Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties. In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.

But some evidence suggests an area of third-party relationships where security still lags is mergers and acquisitions (M&A).

In a survey of “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”

That could be costly – very costly.

If a company’s value is largely based on its intellectual property or other proprietary information like customer data, and that information has been compromised through a breach, it could be in the hands of competitors, and therefore lose much of its value.

Also, if either company involved in a merger or acquisition has been breached, it is much easier for attackers to penetrate both companies, which could have catastrophic effects on the value of both. And based on the activity in the sector, M&As offer a large attack surface for enterprising cyber criminals.
A recent blog post by the security company FireEye noted that, “in the U.S., just during April and May there were almost 2,000 M&A events, while in Asia Pacific, M&A activity reached a record $367.7 billion during the first six months of 2015.”

All of which raises the obvious question: Why isn’t M&A due diligence focusing on the cyber security posture or history of companies just as much as their financials or market share, since both could be affected by a breach?

According to those in the field, the problem is being addressed, although substantial weaknesses remain, and it will likely take time for the smaller players to catch up.

“I think it is now on people’s radar, whereas before it may have been an afterthought,” said Scott Koller, counsel at the law firm BakerHostetler. “The problem is that it is not taken as seriously as it should be, or there is an under-appreciation of the risk.”

He said it is easy to adopt the so-called “check-box” mentality when evaluating the security posture of a company, as in: “Do you have a firewall? (check). Do you have anti-virus? (check).”

“But security requires understanding the type and volume of data stored by the organization, the regulatory and legal landscape, and the potential threats to the organization,” he said.

Sean Curran, a director of West Monroe Partners’ security and infrastructure consulting practice, agreed, noting that part of the problem is that for many companies, evaluating cyber risk is “still a strange enough topic that some of them are asking how to find the right person to do it.”

He said the purpose of due diligence in cyber risk is not to know whether a company can be hacked.
Indeed, the mantra in the security industry these days is that there are two kinds of companies: those that know they have been hacked, and those that have been hacked but don’t know it.

“The key is to know what you’re buying – what’s the ‘secret sauce’ that makes a company unique,” he said. “Is it financial, reputational, legal, and what is the value of that? And what might a breach cost?”

According to Michael Del Giudice, senior manager at Crowe Horwath, it is well worth investigating whether a target company has been breached and remains unaware of it. He cited a Ponemon Institute study that found it took retail companies an average of 197 days – more than six months – to detect a breach.

“If a potential acquirer relies on a questionnaire, it’s possible the target may not be aware of a breach that could significantly impact valuation of the firm,” he said.

That is also the message from Ron Arden, vice president and CMO at Fasoo.
“An acquirer needs to understand the assets and liabilities it is acquiring, and look at lack of adequate security as a business risk, just as leases, debt and potential litigation are liabilities,” he said.

That level of scrutiny is “very well established” at larger private equity firms like Blackstone, the Carlyle Group and TPG, with assets under management (AUM) in the $75 billion to $200 billion range, according to Eric Feldman, CIO of The Riverside Company.

“But there’s a huge gamut of sophistication among firms,” he said, “which means that for many smaller firms, the cyber side can be a weak point.”

However, that is improving even at smaller firms, he said, due to pressure from both the public and private sectors.

On the public side, the federal Securities and Exchange Commission (SEC) has regulatory authority over U.S.-based private equity firms with more than $150 million of AUM. “That covers most of them,” he said.

Over the past couple of years, the agency’s Office of Compliance Inspections and Examinations has issued several “Risk Alerts” dedicated to improving cyber security.

Those alerts come with some teeth, too. Feldman noted that the SEC has begun fining firms for inadequate security. Indeed, the SEC reached a settlement just last month with R.T. Jones Capital Equities Management that included a censure and a $75,000 fine for failing to prevent a hack that compromised the personal information of 100,000 customers.

And from the private side, limited partners like major pension funds, which are big investors in private equity, “want to know what controls the management companies have in place to make sure that the firm has established broader cyber awareness programs that protect critical data,” Feldman said.

Ask before you buy

Experts say there are a number of common questions that should be asked upon buying another company.

How likely is the company to have an existing, ongoing breach?
Has it suffered a compromise, whether or not it resulted in the loss of data? If so, what was the impact?
Would the company be able to identify a security incident if it were to happen?
What might it cost the company if it was breached?
Who is responsible for security?
Does the company interact with sensitive data protected by regulatory or industry compliance obligations?
Does the company utilize any third-party vendors that store, access or process sensitive employee, company or customer information?
Does the company send PII to entities outside of its home country and/or does it receive PII from entities outside of their home countries?
Does the company outsource any critical functions?

Koller agrees that scrutiny and regulation of security are important and necessary, but he added a caveat that the cyber risks of a company do not have to be a deal breaker. “It’s easier to fix a company with solid financials but poor security than it is to revive a company with great security but weak financials,” he said.

Beyond that, companies with histories that include data breaches – even a major one – may still be worthwhile targets for M&As. “An organization that has encountered one or more breaches in the past is better prepared to handle them in the future,” Koller said.

Curran agreed.
“Very few companies that have been in the headlines (for breaches) have lost market share,” he said. “There is a growing perception that an organization that has been attacked becomes a better organization. The perception is that I want to do business with them.”

While many small companies may lack the in-house expertise to perform adequate due diligence regarding security risks during an M&A, Curran and others said it should not be that difficult to find outside experts. He said his firm is one of a number that offer security consulting.

He said most companies that try to do a self-assessment “will get it wrong. Just knowing you have a firewall isn’t enough. And even for those that use a QSA (qualified security assessor), it may not be enough. Unfortunately, not all QSAs are created equal – some firms are more stringent than others.

“I have found in many cases that even organizations engaged with a QSA are not compliant because they drove the scope and the QSA did not push back,” he said.

Del Giudice added that while some target companies might have cyber risks that are low enough to warrant an evaluation that simply relies on a questionnaire, that is not enough for those at higher risk.

“Companies performing due diligence should consider performing an in-depth onsite analysis that doesn’t just identify previous incidents, but understands how the organization identifies and responds to incidents, assesses systems for unidentified breaches, and evaluates the organization’s capabilities to mitigate cybersecurity risks,” he said.