When You Acquire a Business, Are You Acquiring a Data Breach Liability?

By: Kim Taylor, CEO

The acquisition of a business involves many risks and uncertainties. The damage from past data breaches is potentially a huge risk. A Forbes article reports that 40% of companies acquiring a business discovered a cybersecurity problem post-acquisition.

Verizon’s acquisition of Yahoo in 2017 is a great example of why it’s important to identify potential cybersecurity risks prior to the close of a merger or acquisition. Verizon reduced its original offer by $350 million after Yahoo disclosed two massive breaches in previous years. Verizon also required the part of Yahoo that wasn’t sold to assume 50% of liability from future lawsuits related to the breach. The concern wasn’t just direct costs and liability, but reputation. Verizon feared fewer customers would use Yahoo’s services because of security concerns.

Without an objective cybersecurity evaluation, the acquisition could come with compromised data, a tarnished reputation, and a need for expensive and time-consuming remediation – all of which could drastically reduce the value of the newly acquired company.

The uncertainty of cybersecurity issues

Malware is often active for a long time before being detected. SMBs, with fewer security resources than large enterprises, are particularly prone to letting malware remain undetected for long periods. For confirmed, persistent malware, a report by Infocyte found that the time between a successful attack and discovery averaged 798 days — over two years.

The discovery of malware doesn’t lead directly to knowing the extent of the damage. Where one infection is present, others may be as well. Sometimes intruders leave an easily discovered infection to lull security administrators into thinking they’ve found and solved the problem. Determining how long a threat has been in place and how much information it has compromised isn’t always easy. When a cybersecurity issue is discovered, it may well be significantly worse than it first appears.

Independent cybersecurity evaluation

It’s ideal to do as much cybersecurity diligence as possible. One aspect of this diligence is evaluating the target’s security policies and practices. Does it have a well-crafted cybersecurity policy? Does it have a cybersecurity officer? Do state-of-the-art tools protect its networks and machines? How mature is its employee security awareness training? A company that has regularly paid attention to these issues is less likely to have undetected vulnerabilities.

The target’s history of data incidents is another important consideration. The existence of incident reports isn’t necessarily a negative sign; it says that the company has detected and acknowledged those incidents. The more important question is how it identified and remediated those incidents.

For the greatest confidence you should consider using an independent third party to evaluate the company. Since many malware attacks are targeted at specific industries, it’s ideal to work with a third party that has experience in the target company’s primary market vertical.

There’s no foolproof way to ensure that every security event or incident has been contained and accounted for; cybersecurity always involves uncertainty. However, you can drastically reduce the risk and liability associated with an undetected data breach. Investing time and energy in evaluating the company’s cybersecurity posture and potential existing threats is the best way to protect your company and its investments.
