Given the frequency of cyber incidents and their rising cost, cybersecurity due diligence has become a fundamental part of any merger or acquisition process. Yet asking about a target's cybersecurity practices during a negotiation too often remains a last-minute conversation between the deal team and the security team. This lackadaisical approach to assessing risk can leave the purchasing company carrying liabilities it never priced into the deal.
In many M&A deals today, the level and complexity of the cyber risk being acquired is not easily identifiable, and sometimes not known at all. A cautionary example is Verizon's acquisition of Yahoo, which was nearly derailed when Yahoo disclosed, after the deal was announced, further details of breaches that compromised billions of user accounts; the purchase price was renegotiated downward as a result.
Cyber due diligence should run as a core activity within the overall M&A evaluation process, and it must start early so that threats can be identified and mitigated before the acquisition is signed off. As the evaluation process moves into deeper analysis, so should cyber due diligence. To do this effectively, companies need to develop and follow a cybersecurity due diligence process that starts with understanding the target's security posture before the deal and ends with continuous monitoring and analysis after it. Companies need a proactive, not reactive, stance.
Think of cyber due diligence as a four-stage process, with each stage deeper and more thorough than the last. Approach each stage with the same urgency and level of detail as the rest of the traditional M&A process.
Stage 1: In the earliest phases of the evaluation, identify the financial risk the target carries because of cyber risk. Questions to ask:
- What are the valuable digital assets held by the target company, and which of them would the acquirer be inheriting?
- What is the financial risk profile of the target company?
- Does the company have controls in place to address these risks?
Stage 2: Next, understand the coverage and effectiveness of the overall governance policies, IT landscape, and cybersecurity stack of the target. Questions to ask:
- What is the company’s cybersecurity strategy, and what cybersecurity tools are being used?
- How compliant is the business with established cybersecurity standards?
- What are the cyber insurance policies of the target company?
- How has the target company faced and recovered from past attacks? (Note: a successful past attack does not by itself mean the present controls are weak; how the incident was detected, contained, and remediated says more about current security health than the fact that it happened.)
Stage 3: During due diligence, conduct an inside-out analysis, using actual signals from the security tools the target has in place rather than only external assessments, to understand the company's true security health. Questions to ask:
- How effective are the security controls against the threat models that apply to the target?
- What’s the likelihood of a cyber risk scenario materializing?
- What are the top security gaps? How much budget does the company need to fix these gaps?
Stage 4: After the acquisition closes, continue to conduct real-time analysis throughout the integration phase and after it. Questions to ask:
- How do we create an integration roadmap that minimizes the chance of increasing the cyber risk of the new combined entity? (Note: it is not all about technology; people and processes are just as important.)
- How do we recalibrate the cyber risk profile of the new entity?
- How do we create a roadmap of further reduction of cyber risk?
Cybersecurity due diligence cannot be deferred until after the acquisition. What if the combined company is attacked just after the deal closes, or the acquired company turns out to have been breached shortly before it? Those situations cause financial and reputational losses, and they can undermine the targeted returns of the acquisition. A 7-year business case might suddenly become a 10-year journey, and portfolio returns could go south.
M&A due diligence requires as much know-how about cyber risk as it does about business integration, and it requires that know-how before the negotiation phase. Organizations need to take the time to understand the cybersecurity strategy of a potential acquisition target. They also need to determine whether the target has the right risk-management strategy and the right cybersecurity tools. A company that integrates cybersecurity into its due diligence process has performed a thorough investigation and can better judge whether the potential acquisition makes sense.
Pankaj Goyal, senior vice president, data science and insurance, Safe Security