Cybersecurity and M&A due diligence
September 2014 | PROFESSIONAL INSIGHT | MERGERS & ACQUISITIONS
Financier Worldwide Magazine
It’s clear that cyber risk needs to be a focal point for businesses as it’s critical to ensuring growth, profitability and innovation. Yet, one area of business where there seems to be a disproportionate amount of discussion about cyber risk is in M&A talks. A recent study published by international law firm Freshfields Bruckhaus Deringer found that 78 percent of global respondents “believe cyber security is not analysed in great depth or specifically quantified as part of the M&A due diligence process”. This is despite the fact that almost two-thirds (64 percent) said “a cyber incident mid-deal, or the identification of past data breaches during due diligence, could have an impact on the transaction”.
That means that dealmakers are aware of the inherent risk of cyber threats to businesses but generally are not addressing them during the due diligence process. With purchases of cyber insurance booming, and expectations that the security market will reach $67bn this year, it’s surprising to learn that such a large number of respondents are overlooking something that can have a direct effect on the transaction. After all, in our data-driven economy, when a company acquires a new entity, they are also acquiring their risks. So why would M&A teams be so lax during this component of diligence? Apparently, because it’s hard: “66% say cyber risks are ‘very difficult’ to quantify given the time pressures involved”.
What can parties do to improve their cyber diligence efforts during an M&A deal?
Configuration comes first. Before delving into network issues, verify that the organisation is following basic configuration hygiene: Does the potential acquisition have a properly configured SPF record? Do their domains have valid SSL certificates? Are they vulnerable to the Heartbleed vulnerability? These important questions can reveal basic problems that may indicate much bigger issues under the surface.
Test and assess the network. Evaluate policies, procedures and technology to determine how seriously the target company has taken data security. Know where the company holds valuable information and how they are protecting it. What protections are in place to defend against an attack? What have they done to prevent future incidents? What is lurking in their network today? What level of risk has been outsourced and what are they insured against?
Look at past performance. Is the company more or less secure than it was this time last year? What factors are impacting effectiveness and can it be improved? The addition of historical performance data, as well as information about specific threats, incident response times and configuration details can provide context for the acquiring company about the overall security health of the organisation.
Compare against peers. When looking at a potential acquisition, what can their industry and peers tell you about their general security performance? For one, it can immediately demonstrate whether they are above or below the average of similar companies when it comes to security. But perhaps even more important, looking at what common infections affect an industry or how long it takes peers to respond to security events can raise an important question: What security challenges face the potential acquisition and will there be a need to invest significant time and resources to bring them up to a reasonable level of security performance?
Don’t stop with the network in front of you. Look at third party partners, suppliers, vendors and more. Because companies are only as secure as their weakest link, M&A teams need to extend their diligence into key third party networks. In an acquisition, some relationships may be carried over and teams need to be sure that this component is not overlooked. It may take additional time and resources, but it’s worth the extra effort to make sure you aren’t buying into the next Target.
Consider insurance. Just like in the case of a fire or tornado, insurance for cyber security could help cover some of the liability in the event of a breach. The presence of a cyber insurance policy also shows that the company has done some diligence in protecting themselves from a breach. In fact, the Department of Homeland Security’s new ‘Handbook on Cyber-Risk Oversight’ lists insurance as an option related to legal liability that companies might want to consider and that could be worthwhile in order to cover the considerable costs that a data breach might entail.
Assessing cyber risk is neither fast nor easy, but as our economy becomes more reliant on data as an asset, we expect that organisations will seek out new tools to assess cyber risk and adopt stricter policies during M&A discussions.
Tom Turner is an executive vice president at BitSight Technologies. He can be contacted by email at firstname.lastname@example.org.
© Financier Worldwide