How do I assess the cyber security risks of a company we want to acquire?

Part 4 in our ‘What keeps the CISO awake at night?’ series

Cyber attacks are more sophisticated, frequent, and widespread across all industries than ever before. It should therefore come as no surprise that Private Equity (PE) firms and their portfolio companies are also targets.

According to PitchBook, three British Private Equity firms were “tricked into making wire transfers worth a total £1.1 million…following a sustained attack by cybercriminals.” PE firms make attractive targets for attackers for a few reasons. Firstly, they tend to manage lots of capital and hold a large amount of sensitive information, and yet typically have small IT and cyber teams.

Portfolio companies’ cyber defences typically lag behind companies in other financial services sectors. Some of the threats faced by PE firms and their portfolio companies include:

  • Malware including ransomware, which is where a malicious attacker encrypts a victim’s files and demands a ransom to restore access to the data, or threaten to release data to the public unless the ransom is paid;
  • Email based attacks including phishing, where a malicious attacker attempts to trick a user into transferring money or giving up their credentials;
  • Supply chain attacks and breaches through third parties, where a weakness in the controls of a third party or within the supply chain, could result in a breach of an organisation’s data; and
  • Insider threat, in which a disgruntled employee may try to cause business disruption or exfiltrate sensitive data. The likelihood of such behaviour increases when personnel are worried about job security.

So what should PE firms do?

As part of the deal lifecycle or M&A process, PE firms should consider cyber security by stages:

  • Before the Deal: Buyers should perform a relatively light-touch security or threat assessment on the acquisition target company to gain an understanding of any reported breaches or information that could be reputationally-damaging. This can be done through a dark web analysis and social media analysis of the company and key personnel.
  • Cyber security due diligence during the Deal: Perform an independent cyber security assessment to understand the maturity level of the target company’s cybersecurity controls and defence posture. Consider a penetration test or red team exercise to test the company’s defences.
  • After the Deal: Deploy remediation to strengthen security controls, and perform regular assessments to continuously monitor the health of the portfolio company’s cybersecurity posture. Implement a threat detection, response and recover capability.  It is important for the Board to keep in mind some vulnerabilities can be quickly fixed, but others may require a longer-term remediation.

What should you assess as part of a cyber due diligence assessment?

To assess a target organisation’s cyber security posture, it is worth considering the following questions:

  1. Does the company have well-defined roles and responsibilities for the delivery and management of cybersecurity?
  2. Does the company have a solid understanding of the relevant regulations and legislation relating to cyber which impact it?
  3. Does the company have a cybersecurity awareness and training programme for its staff and workers? In particular, is the Board security-literate?
  4. Does the company know what and where its IT and information assets, are?
  5. How does the company ensure that only authorised people have access to its information resources?
  6. Is the company able to detect and respond to cyber threats?
  7. Is the company able to recover from a cyber incident and restore lost data?
  8. What security management is performed over third-party suppliers and vendors?

We recommend basing the assessment on a well-known industry framework or standard such as NIST. This may be an eye-opening exercise, because the findings are often stark, but using a framework enables completeness of the assessment. How you then prioritise remediation is a strategic question based on risk appetite. It’s never too late to start your cyber security journey, no matter where in the deal cycle you may be.

Check out our other articles for further insights, such as the one on the Verizon 2021 Data Breach Investigations Report.

If you’d like assistance with assessing or strengthening your cyber security, then why not get in touch on +44 203 603 4733 or email us at

If you enjoyed this blog then why not read others in our ‘What keeps the CISO awake at night?’ series:

Part 1 – The biggest security threat to my organisation is our staff – what can I do?

Part 2 – How can I stop our Data Loss Prevention project from failing?

Part 3 – The three layers to developing a security culture

Sign up for updates!*

Hey there, couldn’t help noticing you’re using Internet Explorer

That’s great and all, and we commend you for pushing through with it. Unfortunately we no longer offer support for IE; it hasn’t received a major update since 2015 and Microsoft are dropping support for it later in the year.

If you’re using Windows 10 and want to stick with a built in browser, please consider switching to Edge. Or, if you really want to enjoy the internet properly we strongly recommend downloading Google Chrome here.