Mergers and acquisitions (M&A) require a significant investment of time by the buyer before it commits to the purchase. There have been numerous cases where M&A transactions failed because due diligence was missing or improperly run, leaving the buyer unaware of what it was buying and what obligations it was assuming. Beyond traditional due diligence, such as understanding the target’s contingent liabilities, litigation risks, intellectual property issues, and problematic contracts, cyber due diligence must be performed before the transaction closes.
When acquiring a target company, the buyer inherits the target’s attack surface: the target’s risks become the buyer’s risks. Before the target’s network is joined to the acquiring company’s network, steps should be taken to establish the following:
- There are no threats on the target’s network that could pivot into the buyer’s network once the two are connected.
- Liabilities are defined in terms of compliance with, or adherence to, applicable standards and regulations.
- Liabilities introduced by differences between the target’s internal processes and the buyer’s are identified.
- Vulnerabilities in the target’s product that could have a reputational, operational, financial, or legal impact on the acquiring company are identified.
In today’s networked economy, it is not a matter of “if” but “when” a company will be hacked. It is therefore a business imperative for the acquirer to ensure that any prior cybersecurity breaches are fully understood, including their scale, the remediation efforts undertaken, and both settled and potential future punitive actions.
In today’s heavily regulated industries, especially where companies process, transmit, and store personally identifiable information and payment card information, it is important that the acquirer fully understand the level and type of cybersecurity compliance regimes the target must satisfy. If the target is in contravention of any regulatory regime, the buyer must understand what exceptions, if any, exist and whether they are satisfactorily manageable.
SecReliant categorizes cyber due diligence into different categories of services addressing:
- Market risks
- Technical assets/intellectual property
- Compliance risks
SecReliant provides buy-side cyber due diligence support covering the following areas:
- Understanding of IT risk, adherence to governmental and industry compliance requirements, and a review of all current and planned cybersecurity controls in the environment
- Highest risk assets in the environment and quantification of potential impacts to the business if risks are realized
- Quantifying future capital investment requirements to address cyber risk and controls for confidentiality, integrity, and availability of data
- Key considerations and planning for integrating the target’s digital assets into the acquiring company’s IT environment