In a study by (ISC)2, all executives and M&A professionals surveyed agreed that cyber security audits have become standard practice in tech due diligence.
Technical due diligence is a given in almost every acquisition or investment involving technology companies. The diligence checklist can be daunting for acquirers and targets alike, but as a new study published by (ISC)2 confirms, auditing for cyber security is and should be at the top of the checklist. In fact, the (ISC)2 survey of 250 U.S.-based M&A professionals showed that 100% of the executives and M&A advisors surveyed agreed that cyber security audits have become standard practice.
To understand why companies are auditing for cyber security, we must first understand the risk. In the same study, (ISC)2 found that security breaches that come to light during the due diligence process can derail a transaction; almost half (49%) of participants said they had seen it happen. Further, 52% of respondents viewed an audit revealing weak security practices as a liability. The same number said a post-acquisition security breach in an acquired company has affected the share value of publicly traded organizations. It’s clear a cyber security breach can significantly affect shareholder value. During integration, it’s critical to expose, and plan to deal with, any potential weakness at a target company.
There are many angles to consider when auditing for cyber security in an M&A transaction. For example, consider the high-profile Equifax breach. The breach occurred when attackers exploited an unpatched open source vulnerability, compromising the personal data of millions of people. Equifax paid the price in both brand damage and shareholder value. But as we’ve learned in the aftermath, not everyone learns from the mistakes of others. In the year following the Equifax breach, Fortune published a piece under the headline “Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax.”
Synopsys’ annual Open Source Security and Risk Analysis report is based on the anonymized data from thousands of open source audits we perform for M&A due diligence. The 2019 report found that 60% of the codebases we audited during 2018 contained at least one open source vulnerability. Further, 43% of the codebases contained vulnerabilities over 10 years old.
As we learned from Equifax, unpatched software vulnerabilities are one of the biggest cyberthreats organizations face, and unpatched open source components in software add to security risk. Certain characteristics of open source make vulnerabilities in popular components attractive to attackers. One reason is that open source, unlike commercial software, has a pull support model. Commercial software publishers can automatically push fixes, patches, and updates to users. But open source software puts the responsibility for monitoring in the hands of the company consuming the open source. Because open source is so pervasive, this is no easy task.
Open source audits are one type of audit that companies are performing in M&A due diligence, but they’re not the only one. We typically see acquirers asking questions about many aspects of the security risk of the software they’re acquiring:
At the end of the day, the goal of due diligence is to eliminate surprises after the deal closes. According to the (ISC)2 report, 57% of respondents had been surprised by an unreported data breach during the audit process. In M&A, uncovering these issues before the deal closes helps the acquirer not only put the proper deal terms in place but also plan for integration costs, priorities, and timelines post-deal.
Synopsys has an entire business with decades of experience handling security audits in high-stakes, fast-moving, and high-value M&A scenarios.