Your Business News

Cyber due diligence: A must regardless of environment

August 25, 2020

Authored by RSM Canada LLP

Joel A. Humphrey, CPA, CA, shared this article

How a data security plan can protect your investment


Originally published in the July/August issue of ACG’s Middle Market Growth.

What do the acquisitions of Starwood Group by Marriott and Whole Foods by Amazon have in common? Both experienced cyberattacks shortly after the acquisitions were complete and failed to uncover data breaches that occurred before purchase. These companies are not alone.

And if breaches can happen to behemoths, smaller companies with fewer protections in place are definitely at risk. According to RSM US’s 2019 NetDiligence Cyber Claims Study, of the more than 2,000 cyber insurance claims filed from 2014 to 2018, 96% came from small to medium-sized businesses with less than $2 billion in revenue.

While certain industries that handle sensitive personal information, including health care, financial services and retail, may see a higher incidence of data breaches, no industry is immune. If security events disrupt business operations, customers stop doing business with the organization, which leads to a significant loss of revenue.

Today, this trend is not unknown to deal-makers. Most investors have faced one or more cybersecurity incidents in their investment or portfolio companies. If the acquired company faces a security breach during the holding period, chances are the company will not command the desired multiple upon exit and will jeopardize the overall investment objectives.

Cyber due diligence will help buyers and sellers alike understand the critical assets from a data, infrastructure and brand reputation perspective; which threat actors may be motivated to damage the company; the quantified and prioritized cybersecurity risk associated with critical assets; the financial loss exposure from identified risks, including the regulatory penalties if a breach occurred; and the roadmap for addressing security concerns and the price of remediation efforts.

Once you understand the value of your assets and have an idea of the threat actors, it’s important to identify the different means through which they can damage the business. Finally, you should assess what controls the business has already implemented to manage those risks.

There’s no question that cyber due diligence is paramount, but private equity firms need to make sure they are prepared to deal with threats and potential breaches on a go-forward basis as well. Immediately after closing the deal, the buyer should execute the plan developed through cyber due diligence and remediate those risks that could expose the company to significant losses. Unfortunately, cybersecurity is not a one-time investment that can then be forgotten. A trusted third party should be engaged to set up an enterprise-wide risk governance program to provide visibility into cybersecurity risk throughout the holding period.

In today’s very busy M&A environment, in which deals are closed quickly, you cannot afford to have data security issues and attacks become distractions and delay closing. While it is easy to be overwhelmed by cybersecurity issues, prudent investors can avoid major financial losses with appropriate cyber due diligence and enterprise risk governance.


This article was written by Ryan Duquette and originally appeared on 2020-08-25 RSM Canada, and is available online at

RSM Canada Alliance provides its members with access to resources of RSM Canada Operations ULC, RSM Canada LLP and certain of their affiliates (“RSM Canada”). RSM Canada Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM Canada. RSM Canada LLP is the Canadian member firm of RSM International, a global network of independent audit, tax and consulting firms. Members of RSM Canada Alliance have access to RSM International resources through RSM Canada but are not member firms of RSM International. Visit for more information regarding RSM Canada and RSM International. The RSM trademark is used under license by RSM Canada. RSM Canada Alliance products and services are proprietary to RSM Canada.

FCR is a proud member of RSM Canada Alliance, a premier affiliation of independent accounting and consulting firms across North America. RSM Canada Alliance provides our firm with access to resources of RSM, the leading provider of audit, tax and consulting services focused on the middle market. RSM Canada LLP is a licensed CPA firm and the Canadian member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM Canada Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how FCR can assist you, please call us at 1 855 363 3526
