SAN FRANCISCO, CA--(Marketwired - Feb 25, 2016) - Hidden security flaws in software and network infrastructure pose great risks to successful mergers and acquisitions, and yet assessing the security of target companies is commonly omitted from the M&A due diligence process. According to the team at AsTech Consulting -- independent cyber security experts specializing in software and IT infrastructure security -- unidentified vulnerabilities can heavily influence the value of an acquisition, and more investment advisors and corporations are working with AsTech to uncover hidden security issues to guide valuation and deal negotiations.

"A few years ago security audits were just for 'tech' companies but today almost every business is dependent on increasingly vulnerable, interconnected technology. Buyers no longer see this as an isolated 'IT' issue, it's become a boardroom issue," said David Fox, Managing Director, Strategic Value Advisors.

Assessing security issues and overall cyber risk is seldom considered as part of due diligence in merger and acquisition discussions, but this is changing. Negotiating parties examine revenue, assets, inventory, channels, and partnerships, but fail to recognize that a security weakness in the network infrastructure or source code may compel remediation costs that annihilate a significant percentage of the subject valuation. Security breach remediation and customer notification routinely cost companies hundreds of thousands of dollars, if not millions. For example, there are 47 states with "breach notification" laws and, according to the National Conference of State Legislatures, the average cost of a security breach customer notification alone in 2014 was $500,000.

"Hidden security issues can have a profound impact on any merger. In one recent case, the acquisition target discovered a breach during negotiations that affected their customers as well as the company itself. The acquiring company simply walked away from the table," said Greg Reber, founder and CEO of AsTech Consulting. "To meet the market's need, AsTech has launched an M&A Security Due Diligence Practice. Developed with M&A advisors, venture capital investors and security practitioners, this service focuses on getting useful information to the right players quickly, before it's too late to have an effect on negotiations."

Dr. Martin Carmichael, former CISO of TD Ameritrade and McAfee, agrees, stating: "As CISO of TD Ameritrade, I engaged AsTech to perform a security evaluation after an acquisition deal was done. They discovered critical security flaws, which required significant remediation costs. This information would have affected the valuation, and negotiations."

Guy Henshaw, board member of payroll company Evolution HCM, notes: "AsTech has helped our company assess the cyber risk of potential acquisitions on three occasions. They are adept at quickly assessing and analyzing risks: distilling results into very succinct reporting with recommendations. We will not go into a deal without the AsTech Due Diligence Cyber Risk Assessment."

Depending on 'deal-specific variables,' there is a range of scrutiny that may be applied to this type of due diligence. A software company being acquired for the software itself doesn't need an IT infrastructure assessment, but rather a software security analysis which in most cases could produce key results within a few business days. 

"The business climate is changing and chief executives and board members are being held accountable by shareholders, employees, and others for costly security breaches," Reber said. "Legal disclaimers no longer excuse liability. Smart executives are scrutinizing security in advance, rather than waiting for hidden problems to emerge that can create costly remediation. Assessing security vulnerabilities in advance strengthens your negotiating position, regardless of which side of the table you're on."

About AsTech Consulting
AsTech Consulting has been helping Fortune 1000 companies manage risk and protect vital information assets since 1997. AsTech's technical team are true Internet security experts, providing a full suite of services focused on risk management and mitigation including Vulnerability Discovery and Remediation, Secure Development Training, Secure Software Development Lifecycle Consulting and Security Architectural Design.

For more information, visit

Contact Information:


Tom Woolf
Public Relations Director
Gumas Advertising