Don't neglect tech: Cybersecurity is key to due diligence

April 12, 2017 Article 3 min read
Joe Oleksak
An independent assessment of your target's network, data, and cybersecurity measures mitigates risk — and headaches. Don’t overlook these seven areas.
Today cybersecurity cannot be ignored, and any due diligence effort needs to ask the question: is the new or combined organization at risk from a cyber incident? The risk is higher if you are collecting, storing, or transmitting personal, financial, or health information, and likewise if the organization holds confidential intellectual property (IP). Loss of this data can significantly impact the organization’s reputation and financial security (through fines and legal fees).

Due diligence often focuses heavily on financial and operational issues. As a result, evaluating the target’s cybersecurity sometimes does not receive the attention it deserves.

An independent assessment covers a broad range of areas:

  • Users
    What access rights do they have? Are controls in place to prevent indiscriminate downloading? Are users trained in threat detection?
  • Network
    Is the network hardened through proper configuration and separation from public networks? Is it tested periodically and continuously monitored?
  • Access
    Is system access based on roles and responsibilities? How often are permissions reviewed?
  • Vendors
    Is there oversight of vendors to ensure services are performed securely? Is data shared with vendors properly protected? Is there an appropriate vetting process for vendors?
  • Incident response
    Is there a plan in place for responding to cybersecurity incidents? Are the proper stakeholders involved? Is the process tested regularly?
  • Emerging technology
    Does the organization plan for security risks introduced by emerging technologies, including how they may impact critical connectivity points?
  • Common threats
    Does the organization proactively evaluate its safeguards against the most prevalent cybersecurity threats, including malware, phishing, ransomware, and end-user error?

Private information

Inventory all of the private data housed in the IT systems of the acquired company. This includes personally identifiable information (PII) such as credit card numbers or social security numbers and protected health information (PHI) of customers or employees. Much of this data will need to be expunged — preferably before the buyer assumes ownership — in order to avoid unnecessary exposures. If the information is important to the business, you’ll need to ensure the right security controls are in place to protect it.
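As an added example (not part of the original article, and not a tool of the author's firm), the following Python script shows the kind of automated first pass a due diligence team can run over an exported data set to locate PII such as card numbers and social security numbers. The records, field names, and values below are constructed for illustration; the script applies a Luhn checksum to card-like digit runs and rejects SSN area/group/serial values that are never issued, so that invoice numbers and placeholder values do not inflate the inventory.

```python
import re
from collections import Counter

# Constructed sample export from an acquired company's CRM (not real data).
# The card and SSN values are well-known test/placeholder numbers.
SAMPLE_RECORDS = [
    {"id": 1, "name": "A. Customer", "notes": "Paid with 4111 1111 1111 1111 on file", "ssn": "123-45-6789"},
    {"id": 2, "name": "B. Customer", "notes": "Called about invoice 1234567890123456", "ssn": ""},
    {"id": 3, "name": "C. Employee", "notes": "Emergency contact on file", "ssn": "000-12-3456"},
    {"id": 4, "name": "D. Customer", "notes": "Card ending 5500 0000 0000 0004", "ssn": "078-05-1120"},
]

# 13-19 digits, optionally separated by spaces or hyphens (common card formats).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Classic US SSN layout: AAA-GG-SSSS.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: screens out invoice/order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_pii(text: str) -> Counter:
    """Count validated card numbers and SSNs found in one text value."""
    hits = Counter()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card_number"] += 1
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits["ssn"] += 1
    return hits


def inventory(records) -> dict:
    """Aggregate hits per field so the team knows which columns to expunge or protect."""
    report = {}
    for rec in records:
        for field, value in rec.items():
            hits = find_pii(str(value))
            if hits:
                report.setdefault(field, Counter()).update(hits)
    return {field: dict(counts) for field, counts in report.items()}


if __name__ == "__main__":
    # Expected: {'notes': {'card_number': 2}, 'ssn': {'ssn': 2}}
    print(inventory(SAMPLE_RECORDS))
```

The per-field report is what feeds the expunge-or-protect decision described above: a column that should never hold card data but does is a candidate for deletion before close, while a column that legitimately holds it needs the controls (encryption, access restriction, retention limits) verified before the buyer takes ownership. A regex scan is only a first pass; the inventory should be confirmed against system owners and database schemas.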

Independent security assessment

Understanding security vulnerabilities of the target organization is essential, especially if systems are being integrated post-acquisition. The best way to gain a full understanding of the target company’s security profile is through an independent assessment. This will help determine whether the company’s systems have ever been breached, what types of information (such as intellectual property, customer data, recipes or formulas) are most vulnerable to theft, and whether the proper controls are in place.

Cybersecurity insurance

In a world rife with cyberthreats, having a plan in place to minimize damages is no longer optional — and cybersecurity insurance is an important tool to protect organizations. Yet examining the target company’s cyber insurance is often overlooked during due diligence. Policies may need to be updated or modified; if a policy does not exist, you may need to obtain the appropriate coverage before beginning any integration activities.

Here are a few questions to ask when evaluating your target’s cybersecurity insurance policy:

  • Is there a policy in place?
  • When does it expire?
  • In whose name is the policy? (If there's a change in the company's legal name, the name on the policy must be changed.)
  • Are the coverages and levels of insurance appropriate?
  • Does the policy cover the most important cyberthreats?
  • Does the policy cover extortion, in the event of ransomware on the target's network, and does it include a fraud endorsement? The fraud endorsement matters because in a phishing scam the criminals convince the victim to let them in; there isn't an actual system breach.
  • Will any terms and conditions change when ownership changes hands?
  • Does the policy cover the areas you are potentially the most vulnerable based on your cybersecurity assessment?
  • Do the deductibles, upper limits, and annual aggregated limits fit your level of risk tolerance?
