This article is a sidebar to M&A Due Diligence: The Devil In Their Data
To understand and address the cybersecurity risks involved in an M&A transaction, consider these 6 questions.
Does the target know what it is protecting? Identifying data assets and mapping them to particular systems is a bedrock cybersecurity practice—but it’s also a complex and expensive information infrastructure investment. Organizations that have tackled this challenge are much more likely to have thought about protecting those assets. On the other hand, those with only rough, general impressions of their information resources are less likely to have designed appropriate risk-based defenses—and may not even be aware of valuable data within their own systems.
What organizational and technical measures does the target have in place to protect those assets? Take a serious look at the equipment, employees, policies and procedures that the target uses as its lines of defense to prevent and limit cyberattacks. Cybersecurity threats come in many shapes and sizes, from business insiders and financially motivated criminals to state-sponsored attackers. Each of these attackers may use different methods and tools, and companies must be prepared to prevent and defend against all of them.
What cybersecurity audits and testing are performed? Are gaps tracked and closed? What risks have been “accepted”? Due diligence should include an examination of the target’s compliance, such as cybersecurity tests and audits used to evaluate its defenses. A lack of such materials is a red flag. Unlike financial audits, it is common for these reviews to reflect the “move fast and break things” mentality of data operations.
Errors and gaps should not necessarily be seen as problems. The key issue is the organization’s response. Effective cybersecurity requires iterative cycles of designing defenses, identifying vulnerabilities and improving defenses. Organizations that lack the ability to engage in self-reflection will likely fall behind. “Risk acceptances” can also be a valuable source for evaluating issues the company has decided not to fix.
What governance structures exist to ensure the cybersecurity program is functioning well? Boards today need to have a significant paper trail of communications regarding cybersecurity. A file that shows only reports to the board—and no directions from the board—may indicate a less mature governance program.
Does the protection of information assets extend to service providers? Understanding how the target manages the cybersecurity of its service providers is key. A common blind spot is how data is protected when it sits outside of the company’s own servers. Many businesses depend on external service providers for everything from cloud infrastructure to customer service. The underlying contracts will often demonstrate whether the company’s lawyers are working effectively with its technologists: the protections they contain run the gamut from terms appropriate to the use of the data, to a generic cybersecurity clause that lacks teeth, to outright neglect.
What is the target’s history of responding to cybersecurity events? Companies that report no prior incidents may not be candid or, perhaps worse, may lack the ability to detect when they have been hacked. Due diligence requests should include questions about whether the target has had past breaches or cybersecurity incidents and how the company responded to such events. Incident response planning and incident documentation that reside only with the technologists and do not include lawyers, communications specialists and executives are a red flag. All executive functions must play a role in the management of cybersecurity risk, and there needs to be clear ownership and centralized direction at the target in response to a cybersecurity incident.
Due diligence investigations should also examine response capabilities, whether continuity plans exist and have been tested, and whether the target has cybersecurity insurance. Ideally, the target should conduct mock incident responses and have the key technical, legal, communications and other external resources necessary to respond to a major incident in place.