As recent ransomware attacks and the cyberwar we’re currently witnessing as part of the Russia/Ukraine conflict have shown, cyber incidents are now a major risk for businesses. And this is a factor that must be considered in M&A. If you’re thinking about an acquisition, you need to be able to accurately gauge the risk exposure associated with your target. But potential acquirers often overlook cyber hazards – and miss out on valuable opportunities to enhance cyber resilience. The solution? Cyber due diligence.
Cyber Risk: A Major Deal Breaker
When we talk about due diligence, we generally think about scrutinizing the financial health and market potential of a possible investment. While these tasks are still at the heart of M&A, the ever-increasing importance of digitization means that they’re now only part of the story.
Digital tech is key to today’s companies’ competitive edge and to opening up new areas of business. With digital transformation gathering pace in all sectors, there are currently few, if any, companies that are not exposed to some kind of cyber risk.
It’s hardly surprising, then, that data and cybersecurity are the biggest cause of deal withdrawals in M&A. And as cyberattacks continue to grow in number and sophistication, it’s imperative that companies evolve their due diligence to take the associated hazards into account.
Due Diligence: It’s About More than Just Financials
These challenges have given rise to a new discipline: cyber due diligence. By adopting this approach, companies embarking on a merger or acquisition broaden their focus beyond the traditional examination of financials and property, plant, and equipment to take in the many and varied sources of digital threats.
However, many businesses that perform cybersecurity due diligence still tend to use a combination of old-school spreadsheets and lists. And the process is further impeded by the unwillingness of targets to share the necessary information before the deal is closed.
When assessing cyber risks, due diligence teams often have to resort to simple checklists comprising a series of yes/no questions, making it anything but easy to gain 360-degree visibility into a target’s cybersecurity.
Before considering more effective ways of tackling this challenge, let’s take a closer look at what effective cyber due diligence entails and at some of the things that set it apart from the list-based approach outlined above.
The A, B, C of Cyber Due Diligence
It’s important to realize that cyber due diligence isn’t so radically different from other, more traditional due diligence tasks. You can think of it, rather, as another tool that you can deploy to make informed decisions.
In addition to analyzing the target’s financial stability and health, prospective acquirers now review the risk posed by its digital technologies. This involves identifying and addressing risks throughout the corporate information and data network and uncovering loopholes in the associated security systems.
As a result, stakeholders can pinpoint key areas of vulnerability and tackle sources of risk before they are exploited by hackers. What’s more, cyber due diligence helps determine whether the target company is toeing the line in terms of the strict requirements for handling and protecting data.
Mapping out the Target’s Threat Landscape
Let’s now zoom in on some ways you can effectively address cybersecurity as part of due diligence. First up is the assessment of cyber threats. Here, dedicated intel is key. This entails high-level research to determine the target’s threat profile – for example, by identifying past cyber risks.
Understanding threats from the dark web and other Internet sources is another important task at this stage. Companies that lack the skills needed to conduct research of this kind, can call in consultancy firms with extensive hands-on experience. The resulting report on the threat landscape can be highly valuable when it comes to determining the nature and scope of subsequent due diligence efforts.
Diving Deeper into Cyber Risk
Next up, acquirers take a long hard look at their own and their target’s IT systems. Here, they draw on information about every aspect of these environments – from networks and operating systems through to databases and applications.
The aim here is not only to identify risks, but also to determine opportunities for optimization. And findings at this stage can provide a critical foundation in business negotiations further down the line.
Putting IT Systems to the Test
Finally, acquirers put the target’s IT infrastructure through rigorous penetration testing. This involves authorized simulations of attacks on computer systems to evaluate system security. Ultimately, the goal is to discover vulnerabilities across the target’s environment before hackers do.
Penetration tests give acquirers and targets alike an opportunity to review existing safeguards and see where systems fall short of security requirements. Here, too, the findings can feed into later negotiations.
Cyber Due Diligence: It’s About More than Just Tech
Naturally, cyber due diligence is primarily about technology. But to be really successful, activities of this kind must do more than just outline cyber risks and propose ways of mitigating them. They must also determine the responsibility, cost, and timeline for remediating each issue uncovered.
Do you have experience with cyber due diligence. If you do, why not share it in the comments? And if you’re interested in taking a deeper dive into this fascinating and important topic, feel free to reach out to me.