When acquiring an organization, many aspects of due diligence should be carried out, both by law and as a matter of best practice. One of the most commonly overlooked is cybersecurity due diligence.
Purchasing a company without a solid review of its cybersecurity program and practices is like purchasing a car without reviewing its service history. Why should you conduct cybersecurity due diligence on an acquisition? So you know what you are buying. All the bad practices, risk exposure, and open liabilities should be discovered prior to close, not after. High risks and past breaches can be used to negotiate the purchase price. The 2017 breach of 500 million Yahoo accounts, a high-profile incident, resulted in Verizon negotiating a $350 million price drop in its acquisition of Yahoo.