Sense of Security is one of Australia’s most trusted providers of cyber resilience, information security and risk management services.

Latest announcements
© Copyright Sense of Security
Cyber Security Services

M&A Cyber security due diligence

The cyber resilience of a company and any history of data breaches is having a significant impact on determining the outcome of a merger and / or acquisition.

Data is now the prime asset of most companies and given the substantial ramifications of a data breach in the context of an M&A the risk assessment now precedes financial, tax and legal assessments.

Cyber Security in the framework of an M&A

According to the American Bar Association, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defences the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.

Equally, sellers now must ensure they have the required cyber governance systems, risk procedures and a cyber security cultural posture to maintain their value.

Data management and data governance is not just applicable in some sectors, cyber security covers the whole spectrum of business and government.

Cyber security due diligence review

Compared to other due-diligence activities such as financial due diligence and management assessment, cyber security is a relatively new topic. The overall understanding of technology and its associated risks is now becoming part of the investor community fabric.

Acquirers should not rely solely on lawyers to manage their Due Diligence process. Lawyers tend to focus on privacy-related questions of a company – possibly without the context to how the organisation conducts its business.

Most cyber security issues have their roots in technical issues that manifest themselves through vulnerabilities in networking, access controls, application security and systems store or process data. Adding in suppliers into the picture adds another dimension of potential security issues courtesy of a wider footprint with more people getting access to systems. It is imperative to assess the business in the context in which it operates and clearly articulating the implication of vulnerabilities that have been identified.  This is the realm of the specialist security advisor, not an accountant or a lawyer.

Sense of Security uses a Dynamic Risk Assessment (DRA) methodology proving to be the most realistic and accurate indicators of transaction risk. A DRA is different to traditional, workshop centric, Q&A type assessment where risks are evaluated, consequences identified, and treatments proposed. DRA’s are test centric.

This means that we can evaluate both the target’s susceptibility to compromise and their ability to detect, respond, defeat and remain operational through an attack. This is a test of Cyber Resilience and is infinitely more valuable than a spreadsheet risk register or any report that a risk management platform can produce.

What to Expect in a CSDD

It’s imperative that we understand what’s under the bonnet. We employ our specialist technical team to look at the following;

Susceptibility to hacking attacks

Susceptibility to DoS

Configuration Review

  • Many attacks occur because systems/platform have poor (vendor default) configs.
  • Cloud platform reviews, application, infra reviews

Data Leakage Review

  • Determine if there is evidence that data, personnel, accounts and creds are in the internet/dark web

In conjunction with our technical team our Cyber Security Advisory will undertake;

Cyber Health Check


  • Metrics against standards like NIST/ISO

Data Security Model

Vulnerability Management

SDLC and DevOps

  • Have they got appropriate security across what they are doing?

Supply Chain Risks

  • How are supply chain risks they managed?
  • Link to Development Security – Open Source Software, Soft comp analysis.

We provide the make-up of the Cyber Due Diligence assessment coverage and the key metrics on which a buyer should make decisions about a target viability or what’s required if you are selling.

Cyber security and privacy processes are now part of the M&A landscape.

If you are planning an M&A activity, now is the time to call Sense of Security on 1300 922 923 or make an enquiry today.