As little as four years ago, only about a third of companies considered cybersecurity when planning a merger. Today, that percentage has flipped.
"When you look at mergers where one big company buys another big company, I'd estimate that the cybersecurity teams do get involved about 60 percent of the time prior to the acquisition being executed," said John Pescatore, director of emerging trends at SANS Institute.
A number of high-profile incidents have alerted corporate executives to the risk of inheriting a breach through an acquisition.
Last year, for example, attackers hit Pacnet, an Asian telecom provider, two weeks before Telstra bought it for nearly $700 million -- but Telstra didn't learn about the breach until the deal was closed.
In 2014, TripAdvisor learned shortly after its $200 million acquisition of travel site Viator that attackers had stolen information on 1.4 million customers. It found out about the problem not as a result of its own investigations, but when its payment card service started noting unauthorized charges on customer credit cards.
"It's absolutely a risk that people are talking about," said Stephen Boyer, CTO and co-founder at security vendor BitSight Technologies.
Public disclosures are an unreliable guide to a target's history: unless a breach involved personally identifiable information, the company may never have been required to report it at all.
It "would be nuts" to rely just on public reports, Pescatore said.
"They send audit teams in for finance, and they should send audit teams in for security as well," he said.
One common mistake with a merger is to handle the cybersecurity review via a checklist, said JB Rambaud, managing director at the cyber-risk consultancy Stroz Friedberg, LLC.
"People are starting to realize that a checklist process is not working," he said. "If I ask you, is this encrypted, is this segmented, you may answer that yes it is encrypted, yes it is segmented -- but the segmentation has seven different layers. It's very difficult to simplify the process and create the form and get it right."
The due diligence team needs to have the expertise to be able to delve into the small details, he added. "This is too material to be skipped over."
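The segmentation answer Rambaud describes is the kind of claim a due-diligence team can test rather than tick off. The following is an added example, not code from the article or from any firm quoted in it: it evaluates a constructed, hypothetical set of layered firewall rules for an acquired network and asks which segments can actually reach its cardholder-data environment, directly or by pivoting through another segment. All segment names, addresses, ports and rules are invented for illustration, and it assumes every enforcement layer sits inline on every path. The same check is worth repeating before the two corporate networks are connected.

```python
"""
Verifying a "yes, it's segmented" answer: an added illustration, not the article's
or any vendor's code. Every segment, address and rule below is constructed.
"""
import ipaddress

# Hypothetical segments of the acquired company's network (constructed).
SEGMENTS = {
    "corp_users": ipaddress.ip_network("10.10.0.0/16"),
    "mgmt":       ipaddress.ip_network("10.20.0.0/24"),
    "dmz_web":    ipaddress.ip_network("10.30.0.0/24"),
    "cde":        ipaddress.ip_network("10.40.0.0/24"),   # cardholder-data environment
}

# Each enforcement layer is an ordered, first-match rule list:
# (action, source CIDR, destination CIDR, destination port or "any").
# Constructed to resemble an exported firewall policy with an implicit default deny.
LAYERS = {
    "core_firewall": [
        ("deny",  "10.10.0.0/16", "10.40.0.0/24", "any"),   # users -> CDE blocked directly
        ("allow", "10.10.0.0/16", "10.20.0.0/24", 22),      # users may SSH to mgmt jump hosts
        ("allow", "10.20.0.0/24", "0.0.0.0/0",    "any"),   # mgmt segment trusted everywhere
        ("allow", "0.0.0.0/0",    "10.30.0.0/24", 443),     # anyone -> web tier
        ("allow", "10.30.0.0/24", "10.40.0.0/24", 5432),    # web tier -> database
        ("deny",  "0.0.0.0/0",    "0.0.0.0/0",    "any"),
    ],
    "cde_firewall": [
        ("allow", "10.20.0.0/24", "10.40.0.0/24", 22),
        ("allow", "10.30.0.0/24", "10.40.0.0/24", 5432),
        ("deny",  "0.0.0.0/0",    "10.40.0.0/24", "any"),
        ("allow", "0.0.0.0/0",    "0.0.0.0/0",    "any"),   # this box only guards the CDE
    ],
}

PORTS = (22, 443, 5432, 3389)   # services worth asking about (constructed list)


def first_match(rules, src, dst, port):
    """Action of the first rule matching the flow; no match means the implicit deny."""
    for action, rule_src, rule_dst, rule_port in rules:
        if (src.subnet_of(ipaddress.ip_network(rule_src))
                and dst.subnet_of(ipaddress.ip_network(rule_dst))
                and rule_port in ("any", port)):
            return action
    return "deny"


def flow_permitted(src_name, dst_name, port):
    """Assumption: every layer is inline on every path, so one deny anywhere blocks the flow."""
    src, dst = SEGMENTS[src_name], SEGMENTS[dst_name]
    return all(first_match(rules, src, dst, port) == "allow" for rules in LAYERS.values())


def allowed_ports(src_name, dst_name, ports=PORTS):
    """Ports on which traffic from one segment reaches another directly."""
    return [p for p in ports if flow_permitted(src_name, dst_name, p)]


def pivot_paths(start, target, ports=PORTS, max_hops=3):
    """Simple paths from start to target where each hop is a permitted (src, dst, port).
    This is what a checklist misses: 'not directly reachable' is not 'unreachable'."""
    paths = []

    def walk(node, path, visited):
        if len(path) >= max_hops:
            return
        for nxt in SEGMENTS:
            if nxt in visited:
                continue
            for port in ports:
                if flow_permitted(node, nxt, port):
                    hop = (node, nxt, port)
                    if nxt == target:
                        paths.append(path + [hop])
                    else:
                        walk(nxt, path + [hop], visited | {nxt})
                    break   # one permitted port per hop is enough to prove the pivot

    walk(start, [], {start})
    return sorted(paths, key=len)


def report(target="cde"):
    """Human-readable summary of direct and pivoted reachability into the target segment."""
    lines = []
    for seg in SEGMENTS:
        if seg == target:
            continue
        direct = allowed_ports(seg, target)
        lines.append(f"{seg} -> {target} directly: {direct or 'blocked'}")
        for path in pivot_paths(seg, target):
            if len(path) > 1:
                route = " -> ".join(f"{s}:{p}" for s, _, p in path) + f" -> {target}"
                lines.append(f"  pivot: {route}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On this constructed policy the corporate user segment is correctly denied any direct access to the CDE, which is the "yes, it's segmented" answer a questionnaire would record, yet the enumeration shows two two-hop routes into it (SSH to a management jump host, or HTTPS to the web tier and on to the database port). Real work replaces the inline rule lists with exported policy from each layer and, ideally, confirms the model with live probes from a host in each segment.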
Address risks early
If the pre-merger investigation uncovers significant risks, they should be addressed right away.
"If you have identified risks during the due diligence, you need to mitigate that, so when you connect your networks that risk is gone," said David Barton, CISO at security vendor Forcepoint. Forcepoint is the product of a recent merger between Raytheon and Websense.
Otherwise, the moment the two corporate networks are connected, an unmitigated weakness in the acquired company becomes a weakness of the entire combined company. In addition, the merger itself, with its new trust relationships and reorganized staff, may create fresh opportunities for attackers.