Due diligence is very much like a home inspection when you’re buying a house. When you’re buying a house, you want to understand all the possible concerns about your new home. In today’s housing market, most sellers are also getting a home inspection before putting the house on the market. These two activities are direct parallels to Buy-side and Sell-side due diligence. However, unlike home inspections that try to identify all possible concerns with the house, some due diligence efforts only look at a few things, like the finances or taxes. This would be akin to buying a home and only inspecting the roof.

What cyber due diligence attempts to do is to understand another aspect of the target company. Every organization has cybersecurity risks. Understanding the depth and breadth of the cybersecurity risks is just as critical as understanding financial or tax risks.

Here are three questions a private equity group (PEG) needs to consider when evaluating an acquisition:

1. Why are you buying this company?

For private equity buyers, it’s important to understand your purchasing goals. Having a clear understanding of why you are buying the target entity enables you to determine what you are going to do next.

Are you buying the target primarily for the technology, infrastructure and services this company provides, or for its market share and intellectual property? Are you going to firewall the organization off and let it run separately for a period of time, or is it a complete gut and replace job?

This information gives you a better idea of the level of effort it will take to get the target acclimated and integrated into your organization. The target should know who is accessing its information and what activities are taking place. Be sure you understand what data-loss controls are in place and whether the organization has sensitive, proprietary information properly secured.

2. What are you planning to do with the company?

The target may have some problems you can easily fix by integrating it into your company’s policy, procedure and technology stack, but you first need to be aware of those problems and their extent, along with having a realistic analysis of what it will take to remedy them.

Cybersecurity due diligence will help you determine where the pain points are and what to consider as an acquiring entity. With this information in hand, you can plan with confidence where the target can be integrated immediately, and what a short-term, near-term and long-term road map would look like to get it on board.

The target’s existing technologies may not be a concern if you are planning to integrate the acquisition into your company’s technologies, policies and procedures. However, you still need to consider whether the target can be integrated into your company with relative ease or whether it will require an extensive effort.

3. Has this company ever experienced a breach?

Most organizations, at one time or another, have had some cybersecurity issues that might have been a breach. Be sure to dig deeper to find out what is really going on. There may be liability from a data breach that hasn’t been made public, or the target acquisition may not be aware it has been compromised.

Either way, be prepared to absorb any existing liability, which can be costly. What looked like a good deal can quickly become less attractive when potential liability from a data breach surfaces.

The real question is not whether the target has had a breach, but what processes it has in place for prevention and remediation. Read “Information Security Due Diligence in a Potential Acquisition” to find out what steps to take.

If you are looking to acquire a company, make sure you know about any potential risks while drafting your letter of intent. A quick, high-level assessment that doesn’t get “under the hood” of the organization to fully understand the risks could cost you. Consulting a cybersecurity expert now will save you time – and money – in the long run.

Matt Sadler is a Senior Manager in LBMC’s Information Security division. He can be reached at matt.sadler@lbmc.com.