemed like a near-certain transaction with a three-month delay. 

Deal delays cost money – a lot of money. So, with this in mind, why is cybersecurity not always embedded in deal due diligence from the off?

Cybersecurity risk should never be a last-minute consideration 

There is a fundamental disconnect here, where cybersecurity risk appears to be a pivotal factor in business, risk, and investments, yet is often treated as a last-minute concern or is overlooked entirely. The consequences of this can be serious: closings can be delayed, unforeseen costs can arise and, in the worst cases, a deal can collapse entirely. The irony here is that cyber risk is one risk area that a well-informed private equity investment house can manage at scale, early in the investment process, with limited effort expended by PE professionals.

Embed cybersecurity components into deal prospecting

Starting at the top of the investment funnel, it’s entirely possible to embed cybersecurity components into deal prospecting. This can be the first step in transforming cybersecurity from a last-minute “gotcha” topic into a lever for value creation. If done correctly, the intelligence and insights gained from applying a basic level of cybersecurity rigour can deliver an outsized strategic advantage: a highly valuable data point that can be used to validate claims made by potential investments and weed out those companies that could expose investors to unacceptable levels of risk.

Thomas Murray cyber due diligence 

Thomas Murray partners with PE firms to quietly embed cybersecurity throughout the investment lifecycle, without introducing extra work for deal teams. Starting at the top of the deal funnel, we can provide continuous intelligence into the effectiveness of an organisation’s cybersecurity management, using arm’s-length techniques like attack surface monitoring, deep & dark web monitoring and sentiment analysis. This method allows us to quantify risk and benchmark companies, identifying issues before they are exploited. Early signal detection is a powerful data point which eventually feeds into cyber due diligence, allowing the stream to deliver actionable recommendations at speed.

Without proactive cyber monitoring, cyber issues can be uncovered in the final weeks of a deal, often resulting in significant delays and costs. During a recent acquisition, Thomas Murray was brought in to conduct a deep-dive cyber review moments before intended completion. Our threat analysts uncovered critical issues that had not been detected by standard diligence; the findings were severe enough for our client to delay the deal for three months while the target company addressed the findings, most of which could have been spotted earlier.

Cybersecurity is a critical part of a deal 

The early monitoring of prospective investments is no replacement for detailed cybersecurity due diligence, but early efforts will filter out organisations that present unacceptable risk. Private equity firms not integrating cyber safeguards early are exposing themselves to delays, shocks, and added financial risk. On the other hand, firms that are proactive will safeguard value, streamline closings, and gain a competitive edge in an increasingly risk-conscious market.
