Common Objections and Rationalisations:

  • “Our production systems are completely isolated from outside access.”

  • “Our system is secure because it would be impossible for an outsider to understand it.”

  • “We’re not a likely target. We’re not important or interesting enough to attract hackers.”

  • “We’ve never had a problem. There has been no intrusion or disruption in our production network.”

  • “It hasn’t happened yet, so it seems unlikely. I don’t think it will happen.”

  • “We can’t justify the expense and manpower.”

Being vulnerable is not your fault. Staying vulnerable definitely is. Cyber security is much more than a matter of IT. Passwords are like underwear: don’t let people see them, don’t leave them lying around, and change them regularly. It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it. Technology trust is a good thing, but control is a better one. No technology that’s connected to the Internet is unhackable. Social engineering bypasses all technologies, including firewalls. Phishing is a major problem because there really is no patch for human stupidity. If you think you know it all about cybersecurity, this discipline was probably ill-explained to you. My message to companies that think they haven’t been attacked is: “You’re not looking hard enough.” Never underestimate the determination of a kid who is time-rich and cash-poor. Time is what determines security. With enough time nothing is unhackable. Data is the pollution problem of the information age, and protecting privacy is the environmental challenge.

Understanding the Importance of Cybersecurity Due Diligence

Organisations are increasingly relying on third- and fourth-party vendors and service providers to carry out day-to-day operations. As this trend grows, organisations must monitor third-party vendors and acquisition targets and perform a thorough due diligence review of all prospects in order to protect against cyber threats and avoid liability for damages should sensitive information be compromised. Cyber due diligence is especially important in the case of mergers and acquisitions, as it helps acquirers make better-informed decisions regarding cybersecurity and related responsibilities.

What is cybersecurity due diligence and why does it matter?

Cybersecurity due diligence is the process of identifying and remediating the cyber risks of third-party vendors. It is often used to identify risks associated with potential targets for mergers & acquisitions. When conducting due diligence, organisations should collect insights into a third-party vendor’s existing cybersecurity posture and IT security efforts. This way, the acquirer becomes aware of the cyber risks and vulnerabilities it may be inheriting from the third party.

Cybersecurity due diligence should also reveal any issues that might be considered deal-breakers, or that call for a restructuring of the price and terms of the acquisition. An acquirer needs not only to identify but also to quantify any issues, so that the organisation can remediate them or put a system in place to address the vulnerabilities moving forward.

  • Threat landscape & bad actors

  • Frequency brings flexibility

  • Identify and quantify

Know the threat landscape and bad actors

Acquirers should first take a risk-based approach to cyber due diligence in deals. As noted earlier, cyber due diligence is less established than other types of due diligence, and it does not analyse standardised data the way they do. Since deals differ, they do not all require the same level of diligence.

An acquirer should have a process to evaluate the current threat landscape and identify the bad actors – external and internal – that might target the parties in the transaction. This landscape can vary by industry or region, and higher risk transactions – such as acquisitions in certain countries or in sectors that have suffered recent attacks – require greater diligence.

Frequency brings flexibility

The more active a business is in deals – such as serial corporate acquirers or private equity firms – the more cyber should be woven into the typical deal life cycle. Frequent acquirers should have established relationships with cybersecurity stakeholders within their firm and have a flexible cyber deals playbook to assist with cyber at each deal stage, cyber risk level and deal type. This allows those acquirers to engage cybersecurity at key points in a deal life cycle and to more effectively manage cyber risk to targets and their existing portfolio.

Another outcome of managing cyber risk in deals is establishing a benchmark of cyber readiness, which can be applied to other businesses in their portfolio and used when assessing new investments. Some will conduct an annual security assessment of their portfolio companies, further preparing them for future deals.

The need to identify and quantify

Cyber due diligence should also reveal deal-breakers – or, more likely, deal-changers – for the acquirer. Walking away altogether may be unlikely, but there may be issues that lead a buyer to reconsider the target’s value – and therefore its price. An acquirer needs to be able to identify and quantify those issues and either push the target to address them before closing or renegotiate the price and possibly other terms.

The latter could be an opportunity to shift seller proceeds to remediation investment, but the acquirer needs to plan for how the issue will be addressed – and paid for – after closing and during integration. Still, the potential to shift burden to sellers may appeal to serial acquirers who are making smaller deals and are confident they can manage the risks.

Ultimately, successful cyber due diligence should yield not only a road map of critical remediation items but also the responsibility for, cost of and timeline for resolving each item.

The road to reducing threats

  • Knowing the cyber risks in deals

  • Taking action to limit cyber risks

  • Mechanisms that mitigate cyber risks