Mergers and acquisitions (M&A) enable companies to add products and services to their portfolios, giving them a way to scale their business. To gain true visibility into a company’s long-term impact on your organization’s bottom line, you need to understand all of its assets and liabilities, including digital ones. If you’re looking to add to your current portfolio, understanding how cybersecurity due diligence works in M&A can help you evaluate how a target’s security posture affects your financial bottom line.
When should organizations engage in a cybersecurity risk evaluation?
Acquiring or merging companies should engage in a cybersecurity risk evaluation as soon as possible. However, research indicates that most organizations wait until the transaction execution stage before assessing cybersecurity.
According to a Q4 2019 IBM Institute for Business Value survey, of 720 executives responsible for M&A functions at acquirer organizations, more than ⅓ said they experienced a data breach attributed to M&A activity during the integration. Moreover, almost ⅕ experienced breaches post-integration. Further, only 38% of organizations engage in a comprehensive cybersecurity assessment prior to the transaction execution phase.
Waiting until the M&A is nearly complete leaves organizations unprepared for long-term financial risks. As soon as M&A news begins circulating, cybercriminals look for backdoors into one or the other party’s networks and systems. Exploiting a security weakness at this stage gives malicious actors both a short-term and a long-term benefit. They can gain access before the merging or acquired entities notice the weakness and fix it, and because they gained that foothold before integration, they can remain hidden in the networks and systems afterward, with access to both companies’ sensitive information.
The earlier companies can effectively and objectively evaluate cybersecurity risk as part of the M&A process, the better they can evaluate the total cost of assets and liabilities.
An M&A cybersecurity risk checklist
As with other assets, the two parties to the transaction need visibility into the whole liability picture.
Create a cyber aware M&A team
You need to make sure that you’re including cybersecurity professionals as part of any M&A activity. When building out your team, you should consider:
___ Including the CISO
___ Creating a formal reporting mechanism for cybersecurity risk
___ Understanding your organization's cybersecurity risk tolerance
___ Creating metrics for measuring target cybersecurity
___ Aligning business strategy with cybersecurity risk
Review target organization cybersecurity posture
You need to understand how the target organization views security. Understanding the maturity level is a good way to get started. This includes requesting and reviewing:
___ Publicly available data breach information, including news reports or data breach notifications
___ Cybersecurity risk assessments
___ Cybersecurity policies, processes, and procedures
___ Incident response policy
___ Recent audit reports
___ SOC Type I or Type II reports
Digital asset discovery
Organizations can only protect the digital assets that they know they have. Asset discovery is the process of identifying and cataloging all active and inactive users, tools, and devices that connect to a network, then mapping their usage.
As part of the due diligence process, organizations should ensure that they have an up-to-date asset catalog that includes:
___ All IP addresses
___ User inventory
___ Network devices (routers, switches)
___ Physical and virtual machines
___ Cloud services providers
___ Data storage locations
___ Application stack
Engage in independent review
As part of the process, you need to ensure that the records provided are up-to-date. The further into negotiations you go, the more assurance you need.
Although you may not want to engage in a full-blown audit, you should consider:
___ Reviewing penetration test reports
___ Engaging a penetration testing firm
___ Deep web and dark web research for leaked information, like sensitive data or credentials
___ Network monitoring
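One way to check that the asset catalog described above is complete and that the records provided are up to date is to reconcile the target’s declared inventory against what network and authentication logs actually show. The script below is an added example, not code from the original post or from SecurityScorecard; the catalog, log format, and timestamps are constructed sample data, and the 30-day inactivity threshold is an assumed value.

```python
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: the target company's declared asset catalog (hypothetical data).
DECLARED_ASSETS = {
    "10.0.1.10": {"type": "server", "owner": "finance"},
    "10.0.1.20": {"type": "router", "owner": "netops"},
    "10.0.1.30": {"type": "printer", "owner": "facilities"},
    "10.0.2.5": {"type": "vm", "owner": "dev"},
}

# Constructed sample network/auth log: "<ISO timestamp> <source IP> <user or ->".
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.1.10 alice
2024-03-02T09:30:00 10.0.1.20 -
2024-03-03T10:00:00 10.0.3.7 bob
2024-01-05T11:00:00 10.0.2.5 carol
"""


def parse_log(text):
    """Build {ip: {"last_seen": datetime, "users": set}} from observed activity."""
    seen = {}
    for line in text.splitlines():
        ts, ip, user = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        entry = seen.setdefault(ip, {"last_seen": None, "users": set()})
        when = datetime.fromisoformat(ts)
        if entry["last_seen"] is None or when > entry["last_seen"]:
            entry["last_seen"] = when
        if user != "-":
            entry["users"].add(user)
    return seen


def reconcile(declared, observed, now, inactive_after=timedelta(days=30)):
    """Flag assets seen but not declared, declared but never seen, and declared but stale."""
    undeclared = sorted(ip for ip in observed if ip not in declared)
    never_seen = sorted(ip for ip in declared if ip not in observed)
    inactive = sorted(ip for ip, e in observed.items()
                      if ip in declared and now - e["last_seen"] > inactive_after)
    users = sorted(set().union(*(e["users"] for e in observed.values())))
    return {"undeclared": undeclared, "never_seen": never_seen,
            "inactive": inactive, "users": users}


def demo_report(now="2024-03-04T00:00:00"):
    """Run the reconciliation on the constructed samples as of the given date."""
    return reconcile(DECLARED_ASSETS, parse_log(SAMPLE_LOG), datetime.fromisoformat(now))
```

Each flagged category maps to a due-diligence question: undeclared assets point to gaps in the target’s discovery process, never-seen entries suggest a stale catalog, and inactive declared assets are candidates for decommissioning before integration.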
Apply financial value
After gathering the information, you need to consider how it impacts the overall deal. The research only adds value to your M&A activities if you can quantify the liabilities.
Similar to how you evaluate cybersecurity risk before engaging with a third-party vendor, you need to consider potential costs arising from:
___ Security vulnerabilities or data breaches that remain undiscovered prior to the M&A
___ Need for new detection tools
___ Need for new monitoring tools
___ Need for new investigation tools
___ Additional staffing
___ Potential security weaknesses occurring during integration
___ Cyber risk insurance premiums
SecurityScorecard: Risk monitoring for M&A
M&A activities enable your organization to scale. However, to fully realize the business value from a merger or acquisition, you need full visibility into all financial risks, including those from cybersecurity.
SecurityScorecard’s security ratings platform offers real-time risk visibility across ten categories of risk. SecurityScorecard’s Atlas platform uses Artificial Intelligence (AI) and machine learning (ML) to help organizations send and validate security questionnaires. Our secure platform makes it easy for you to send M&A security questionnaires and validate responses in real time.