
Merge Right - Cybersecurity Risks During Mergers and Acquisitions

When one thinks of mergers and acquisitions (M&A), common risks that come to mind might include overpayment and synergies that fail to materialize. However, if cybersecurity risks are not assessed, what seems like a dream deal can quickly transform into a nightmare scenario.

Considering that the average number of days for detecting a data breach is 207, with an additional 73 days needed for containment, an intruder hacking into a company on New Year’s Day wouldn’t be identified and eliminated until early October. Those 280 days are an incredibly long time, meaning that an intruder who gained access before an M&A transaction is initiated may not come to light until long after a deal has been signed. Raising the stakes is the average price tag of a data breach at around $4 million, including hard costs and loss of business.

One example of the dangers of not considering a cybersecurity evaluation during the M&A process involves Marriott’s acquisition of Starwood Hotels and Resorts Worldwide, which quickly turned into a nightmare for the hospitality giant. A serious security flaw in Starwood’s reservation system, which predated the acquisition, was not discovered until almost two years after the acquisition. It was this flaw that ultimately led to a data breach of almost 400 million customer records, including sensitive data such as passport and credit card information. Because several million records contained data related to residents of the European Union, the European Union’s General Data Protection Regulation (GDPR) and the associated penalties came into play. By the time the smoke cleared, Marriott was looking at tens of millions of dollars in fines as well as significant public relations damage and brand degradation. The bottom line: buyer beware if the importance of cybersecurity is underestimated.

And as expensive as cybersecurity incidents can be for the acquirer, they can be equally costly for the target company. For example, as Verizon was in the process of acquiring Yahoo for $4.48 billion, the deal almost fell through over two data-breach scandals that came to light during the negotiations. Knowing it would share the liability for Yahoo’s breaches, Verizon reduced its original offer, costing Yahoo $350 million.

The best way to avoid the cybersecurity pitfalls related to M&A is to consider conducting a cybersecurity and technology assessment of the target’s technology environment during the due diligence process, so that any risks can be identified and a plan to address them can be established. Depending on the results of the assessment, it may be determined that there are significant risks and that more aggressive evaluation and remediation procedures are required. For example, a detailed assessment of compliance efforts may be executed to ensure there are no significant gaps in meeting regulatory requirements. Armed with an understanding of the target’s cybersecurity and technology risks, the acquirer can then factor in the associated costs when calculating an offer.

Citrin Cooperman can evaluate a target using our proprietary risk assessment tool called the SCORE Report, which identifies and ranks any risks, explains why they are a risk from both a business and IT perspective, and provides recommended solutions and estimated resources needed to mitigate or eliminate these risks. Should any advanced technology or cybersecurity risks be uncovered, Citrin Cooperman has a deep bench of advisors to strategically and efficiently mitigate them.

With few exceptions, taking this type of proactive approach to assessing and addressing risk is far less expensive than taking a reactive one, and it will help avoid any regrets related to surprises identified after the transaction has been completed.

For more information on evaluating technology or cybersecurity risks during the M&A process, contact Kevin Ricci at or Michael Camacho at
