Over the past couple of years, the agency’s Office of Compliance Inspections and Examinations has issued several "Risk Alerts" dedicated to improving cyber security.
Those alerts come with some teeth, too. Feldman noted that the SEC has begun fining firms for inadequate security.
Indeed, the SEC reached a settlement just last month with R.T. Jones Capital Equities Management that included a censure and a $75,000 fine for failing to prevent a hack that compromised the personal information of 100,000 customers.
And from the private side, limited partners like major pension funds, which are big investors in private equity, “want to know what controls the management companies have in place to make sure that the firm has established broader cyber awareness programs that protect critical data,” Feldman said.
Koller agreed that scrutiny and regulation of security are important and necessary, but he added the caveat that a company's cyber risks do not have to be a deal breaker. "It's easier to fix a company with solid financials but poor security than it is to revive a company with great security but weak financials," he said.
Beyond that, companies with histories that include data breaches - even a major one - may still be worthwhile targets for M&As. "An organization that has encountered one or more breaches in the past is better prepared to handle them in the future," Koller said.
Curran agreed. "Very few companies that have been in the headlines (for breaches) have lost market share," he said. "There is a growing perception that an organization that has been attacked becomes a better organization. The perception is that I want to do business with them."
While many small companies may lack the in-house expertise to perform adequate due diligence regarding security risks during an M&A, Curran and others said it should not be that difficult to find outside experts. He said his firm is one of a number that offer security consulting.
He said most companies that try to do a self-assessment "will get it wrong. Just knowing you have a firewall isn't enough. And even for those that use a QSA (qualified security assessor), it may not be enough. Unfortunately, not all QSAs are created equal - some firms are more stringent than others.
"I have found in many cases that even organizations engaged with a QSA are not compliant because they drove the scope and the QSA did not push back," he said.
Del Giudice added that while some target companies might have cyber risks that are low enough to warrant an evaluation that simply relies on a questionnaire, that is not enough for those at higher risk.