
Mergers & Acquisitions: Cyber & Information Security Due Diligence

Due to increasing regulatory, investor and customer requirements it is imperative that cyber and information security risks are identified and managed throughout the lifetime of merger and acquisition transactions. From identifying security flaws present in the technology you are buying through to the cyber security posture of the organisation as a whole, by taking a holistic view, businesses can ensure they proactively understand current risks and liabilities along with the future levels of investment.

NCC Group has many years' experience working in both pre or post close transaction environments for some of the largest technology companies in the world. This experience extends to working both directly with the acquiring organisations as retained security due diligence experts and indirectly working via external legal counsel to provide risk based advice under privilege and intellectual property taint protection.

Cyber and information security issues and concerns can vary considerably depending on the business and industry. They can range from software quality through to regulatory, operations and high-level governance issues.

Working with a global expert in cyber security and risk mitigation allows your organisation to have the confidence that any transaction is done with full insight and understanding of today’s risks and tomorrow’s liabilities and costs.

Key things to consider include:
• Maturity of the target with regards to cyber and information security and the risk and potential liabilities associated with the acquisition post close.
• Proactive identification of security issues that create a significant liability for your organisation post-acquisition in terms of cost to fix, loss caused to customers or even in terms of reputational damage to your brand.
• Understanding of privacy issues in terms of how data is collected or stored which causes financial, reputational or regulatory liability.
• The level of resilience to cyber attack of the organisation that may be experienced post public announcement.
• Discovery and analysis of security issues in software, systems and architectures that could significantly delay a post-acquisition deployment or integration and hence affect the business case behind the acquisition.
• Assessment of secure software and hardware development process maturity and the ability to respond to reported security issues.
• Awareness of the use of third party source code which brings with it security sustainment costs that haven’t been planned for.

Cyber & information security due diligence

Our service identifies and analyses key areas to be aware of, determining any security and risk gaps while providing advice on how these can be addressed or mitigated. We can carry out a rich mixture of security discovery, assessment and analysis depending on your need to understand exposure and level of risk tolerance.

Carrying out cyber security due diligence as part of a transaction will provide a detailed understanding of the information security posture of any technological intellectual property you are acquiring and the target organisation as a whole, allowing you to make better informed decisions and ultimately protecting your investment.

Types of assessments include:

Technology driven acquisitions:
• Security architecture and design reviews.
• Software, hardware and system threat modelling.
• Security focused source code reviews.
• End-to-end product or system security assessments.
• Security Development Lifecycle maturity measurement.
• Product security claims verification.

All acquisitions:
• Cyber and information security policy and procedure reviews.
• Regulatory cyber and information security liability analysis.
• Operations and infrastructure security assessments.
• Product or system security assessments.
• Personally identifiable information privacy and security reviews.

Additionally we can help to:
• Provide cyber and information security due diligence support throughout a transaction.
• Provide training and education for wider internal or external M&A teams regarding cyber and information considerations.
• Provide short-term, tactical driven protective monitoring and response services during a transaction to ensure assets are secure pre and post announcement.

At the end of the process you will receive a full report which outlines the risks, issues, current mitigations, analysis and recommendations.

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape.

With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face.

We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.

For more information from NCC Group, please contact:

+44 (0) 161 209 5200 response@nccgroup.trust www.nccgroup.trust


NCCGSCTSCMACIV10617
