When You Acquire a Business, Are You Acquiring a Data Breach Liability?

By: Kim Taylor, CEO

The acquisition of a business involves many risks and uncertainties. The damage from past data breaches is potentially a huge risk. A Forbes article reports that 40% of companies acquiring a business discovered a cybersecurity problem post-acquisition. Because the problem is so common, it calls for IT security consulting companies to provide their services and eradicate the chances of such a thing happening within a business, and also to educate business owners on how to run their business safely. Checking out cybersecurity best practices will help businesses see what they need to tackle so they can achieve a high level of security.

Verizon’s acquisition of Yahoo in 2017 is a great example of why it’s important to identify potential cybersecurity risks prior to the close of a merger or acquisition. Verizon reduced its original offer by $350 million after Yahoo disclosed two massive breaches in previous years. Verizon also required the part of Yahoo that wasn’t sold to assume 50% of liability from future lawsuits related to the breach. The concern wasn’t just direct costs and liability, but reputation. Verizon feared fewer customers would use Yahoo’s services because of security concerns.

Without an objective cybersecurity evaluation, the acquisition could come with compromised data, a tarnished reputation, and a need for expensive and time-consuming remediation – all of which could drastically reduce the value of the newly acquired company. A cybersecurity evaluation, if done, would ensure that all of the aforementioned problems are seen to. This might save the acquiring company from additional costs and would guarantee that its investment is the right one. And if the acquiring company plans to finance the undertaking with commercial loans in Florida or business acquisition loans, this type of evaluation might prove useful and make it easier to obtain the loan.

The uncertainty of cybersecurity issues

Malware is often active for a long time before being detected. SMBs, with fewer security resources than large enterprises, are particularly prone to letting malware remain undetected for long periods. For confirmed, persistent malware, a report by Infocyte found that the time between a successful attack and discovery averaged 798 days – over two years.

The discovery of malware doesn’t lead directly to knowing the extent of the damage. Where one infection is present, others may be as well. Sometimes intruders leave an easily discovered infection to lull security administrators into thinking they’ve found and solved the problem. Determining how long a threat has been in place and how much information it has compromised isn’t always easy. When a cybersecurity issue is discovered, it may well be significantly worse than it first appears.

Independent cybersecurity evaluation

It’s ideal to do as much cybersecurity diligence as possible. One aspect of this diligence is evaluating the target’s security policies and practices. Does it have a well-crafted cybersecurity policy? Does it have a cybersecurity officer? Do state-of-the-art tools protect its networks and machines? How mature is its employee security awareness training? A company that has regularly paid attention to these issues is less likely to have undetected vulnerabilities.

The target’s history of data incidents is another important consideration. The existence of incident reports isn’t necessarily a negative sign; it says that the company has detected and acknowledged those incidents. The more important question is how it identified and remediated those incidents.

For the greatest confidence you should consider using an independent third party to evaluate the company. Since many malware attacks are targeted at specific industries, it’s ideal to work with a third party that has experience in the target company’s primary market vertical.


There’s no foolproof way to ensure that every security event or incident has been contained and accounted for; cybersecurity always involves uncertainty. However, you can drastically reduce the risk and liability associated with an undetected data breach. Investing time and energy in evaluating the company’s cybersecurity posture and potential existing threats is the best way to protect your company and its investments.
