Mergers and Acquisitions Cybersecurity Checklist




Any time a company is going to acquire another organization through purchase or merger, it’s critical to know what security risks might come with the acquisition. Without knowing, organizations open themselves up to significant financial and legal challenges.

By nature, mergers and acquisitions typically take place in a relatively secretive manner. Because of this, very few people are given information about the acquisition ahead of time. Still, organizations always take the time and effort to do their financial due diligence before any merger goes ahead. Information security due diligence is often an afterthought, but it needs to be taken just as seriously given the potential business impact of security risks.

What will the technical resources look like? What type of data does the purchased company hold? What are their most significant risks?


As the company is looking for other organizations to acquire
  • Perform a risk assessment
    • Consider size of the organization, complexity, and compliance requirements
  • Understand their risk profile
    • Determine when their last comprehensive information security risk assessment was done
    • Determine who has the results of the last risk assessment
    • Determine the steps that were taken to reduce those risks
    • Recognize inherent risk
      • Search for any active breaches
      • Understand that even with your own strong security program, you inherit the risk of the new organization you acquire/merge with
  • Consider legal requirements
    • Understand if there are new laws and regulations you will have to follow
      • Based on location
      • Based on industry
      • Based on business type
      • Based on the data stored/collected


While merging the two organizations
  • Take time to learn all the ins and outs of the new organization you’re about to take control of
    • Review their incident response plan
    • Review their business continuity plan
    • Review their disaster recovery plan
    • Understand what’s in place so you can adequately take control of them
  • Begin creating or reviewing an asset inventory
    • Physical (computers, servers, etc.)
    • Logical (data, applications)
    • Software (standard packages, licensed, supported)
  • Determine what access controls they have in place
    • Understand if access is on a need-to-know basis or if it’s looser
  • Understand what the technical infrastructure looks like
    • Determine if and how you will integrate their infrastructure:
      • Check whether servers, PCs, and networks are current and still under warranty
        • Create a plan for anything obsolete, out of date, or no longer supported
    • Find out what is standardized and what isn’t
      • Data flow
      • System protection with up-to-date patching, endpoint protection, and firewalls
      • Controls for internet-connected networks
      • Adequate firewall rules
      • Systems allowed to communicate to and from the Internet
  • Check for physical security measures
    • Determine if access into and out of their facility is controlled
    • Look for extra protections on critical areas (like server and network rooms)
    • Review current facility safety controls


Once the transition or merge is completed
  • Review and adjust governance
    • Ensure proper information security policies are in place and are current
    • Train employees so they know, understand, and follow policies
  • Conduct ongoing evaluations
    • Establish the new baseline for information security
    • Ensure personnel follow requirements
    • Determine which departments and security practices need the most training time
    • Get a validated risk assessment annually
      • Recognize which measures are a business priority
      • Prepare to make changes based on the results and priority
