
CPA Now Blog Archive

This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025.

Cybersecurity: Gathering Electronic Evidence before M&A

Organizations of all types and sizes face threats to their IT infrastructure from hackers, nation-state actors, and activists. For CPAs, auditors, and attorneys, a company's cybersecurity preparedness is now a material due diligence item on the M&A closing checklist.

Oct 29, 2020, 05:25 AM

Jeff Brenner, Esq., and Kai Pfiester, CEH


Organizations of all types and sizes face ever-increasing threats to their IT infrastructure from hackers, nation-state actors, and activists. The danger is so great that terms like ransomware, cyberbreach, business email compromise, and wire transfer fraud are now part of the lexicon of the corporate boardroom. The danger was spectacularly displayed in 2016 when Yahoo! and Verizon entered into negotiations and announced a $4.8 billion deal, only for Verizon to learn after the price had been set that Yahoo! had been hacked twice (in 2013 and 2014) and the data from 1.5 billion user accounts taken and sold on the dark web. The deal was later reduced by $350 million, but regulatory fines and civil settlements added millions more to the overall price tag.

For CPAs, auditors, and attorneys, cybersecurity preparedness is now a material due diligence item on the M&A closing checklist. CPAs and forensic accountants are familiar with the tools used to assess the value of contracts, trace income and expenses, and spot indicators of fraud. Knowing what data to ask for, with whom to speak, and how businesses typically generate income is central to those tasks. Determining an organization’s cybersecurity health relies upon similar knowledge.

At PICPA’s Transaction Advisory Services Conference on Nov. 18, 2020, we will explore how compromise assessments, risk assessments, and cyber-focused questionnaires can provide the information dealmakers need to assess the cyberattack risk a potential target faces, or if it has already been compromised.

A compromise assessment seeks to determine if a target has already been the subject of an attack but does not know it. In a typical incident response scenario, the company will have experienced some indicators of compromise—customers emailing that they are receiving spam messages, the company website being defaced, or a server having been ransomed. In an M&A transaction, the target has little interest in looking for trouble within its IT systems. A compromise assessment elicits this information for the buyer through the production of operating system server logs, firewall logs, anti-virus alert reports, and email server logs. These logs can reveal whether a target’s IT assets have experienced unauthorized access, when it happened, and if the actors are still there.
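As an added illustration (not code from the authors), the sketch below shows how one produced log can answer the three questions above: was there unauthorized access, when did it happen, and is the actor still there. The sshd-style line format, the sample lines, and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not from any real system).
SAMPLE_LOG = """\
2020-09-14T02:11:05 sshd[812]: Failed password for admin from 203.0.113.45 port 50122 ssh2
2020-09-14T02:11:07 sshd[812]: Failed password for admin from 203.0.113.45 port 50124 ssh2
2020-09-14T02:11:09 sshd[812]: Failed password for admin from 203.0.113.45 port 50126 ssh2
2020-09-14T02:11:12 sshd[812]: Accepted password for admin from 203.0.113.45 port 50130 ssh2
2020-09-20T08:30:00 sshd[901]: Failed password for jsmith from 198.51.100.7 port 41000 ssh2
2020-09-20T08:30:20 sshd[901]: Accepted password for jsmith from 198.51.100.7 port 41002 ssh2
2020-10-27T03:02:41 sshd[977]: Accepted password for admin from 203.0.113.45 port 50990 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def assess(log_text, as_of, min_failures=3, active_days=7):
    """Flag sources that logged in after a burst of failed attempts.

    min_failures and active_days are assumed thresholds, not standards.
    Returns {ip: {"first_access", "last_access", "still_active"}}.
    """
    failures = defaultdict(int)   # failed attempts seen so far, per source
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in other formats rather than guess
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif ip in findings:
            findings[ip]["last_access"] = ts      # later session, same source
        elif failures[ip] >= min_failures:
            findings[ip] = {"first_access": ts, "last_access": ts}
    for f in findings.values():
        f["still_active"] = as_of - f["last_access"] <= timedelta(days=active_days)
    return findings

if __name__ == "__main__":
    for ip, f in assess(SAMPLE_LOG, as_of=datetime(2020, 10, 29)).items():
        print(ip, f)
```

A real assessment would correlate these findings with the firewall, anti-virus, and email server logs as well, since a single log source rarely tells the whole story.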

For organizations that want to be proactive in preparing for a sale, a cybersecurity risk assessment will reveal the strengths and weaknesses of its people, processes, and technology in terms of cyber-readiness. It reviews the organization’s operational activities, its physical space, its IT perimeter (between internal and public interfaces), its internal networks, the endpoints attached to it, the applications running on them, and the data stored within them.

In situations where an organization has already experienced a cybersecurity event, such as a ransomware attack or denial of service attack that causes its operations to cease, many of these same techniques can aid a CPA in preparing a claim for business interruption damages. IBM’s “Cost of a Data Breach Report, 2019” revealed that business interruption losses represent 36% of the cost of a cyber breach, averaging $1.42 million per breach. Determining what computers/servers need to be replaced is just one part of the claim. Continued detection and monitoring costs, backup restoration, and data reacquisition from third parties are aspects of an IT rebuilding process that should be part of business interruption damage calculations.


Jeff Brenner, Esq., is general counsel for and a partner with Black Cipher Security in Cherry Hill, N.J., and Kai Pfiester is the chief security architect and founding partner.

