ISF Podcast S35 Ep3: The Silent Risk in M&A: Cyber Security Oversights That Cost Millions
Jun 17, 2025
34:04
Financial due diligence is common practice when companies merge or one business acquires another. Cyber security due diligence, however, is not quite as common. Yet, in a world where the threat landscape changes by the day and risk is growing increasingly complex, solid cyber security practices are more important than ever.
Today, Steve and Tavia dig into this very topic, and, more specifically, what role cyber security has in a merger or an acquisition. How is a cyber security review done? Why are they important? How do we balance speed with thoroughness? How do we interpret the results? There’s a lot to dig into here.
Key Takeaways:
Today, Steve and Tavia dig into this very topic, and, more specifically, what role cyber security has in a merger or an acquisition. How is a cyber security review done? Why are they important? How do we balance speed with thoroughness? How do we interpret the results? There’s a lot to dig into here.
Key Takeaways:
- Cyber due diligence is paramount in a corporate acquisition or merger.
- Risks of not doing cyber due diligence include both financial and reputational.
- Cyber due diligence is a team game.
Tune in to hear more about:
- Who should be responsible for conducting the cyber review (4:34)
- How organizations can build cyber into their due diligence process (14:05)
- Examples of where insufficient cyber due diligence proved costly (19:05)
Standout Quotes:
- “You can't play a team sport without a team. And for me, M&A is a team game. You can't go it alone. I think it would be a mistake for somebody to think that they could do this kind of work solo. Because as we've seen with cyber maturing, it now touches so many different parts of the organization. You do need to be involved.” - Steve Durbin
- “I think people are getting it. What I'm seeing now is people get it, but they don't know how to do it. That's where the cyber professional really now has to step up.” - Steve Durbin
- “Pre-deal, I think it is about being focused. It's about identifying, prioritizing the high risk areas that are out there that you want to look into. It's about doing things like making sure that the governance is there. It's about scanning for some of the known vulnerabilities. If you are in one particular market sector and you're buying a company in another because of expansion growth, you're going to need to be covering off a whole range of different things that perhaps might be unusual for you because you haven't been having to look into those areas.” - Steve Durbin
Read the transcript of this episode
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter
From the Information Security Forum, the leading authority on cyber, information security, and risk management.
Subscribe to the ISF Podcast wherever you listen to podcasts
Connect with us on LinkedIn and Twitter
From the Information Security Forum, the leading authority on cyber, information security, and risk management.