Case Study: Assessing Acquisition Targets


Jones Partners*, a 60 employee private equity firm based out of Pennsylvania, was looking to acquire a smaller target company within the same market. Prior to commiting, Jones* approached Kalki to conduct a 3rd party assessment of the target company’s technologies. Due to the significant regulations facing financial institutions, conducting a 3rd party assessment of the acquisition target would help in making Jones’* final go or no-go decision.

Kalki provided a full assessment of the target company’s information technology and developed benchmarks for Jones*. This information helped Jones* to accurately identify key risk indicators and provided them with a full understanding of the policies and procedures in place at the target company.



  • Inexperience with identifying and evaluating risk
  • Possibility of risk exposure through acquisition
  • No knowledge of target company’s internal information security processes
  • Inability to prepare for acquisition

Potential Impact

  • Increased risk of breach
  • Lost revenues
  • Threatened brand


Kalki performed a full assessment of the target company’s policies and procedures as well as identified the necessity of creating new roles and responsibilities for the target’s IT infrastructure.

Kalki found that filling the role of a CISO would provide the target company IT direction in line with Jones’* business objectives. Full policies and procedures needed to be implemented and processes were not clearly defined or reviewed on a periodic basis. These issues lead to inconsistency in IT and created potential areas of breach.



Kalki’s testing unveiled existing vulnerabilities in the target company:

  • Lack of strong security leadership or knowledge
  • Limited use of subcontractors or vendors
  • Little to no information security policies or procedures in place
  • No management oversight of information security procedures
  • Staff responsible for the management of information systems lacking in appropriate skills to reduce IT risk
  • No formalized data classification

The Road Ahead

Kalki found that while the target company had a few policies and procedures in place, there were far from complete and not integrated into their business practices. The company lacked executive Information Security leadership, governance structure and procedures to execute policies. These vulnerabilities could easily result in an unexpected breach for Jones* following a merger. Kalki’s report enabled Jones* to work with the target company to improve their IT position. The report detailed the controls that needed to be implemented within the target company to reduce exposure to an acceptable level for acquisition by Jones*.

Printer friendly version

Key facts


  • Industry: Financial Services
  • Regulations: Financial Services & SEC
  • Inexperience with identifying and evaluating risk
  • Limited knowledge of target company’s IT procedures and infrastructure


  • Assessment of IT infrastructure
  • Assistance in development of policies and procedures for operations
  • Develop benchmarks for future information security assessments
  • Identified key high-risk areas


  • Improved security organization in target company
  • Allowed Jones* to enter into acquisition talks with full understanding of risks



envelope_64pxDon’t miss a thing! 
Sign up to receive important security alerts about
your devices both at home and work.

Pin It on Pinterest

Share This

Share This

Share this with your friends!