Given the current cyber environment—with companies of all types targeted by hackers, and with large, sophisticated organizations reporting major data breaches—one would expect cybersecurity assessment to be a standard component in the M&A due diligence tool kit.
Surprisingly, that’s not always the case: one recent industry study found that 78% of deal makers believe that cybersecurity is not a risk that’s currently analyzed in-depth, or even addressed properly in the due diligence process.
For buyers and sellers alike, expertise in assessing data-related risks must be applied at the front end of every transaction and throughout the deal, to gain a reliable and complete assessment of the target company’s cyber exposure and readiness. This will ensure that deal terms and deal value are equitable, and that post-closing opportunities to strengthen security can be implemented. applied.
Here are a few critical questions that buyers should ask, and that sellers should be prepared to answer, in the due diligence process:
What’s the nature and risk profile of the data? The target company should clearly articulate what IT systems, data sets and business processes are most valuable and vulnerable, and explain how the company protects and exploits them. This review is only partly about data privacy, as contractual rights and IP protection can also affect the data’s valuation.
What cybersecurity controls and crisis management plans are in place? The target company should summarize administrative, technical and physical information security controls that safeguard its most critical data sets. These include technical controls—boundary and malware defense, data encryption, intrusion detection systems, etc.—administrative measures and physical security. A documented crisis management/incident response plan should also be in place.
How cyber savvy is senior management? If the target company’s senior leadership does not demonstrate a sophisticated understanding of data security risks, that suggests the responsibility is siloed within the IT or information security functions. If the entire internal culture is not focused on data security, the company is at much higher risk.
What’s your 3rd party exposure? If vendors hold or have access to sensitive data, the target company should have a formal vendor risk management program, as well as detailed agreements and supervision disciplines that address a broad range of legal, liability and procedural issues.
What does your cyber insurance really cover? Most cyber insurance policies cover expenses related to data breach and privacy crisis management, but buyers need to closely examine policies for details, such as exclusions, deductibles, coverage periods and limitations.
Can we stress test your security protocols? A target company’s evidence in due diligence can sometimes be aspirational, rather than reflective of operational reality. A primary due diligence objective should be to probe and test, within reason, whether the target company’s representations stand up to scrutiny.
Most officers and directors understand the impact of software application and data security vulnerabilities on their organization’s proﬁtability and reputation, as well as the disruption to productivity and business processes. However, M&A practices are only now beginning to adopt the rigor and sophistication required to properly evaluate those assets and risks prior to a transaction.