Today cybersecurity cannot be ignored, and any due diligence effort needs to ask the question — is the new or combined organization at risk from a cyber incident? The risk is higher if the organization collects, stores, or transmits personal, financial, or health information, and likewise if it holds confidential intellectual property (IP). Loss of this data can significantly damage the organization's reputation and financial security (through fines and legal fees).
Independent security assessment
An independent assessment covers a broad range of areas:
- End users
What access rights do they have? Are controls in place to prevent indiscriminate downloading? Are users trained in threat detection?
- Network security
Is the network hardened through proper configuration and separation from public networks? Is it tested periodically and continuously monitored?
- Access control
Is system access based on roles and responsibilities? How often are permissions reviewed?
- Vendor management
Is there oversight of vendors to ensure services are performed securely? Is data shared with vendors properly protected? Is there an appropriate vetting process for vendors?
- Incident response
Is there a plan in place for responding to cybersecurity incidents? Are the proper stakeholders involved? Is the process tested regularly?
- Emerging technology
Does the organization plan for security risks introduced by emerging technologies, including how they may impact critical connectivity points?
- Common threats
Does the organization proactively evaluate its safeguards against the most prevalent cybersecurity threats, including malware, phishing, ransomware, and end-user error?
Cybersecurity insurance
In a world rife with cyberthreats, having a plan in place to minimize damages is no longer optional — and cybersecurity insurance is an important tool to protect organizations. Yet examining the target company's cyber insurance is often overlooked during due diligence. Policies may need to be updated or modified; if a policy does not exist, you may need to obtain the appropriate coverage before beginning any integration activities.
Here are a few questions to ask when evaluating your target’s cybersecurity insurance policy:
- Is there a policy in place?
- When does it expire?
- In whose name is the policy? (If there's a change in the company's legal name, the name on the policy must be changed.)
- Are the coverages and levels of insurance appropriate?
- Does the policy cover the most important cyberthreats?
- Does the policy cover extortion, in the event of ransomware on the target's network, and does it include a fraud endorsement? The fraud endorsement matters because in phishing scams the criminals convince the victim to let them in (or to make a payment), so there is no actual system breach for a breach-only clause to respond to.
- Will any terms and conditions change when ownership changes hands?
- Does the policy cover the areas in which you are potentially the most vulnerable, based on your cybersecurity assessment?
- Do the deductibles, upper limits, and annual aggregated limits fit your level of risk tolerance?