Risk Analysis for Due Diligence

Threats from cyberspace require cyber risk analysis in due diligence

In times of tight budgets and a volatile world situation, it is easy to lose sight of the fact that cyber security is a permanent challenge for companies. But it shouldn’t be. Because every day that passes without cyber protection makes attackers stronger and your own protective shield more porous. We suggest that you get out of this double dilemma as quickly as possible and save time and money in the process.

It is possible. For example, by avoiding hidden costs of cyber resilience oversights in a timely manner. Those who already integrate the cyber security check directly into their due diligence procedures in M&A transactions maintain an overview. And avoid financial and personnel expenses even before they arise.

This approach works not only for large companies but also for the backbone of our economy, SMEs. For them, timely and focused cyber security can serve as a ‘tunnel’ to larger goals, especially in the context of a planned or ongoing M&A transaction.

Despite its importance, only about 10 percent of companies currently conduct a cyber security due diligence review during M&A transactions. This underscores the need for greater attention and action on this critical process in M&A deals across all industries, especially in today’s rapidly changing landscape of cyberattacks.

Valid reasons to include cyber security checks in due diligence processes for M&A transactions: 

  • Mitigate risks: Cybersecurity checks in due diligence help to identify cyber threats and vulnerabilities in the target company.
  • Valuation influence: Open IT security gaps often lead to price discounts. This can be prevented.
  • Comply with legal regulations such as NIS2 or the Cyber Resilience Act (CRA): Failure to comply with mandatory regulations can lead to penalties (compliance).
  • Estimate the financial impact: An average cyberattack cost around $2.24 million in 2021. Good to know what risks you are taking – or avoiding.

In their article for the current Financial Year Book 2025 by Tatjana Anderer, Mirko Ross and Gerhard Steininger advise firmly embedding cybersecurity in the due diligence processes of M&A procedures. A ‘Quick Strike’ analysis optimised for cyber risks in the due diligence process can identify problems at an early stage. It highlights critical threats, prioritises and quantifies the business-critical segments. Cyber resilience can thus be taken into account and considered in the purchase process.

To read about how asvin experts proceed with a ‘quick strike’ analysis, case studies of companies that failed to incorporate risk analysis into M&As, and the sums of money lost by companies due to a failure to consider cyber threats during DD procedures in M&A processes, read the full article by Mirko Ross and Gerhard Steininger here:

https://asvin.io/wp-content/uploads/2025/01/FYB2025_English_asvin-1.pdf