Cybersecurity due diligence in M&A and divestitures

Cybersecurity has become a top priority for company leaders, boards of directors and audit committees. Mergers, acquisitions and divestitures make the need for cybersecurity even more acute.


What EY can do for you in M&A cybersecurity

When you’re buying

M&A decision-makers must fully understand the potential risks a data breach would pose to critical business assets and functions, from intellectual property (IP) and operations to customer information and credit card data. Ignoring these cybersecurity risks in M&A can leave a buyer exposed to a range of risks, including diminished revenues, profits, market value, market share and brand reputation.

We can help you understand exactly what you’re buying and how to price any potential risks appropriately. We can help you identify vulnerabilities that could be exploited by potential hackers, quantify cyber risks as they relate to the deal and manage the mitigation or remediation of cyber risks.

When you’re divesting

The key to selling a business is maximizing value while protecting your remaining business. Our cyber transaction services can help you identify areas of likely value erosion of a divestment, prioritize and mitigate them before you engage buyers. We can identify and monitor potential vulnerabilities that could be exploited during a separation as well as maintain preparedness for data privacy and regulatory compliance.

We can also help you mitigate M&A cyber threats to your remaining business by closing potential avenues of attack that could open post separation, making sure critical assets are not inadvertently transferred and assessing the risk control governance structure.

EY’s cyber transaction services can add value across the M&A transaction life cycle — from strategy and opportunity analysis all the way through diligence, negotiations, and integration or separation.

The value of EY cyber transaction services 

We help address the M&A cyber risk to your business by:

  • Discovering hidden risks, such as technical vulnerabilities in your target company, data privacy noncompliance and signs of cyberattacks that could be happening right now
  • Valuing cyber risk for specific events, such as thefts of customer data or IP, or business and operational disruption
  • Identify and quantify valuation considerations included estimated one-time and recurring costs to remediate cyber vulnerabilities or gaps in regulatory compliance helping you demonstrate to the board and regulators that you are proactively mitigating cyber risk — while protecting deal value and strategic drivers
  • Reducing threats to the remaining company that can occur when companies separate, such as inadvertent loss of IP or exposure of critical assets

Our latest thinking


    Contact our M&A cybersecurity team to support your business
    Like what you’ve seen? Get in touch to learn more.