
Giving Cybersecurity Due Diligence during Mergers and Acquisitions

The mergers and acquisitions process heightens risk, because the acquiring company inherits the target's risks along with its assets. Unfortunately, cybersecurity and incident response capability have not always been a key factor for companies contemplating a merger or acquisition. This post explains how to ensure cybersecurity is included in due diligence.

Data is always at risk of cyber attack, and that risk will only grow as 2016 gets under way. The mergers and acquisitions process heightens that risk further, because the acquiring company inherits the target's risks, and M&A activity is at an all-time high, according to the Wall Street Journal.

Unfortunately, cybersecurity and incident response capability have not always been a key factor for companies contemplating a merger or acquisition. As Mike McCormack notes in a SecureState blog post, “When it came to IT, we usually only focused on what systems they were using and how hard it would be to integrate those into our company. To be honest, there was never much thought given to information security, or to the vulnerability of the target company to hackers or other technology risks.”


That has to change, according to McCormack, “With the number and extent of data breaches rising, it is clearly time that M&A teams place emphasis on determining the security posture of a target company as part of the due diligence process.” The risk needs to be balanced against the company’s controls for detection and response to both technical and regulatory impact from cybersecurity incidents.

This sentiment is echoed by 83 percent of respondents in a 2014 survey by law firm Freshfields Bruckhaus Deringer who believed that “a deal could be abandoned if cyber security breaches are identified during deal due diligence or mid-transaction.”

Seventy-eight percent of respondents in the same survey, however, said that cybersecurity risk is not analyzed in depth or addressed in the deal’s due diligence. “It is odd that most respondents to the survey said they were concerned about cyber security risks but that most respondents aren’t actually doing anything about them during an M&A process,” says Chris Forsyth, co-head of the firm’s international cyber security team. “One explanation is that it is a relatively new area that is not well-understood, and buyers are hesitant about how to tackle it.”

Another reason that impedes due diligence is a company’s reluctance to disclose information about cyber risks and events, says Pamela Gupta, president of security strategy firm OutSecure, Inc. “[E]ither...they do not know what is happening on their networks, or…they are worried about the impact that disclosure will have on their reputation and valuation,” she adds.

The need to close a deal quickly may also cause dealmakers to pay less heed to cybersecurity risks. “Merger and acquisition deals always involve a balance of speed and risk: speed to get the deal closed before valuations increase versus the risk of not doing adequate due diligence, especially with regard to information risk management (IRM),” Mary Chaput, CFO and Chief Compliance Officer at Clearwater Compliance, notes in a CFO article.

Giving Due Diligence Proper Due Diligence

Chaput goes on to say that it’s possible “to assess a potential partner’s IRM strengths and weaknesses without slowing down the deal.” For the due diligence phase of M&A, she recommends these key considerations:

  • Does the target organization have a compliance and security governance committee, a code of conduct for employees regarding data security, and a formal program for managing service providers?
  • Have recent assessments or audits been completed on compliance and/or data security programs?
  • Review insurance policies for appropriate levels of cyber-liability and other types of relevant coverage.

It’s also important to assess all the risks a target organization poses, not just payment and card security, advises law firm Latham & Watkins. Theft of trade secrets, state-sponsored espionage, and cyber attacks are also real threats. I would add that due diligence should extend beyond cybersecurity risks and include the risk to customers’ personally identifiable information (PII) and protected health information (PHI) in any form factor, because the reputational damage and liabilities from any form of breach can prove devastating, especially if the target organization does not have an effective incident response platform.

Latham & Watkins also note that the target organization should have cross-functional awareness of cyber risk and of its security program. For example, board members should view data security not as an IT issue but as a governance issue.

Building Awareness of Cybersecurity Risks through Incident Response Management

Ms. Gupta raised a critical issue about companies’ ignorance of their network activity. How can an acquiring company do due diligence when it doesn’t have all the facts? Even more important, how can the target company adequately protect its customers and their data without an accurate assessment of all threats and risks? If these are not properly addressed before any acquisition activity, the dangers to sensitive data will only be compounded as it changes hands.

No organization can afford to be ignorant of its cybersecurity risks, and there’s no reason it should be. Plenty of resources are available. Last June, for example, the Federal Financial Institutions Examination Council (FFIEC) released a comprehensive cybersecurity assessment tool to help companies identify their risks and measure their cybersecurity maturity.

Not surprisingly, one of the tool's assessment factors is cyber incident management and strategy. Each cybersecurity incident, whether or not it grows into a full-scale breach, is an opportunity to identify the actual risks to an organization’s data. Over time, and with the proper incident assessment tools, cybersecurity professionals can identify patterns of threats and weaknesses, and properly assign resources to address and remediate them.

The risk is there, yes, but a company that knows its risks and actively addresses them, with a combination of preventive and detective controls alongside purpose-built incident response management tools, is a far better value than one that buries its proverbial head in the sand.


About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.