M&A Cyber security due diligence(CSDD)
Data is now the prime asset of most companies and given the substantial ramifications of a data breach in the context of an M&A the risk assessment now precedes financial, tax and legal assessments.
According to the American Bar Association, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defences the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.
Equally, sellers now must ensure they have the required cyber governance systems, risk procedures and a cyber security cultural posture to maintain their value.
Data management and data governance is not just applicable in some sectors, cyber security covers the whole spectrum of business and government.
Cyber security due diligence review
Compared to other due-diligence activities such as financial due diligence and management assessment, cyber security is a relatively new topic. The overall understanding of technology and its associated risks is now becoming part of the investor community fabric.
Acquirers should not rely solely on lawyers to manage their Due Diligence process. Lawyers tend to focus on privacy-related questions of a company – possibly without the context to how the organisation conducts its business.
Most cyber security issues have their roots in technical issues that manifest themselves through vulnerabilities in networking, access controls, application security and systems store or process data. Adding in suppliers into the picture adds another dimension of potential security issues courtesy of a wider footprint with more people getting access to systems. It is imperative to assess the business in the context in which it operates and clearly articulating the implication of vulnerabilities that have been identified. This is the realm of the specialist security advisor, not an accountant or a lawyer.
Sense of Security uses a Dynamic Risk Assessment (DRA) methodology proving to be the most realistic and accurate indicators of transaction risk. A DRA is different to traditional, workshop centric, Q&A type assessment where risks are evaluated, consequences identified, and treatments proposed. DRA’s are test centric.
This means that we can evaluate both the target’s susceptibility to compromise and their ability to detect, respond, defeat and remain operational through an attack. This is a test of Cyber Resilience and is infinitely more valuable than a spreadsheet risk register or any report that a risk management platform can produce.
What to Expect in a CSDD
It’s imperative that we understand what’s under the bonnet. We employ our specialist technical team to look at the following;
- Many attacks occur because systems/platform have poor (vendor default) configs.
- Cloud platform reviews, application, infra reviews
Data Leakage Review
- Determine if there is evidence that data, personnel, accounts and creds are in the internet/dark web
In conjunction with our technical team our Cyber Security Advisory will undertake;
We provide the make-up of the Cyber Due Diligence assessment coverage and the key metrics on which a buyer should make decisions about a target viability or what’s required if you are selling.