Posted on Sep 25, 2019
When it comes to finance and legal issues, the due diligence process of a merger or acquisition is well outlined. During due diligence, the seller presents a potential buyer with insights into their company’s financial and legal background, so that the buyer knows exactly what sort of business they’re buying, and what risks they’re taking on.
When it comes to cyber risk, however, the due diligence process is less defined despite the fact that cyber risk can be just as big of a deterrent for buyers as financial risk.
A recent survey from Freshfields found that 90% of respondents believe security breaches devalue a deal, while 83% think breaches — particularly one that happens mid-transaction — are a deal breaker. Despite the fact that cyber risk can derail a deal, 78% of respondents to that study said that infosecurity is not a risk they’re dealing with during the due diligence step of a merger or acquisition.
That’s where cyber security ratings come in.
A security rating is a score generated by an intelligent security platform that analyzes a company’s internet-facing presence for risks. These risks can include misconfigurations that expose data to the open internet, for example, or organizations that are out of compliance with specific standards.
SecurityScorecard’s security platform, for example, monitors cyberhealth across 10 groups of risk factors with 92+ signals so you can see, at a glance, where problems are and what actions should be taken when any problems are discovered. This sort of visibility into the cyberhealth of any organization is a critical tool during mergers and acquisitions for several reasons.
Buyers need to understand the risk they’re taking on before they purchase a company. It’s much like buying a house. When you’re buying a home, you want to know if it’s been through a flood, or another natural disaster that might have weakened the home’s structure. Breaches are like that – a data breach can result in financial and reputational loss, and so, if you’re buying a company you want to know if it’s suffered a breach, and if so, what steps were taken to discover and address that breach. It’s important to understand the potential acquisition’s security posture, compliance, and ability to quickly and effectively remediate vulnerabilities. Security ratings allow potential buyers to monitor the cyberhealth of acquisition targets before a deal is made.
Security ratings not only point out risk, they also tell a prospective buyer which issues should be corrected. Buyers can use this information during the acquisition process to make requests of the seller, asking that specific cyber security standards be met, and tracking progress on that mitigation work during the deal.
When you’re applying for a loan or a mortgage, chances are you’ll check your credit rating before the bank does, because you want to know what the bank sees when they check your credit history. Security ratings help you do the same thing; if you’re selling your company, you want to know what your prospective buyers see while they’re doing their due diligence on your assets.
Surveys and questionnaires are one way of evaluating a company’s infosecurity, but they’re static resources; they only capture an organization’s cyber risk at one moment in time. An organization may be in compliance when a survey is filled out, but within a week they may fall out of compliance when they fail to install a patch in a timely fashion, or an Amazon Web Services (AWS) bucket is incorrectly configured. They’re also time-consuming, both for the person filling out the questionnaire and for the person who must read several such questionnaires. Automated tools that generate security ratings are constantly monitoring your online presence for risks. At any given time, they can offer you a complete, updated picture of a company’s cyber security.
No matter whether you’re buying or selling, during the merger and acquisition process, you’ll be speaking to colleagues throughout your organization. Not all of those colleagues are likely to be technical, and they may not understand the finer points of cyber security risk and compliance. During those conversations, you’ll be expected to provide them with the clearest possible picture of cyber risk. Security ratings are a tool that allow you to easily explain cyberhealth to your least technical colleagues — SecurityScorecard’s ratings use an easy-to-understand A-F scale, so you can show leadership a letter grade first, and then use our scorecards to show them exactly the risk associated with a potential acquisition.
Due diligence isn’t easy, but SecurityScorecard’s easy-to-understand security ratings can help you continuously monitor every potential acquisition in your portfolio for risk and breaches.