With everything that has happened as a result of COVID-19, many businesses have been put in a struggle for survival. While some business owners are ready to fight to stay in business, other CEOs and executives are ready to move on and sell their companies. Whether you are the buyer or the seller, cybersecurity due diligence for M&A is of great value to your business.
Remember Verizon's acquisition of Yahoo, completed in 2017? After Yahoo disclosed its security breaches, the purchase price was cut by USD 350 million. Beyond a possible price cut for weak security, studies have shown buyers' remorse after acquiring a business that did not have a proper cybersecurity posture in place, and M&A (mergers and acquisitions) deals have been put in jeopardy because cybersecurity was not part of the company's operational foundation.
With this in mind, we have created a simple guide to assist you with cybersecurity due diligence for your potential sale, purchase or M&A deal.
Evaluate the following areas of the company's cybersecurity before and/or after the transaction.
Cybersecurity posture
What does the company's cybersecurity posture look like? This covers security assessments, network scanning, external and internal vulnerability assessments, and security assessments of and agreements with third parties and business associates (BAs).
For a high level of cybersecurity maturity, every aspect of business operations should include assessing, mitigating and continuously monitoring the security measures in place. Low maturity means having only the minimum components required to meet general compliance and regulatory requirements; mid-level maturity means going beyond the basics, but without investing in every aspect of a 360-degree cybersecurity posture.
Cybersecurity hygiene and culture
What steps are taken daily to ensure that data is guarded from accidental access by unwanted or unauthorized parties, that phishing emails are spotted and reported, and that work from the office or from home is done as securely as possible?
It is also important to know whether basic security hygiene is maintained through employee training; whether the CIO and CISO communicate and collaborate fluidly with each other, the board, employees, HR and the CEO; and whether cooperation across the company keeps at least the minimum cybersecurity steps in place. A supportive work environment from leadership on all cybersecurity matters helps with the doubt, insecurity and mistakes that will occur. Transparency is key to building trust, which is what you gain from good cybersecurity culture and hygiene.
Data risk profile
There are many types of businesses, and each holds a different type of data. As we know, data is what cybercriminals want from every company, but some data is worth far more than other data. That is why you want to profile the type of data a company holds.
While hospital and financial data grow in value every year, the lines are blurring now that COVID-19 has forced companies to hold some of the healthcare data that was once accessible only to healthcare providers. This is why every company should now take a close look at the data it stores, where it is stored, what it needs to keep and what it can delete.
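As an added example (not code from the original article or its authors), the following Python script shows the kind of data-discovery pass that starts a data risk profile during due diligence: it scans a set of documents for a few sensitive-data patterns, applies a Luhn check so that long digit runs in logs are not mistaken for payment card numbers, and ranks files by a simple risk score. The categories, weights, file paths and file contents are this example's own assumptions.

```python
import re
from collections import Counter

# Patterns for a few common categories of sensitive data. The category names
# and risk weights are this example's own assumptions, not a standard.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13 to 19 digits, optionally separated by spaces or dashes; every hit is
    # validated with the Luhn checksum below before it counts as a card number.
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
WEIGHTS = {"ssn": 5, "card": 5, "email": 1}


def luhn_ok(number: str) -> bool:
    """Return True if the digits in `number` pass the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count occurrences of each sensitive-data category in a piece of text."""
    counts = Counter()
    for category, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            # Build IDs, timestamps and ticket numbers are long digit runs too;
            # only Luhn-valid runs are reported as card numbers.
            if category == "card" and not luhn_ok(match):
                continue
            counts[category] += 1
    return counts


def scan(files: dict) -> dict:
    """Map each path to its category counts and a weighted risk score."""
    report = {}
    for path, text in files.items():
        counts = classify(text)
        score = sum(WEIGHTS[c] * n for c, n in counts.items())
        report[path] = {"counts": dict(counts), "score": score}
    return report


def rank(report: dict) -> list:
    """Return (path, score) pairs, highest risk first, omitting files with nothing flagged."""
    flagged = ((p, r["score"]) for p, r in report.items() if r["score"])
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed sample "data room" (assumed paths and contents). In a real scan
# these would be read from a file share, a database export or a mailbox archive.
SAMPLE_FILES = {
    "hr/onboarding.csv": "name,ssn,email\nJane Doe,123-45-6789,jane@example.com\n",
    "finance/refunds.txt": "refund to card 4111 1111 1111 1111 approved\n",
    "ops/build.log": "build 2021-04-01 took 1234-5678 ms\nticket 4111111111111112 closed\n",
    "marketing/newsletter.txt": "contact press@example.com or sales@example.com\n",
}

if __name__ == "__main__":
    report = scan(SAMPLE_FILES)
    for path, score in rank(report):
        print(f"{score:3d}  {path}  {report[path]['counts']}")
```

The ticket number in `ops/build.log` matches the card pattern but fails the Luhn check, so that file scores zero; without such a check a scan of a large code base or log archive drowns in false positives. Regular-expression matching is only a first pass: it will not find data in images, encrypted archives or database blobs, so the inventory should be confirmed with the data owners and the CDO.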
Newer privacy laws (from the CCPA to the GDPR) have helped compliant companies keep this type of information readily available or easily organized and located, especially where there is a CDO (chief data officer).
If the company must meet HIPAA, NIST SP 800-171, CCPA or other compliance requirements, evaluate those areas as well.
Cybersecurity due diligence should be a key element of your M&A (selling or buying) transaction. It is also advisable to engage a security expert who can dedicate their full time to the cybersecurity due diligence so that additional areas of interest are not overlooked. A thorough assessment of the state of the company's cybersecurity will reduce the likelihood of unwanted surprises.
If you need help with your M&A cybersecurity due diligence for selling or buying a business, give us a call.