Due Diligence: Strong Security Practices Now Integral To M&A, Venture Capital Deals

If a company is looking to raise money or be sold, its balance sheet and management teams aren't the only things under the microscope.

A company's security practices and its chief information security officer (CISO) are rising in importance during the due diligence phase as high-profile data breaches increase, according to executives during a panel this week at the Intel Capital Global Summit held in Huntington Beach, Calif.

"From the perspective of acquisitions ... not only is the CISO increasing in importance inside the organization but, cross-functionally, they will inevitably be part of any due diligence team that is looking at a company for potential acquisition," said Jonathan King, vice president of cloud strategy and business development at CenturyLink Technology Solutions. "So you see a CISO raising its profile and importance both hierarchically and also cross-functionally inside of the companies."

[Related: Intel Capital Fuels 16 Startups With $62M]

Having a CISO on staff backed with sound security practices could mean the difference between a deal moving forward or not, said Andrew Serwin, a partner at law firm Morrison & Foerster, who represents companies during the due diligence process.

"I'm one of the people that ... does the diligence and reviews it, and it's beyond even saying the deal goes forward or not," Serwin said. "There are times where we'll kill the deal."

It's common now for sale documents to contain an indemnity clause on security-related issues, he said.

"The thing we do is we will put a huge hole back in [to the contract] and frankly say, if we see this problem you're paying for it after the deal closes," Serwin said. "Or even, there's just a pot of money that we'll go against and so you have to look at this as not just a sort of cost of compliance. If you get acquired by a big company, they're going to be concerned about it and they're going to want to hold someone financially accountable for it."

Security's role in deals getting done can't be underscored enough with some of the larger breaches that have occurred over the past year at retailers such as Target and Home Depot, said Jamie Dos Santos, founder, chair and CEO of Cybraics.

"Inside the organization, number one, you have to know what you're trying to protect," she said. "What are your most critical assets? And you need somebody to own that. That needs to be the responsibility across the entire organization, not just in IT or in the CISO place in the organization, but into the board, and have complete ownership of that."

When it comes to breaches, companies often tackle the technical side and fail to address what's happening outside the IT department, according to Serwin.

"Whatever size company you are, this is a governance issue," he said. "If you're big, it may be an SEC issue. If you're not as big, it may be an internal governance issue, but you've got to have the right people at the table understanding what's going on."

That point about having a security policy in place -- whether a company is large or small -- was underscored by CenturyLink's King.

"You also need to start to think, if you're a startup, what your security policies and postures are because at some point, as you either go for a round of traditional investing or you go for an exit or you go for public or scale, you're going to need to have early on security processes built in that don't come back to haunt you later on," he said.

PUBLISHED NOV. 7, 2014