Don't neglect tech: Cybersecurity is key to due diligence
Today cybersecurity cannot be ignored, and any due diligence effort needs to ask: is the new or combined organization at risk from a cyber incident? The risk is higher if the target collects, stores, or transmits personal, financial, or health information, and likewise if it holds confidential intellectual property (IP). Loss of this data can significantly damage the organization's reputation and financial position, through fines and legal fees.
Due diligence often focuses heavily on financial and operational issues. As a result, evaluating the target’s cybersecurity sometimes does not receive the attention it deserves.
An independent assessment of your target's network, data, and cybersecurity measures mitigates risk, and headaches. Don't overlook these seven areas:
- End users
What access rights do they have? Are controls in place to prevent indiscriminate downloading? Are users trained to recognize threats such as phishing?
- Network security
Is the network hardened through proper configuration and separated from public networks? Is it tested periodically and monitored continuously?
- Access controls
Is system access granted on the basis of roles and responsibilities, with no more privilege than each role needs? How often are permissions reviewed, and are accounts of departed users removed promptly?
- Vendor management
Is there oversight of vendors to ensure services are performed securely? Is data shared with vendors properly protected? Is there an appropriate vetting process for vendors?
- Incident response
Is there a plan in place for responding to cybersecurity incidents? Are the proper stakeholders involved? Is the process tested regularly?
- Emerging technology
Does the organization plan for security risks introduced by emerging technologies, including how they may impact critical connectivity points?
- Common threats
Does the organization proactively evaluate its safeguards against the most prevalent cybersecurity threats, including malware, phishing, ransomware, and end-user error?
Data inventory
Inventory all of the private data housed in the IT systems of the acquired company. This includes personally identifiable information (PII) such as credit card numbers or social security numbers, and protected health information (PHI) of customers or employees. Data the business does not need should be expunged, preferably before the buyer assumes ownership, so that you do not inherit an unnecessary exposure. Data the business does need must be covered by the right security controls, and the inventory itself should record where the data lives and how much of it there is, not copies of the sensitive values.
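The inventory step above is the one place in this checklist where tooling does most of the work. The following is an added example, not code from the original article: a small discovery script that scans text pulled from a target's systems for card numbers and US social security numbers, uses the Luhn checksum and the SSN structural rules to discard look-alike numbers (order IDs, invoice numbers), and records only masked values so the inventory does not itself become a store of PII. The sample documents are constructed for the example; the regexes and helper names are this example's own, not any vendor's API.

```python
import re
from collections import Counter

# Constructed sample documents standing in for files exported from the target's systems.
SAMPLE_DOCS = {
    "crm_export.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,4111-1111-1111-1112\n",
    "hr_notes.txt": "Employee SSN on file: 123-45-6789. Invoice #987-65-4321 is not an SSN.\n",
    "readme.txt": "Order id 1234567890123456 is a tracking number, not a card.\n",
}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# area-group-serial form of a US SSN.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs: area is never 000, 666 or 900-999; group and serial are never all zero."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the inventory can be shared without leaking the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (data_type, masked_value) findings for one document."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("SSN", "***-**-" + m.group(3)))
    return findings


def inventory(docs: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """Map each document name to its findings; empty lists are kept so coverage is visible."""
    return {name: scan_text(text) for name, text in docs.items()}


def summarize(inv: dict[str, list[tuple[str, str]]]) -> Counter:
    """Count findings per data type across the whole inventory."""
    return Counter(kind for findings in inv.values() for kind, _ in findings)


if __name__ == "__main__":
    inv = inventory(SAMPLE_DOCS)
    for name, findings in inv.items():
        print(name, findings or "no regulated data found")
    print(dict(summarize(inv)))
```

On the sample set the script reports one card number in `crm_export.csv` (the second row fails the Luhn check) and one SSN in `hr_notes.txt` (the invoice number has an area of 987 and is discarded); the 16-digit order ID in `readme.txt` is not a valid card number. In a real engagement the same checks would run over database exports and file shares, and the findings, not the raw values, go into the data-inventory spreadsheet.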
Independent security assessment
Understanding the security vulnerabilities of the target organization is essential, especially if systems are being integrated post-acquisition, since a compromised target network becomes a foothold into yours. The best way to gain a full understanding of the target company's security profile is through an independent assessment. This will help determine whether there is evidence that the company's systems have been breached (an assessment can surface indicators of compromise, but it cannot prove a clean history), what types of information (such as intellectual property, customer data, recipes or formulas) are most vulnerable to theft, and whether the proper controls are in place.
Cybersecurity insurance
In a world rife with cyberthreats, having a plan in place to minimize damages is no longer optional, and cybersecurity insurance is an important tool to protect organizations. Yet examining the target company's cyber insurance is often overlooked during due diligence. Policies may need to be updated or modified; if a policy does not exist, you may need to obtain the appropriate coverage before beginning any integration activities.
Here are a few questions to ask when evaluating your target’s cybersecurity insurance policy:
- Is there a policy in place?
- When does it expire?
- In whose name is the policy? (If there's a change in the company's legal name, the name on the policy must be changed.)
- Are the coverages and levels of insurance appropriate?
- Does the policy cover the most important cyberthreats?
- Does the policy cover extortion, in the event of ransomware on the target's network, and does it include a social engineering or fraud endorsement? Many policies are written around unauthorized access; in a phishing or business e-mail compromise scam, criminals convince an authorized user to let them in or to send funds, so there is no system breach in the policy's sense and the loss may be excluded without such an endorsement.
- Will any terms and conditions change when ownership changes hands?
- Does the policy cover the areas in which you are potentially most vulnerable, based on your cybersecurity assessment?
- Do the deductibles, per-claim limits, and annual aggregate limits fit your level of risk tolerance?