Acquisitions are an ideal time for attackers. With heterogeneous levels of security or uncontrolled interconnections, it becomes possible to attack the acquiring company by rebound, using the acquired company as a gateway.

To manage these risks, cybersecurity must be a key factor in the success of acquisitions and mergers, from the due diligence phase onwards.

Variable cyber needs

Cyber due diligence can bring significant value to cyber, IT and business teams. The results can be used to support decision-making at several levels.

1. Understanding the level of maturity of the target company: analysing security practices and identifying gaps in relation to the acquirer’s standards in order to understand the cyber risks incurred during the integration of the new IS.
2. Test the level of security of a solution (mainly IT or Cyber): ensure security and resilience to confirm the value assessment (compliance with secure development practices, absence of critical vulnerabilities, preventive security measures, etc.).
3. Estimate the cost of the integration: assess the cost of upgrading on the basis of the security debt and the charts to check the relevance of the operation and negotiate the acquisition price which absorbs the integration costs as far as possible.
4. Assess reputational risks: ensure compliance with regulations, particularly on personal data, and the absence of intrusions that could damage the reputation of the acquirer after the transfer of ownership.

Cyber due diligence remains nonetheless a special exercise. The company under review (target) does not yet belong to the acquiring company, and the constraints imposed by the teams in charge of the operation or by business teams can be tough.

A business context to take into account when choosing the cyber due diligence method

On the acquirer’s side:

• The budget: the choice of method is correlated to the availability of cyber security teams or a dedicated budget for calling in an external service. It is preferable to secure a contingency with the M&A teams before any operation, to leave yourself a margin of choice.
• Time: business or competitive constraints can have an impact on the due diligence period. The choice of method depends fundamentally on the time given to the cyber teams to conduct their investigation.

On the identified company side:

• Size: the due diligence method must be consistent with the size of the target company’s information system, the nature of its assets and the types of technology used.
• The “balance of power”: the difference in weight between the acquirer and the target company has a major influence on the possibility of conducting an in-depth and transparent cyber analysis (ability to obtain information, evidence, interviews, tests, etc.).
• The core business: the valuation must focus on what makes the identified company valuable, particularly when it comes to an IT product or know-how.

Based on these criteria, as well as existing processes, the cyber and M&A teams work together to choose the method best suited to their needs and the situation.

Cyber due diligence for every operation

Non-intrusive methods

The cybersecurity team may opt for non-intrusive due diligence methods when they have limited resources or when the target company is coveted by other potential acquirers.

1) The security essentials questionnaire is used to measure the pre-identified company’s maturity in terms of the key areas. It has the advantage of being easy to deploy, without imposing a major burden on either the target company or the acquirer.

• Our conviction: it is particularly well suited to assessing the cyber maturity of small companies (fewer than 50 employees). This questionnaire is to be defined by the cyber security teams in collaboration with the IT and M&A teams.

2) “Automatic” cyber-scoring tools can be used to measure the level of security of assets exposed on the Internet. They have the advantage of providing security teams with an immediate view. Beware, however, that their results can be simplistic, as these tools only focus on the tip of the iceberg (what about partner management, cloud security, etc.).

• Our conviction: we do not recommend prioritising their use in a cyber due diligence context, but they do have the advantage of providing a wealth of additional information quickly if your company has already subscribed to an offer.

In-depth methods

The cybersecurity team can opt for more in-depth due diligence methods when they have the human or financial resources and a “favourable balance of power” in the negotiation of the operation.

1) The Due Diligence questionnaire, based on the acquirer’s internal cyber standards, is used to measure the target company’s level of maturity and to identify any deviations from its own policies and standards, an essential prerequisite for quantifying the potential cyber integration costs.

• Our conviction: this is the most widely used method on the market, and enables us to prepare for the integration (integration scenario, cost scenario, planning, etc.). This questionnaire is to be defined by the cyber security teams in collaboration with the IT and M&A teams.

2) Cyber assessment platforms (such as Cybervadis, Risk Ledger, CyberGRX…) can be used to assess the target company’s level of maturity in relation to benchmark security standards, and sometimes even to obtain upgrade action plans.

• Our conviction: the use of platforms is worthwhile if the target company is already registered/assessed. This also allows to pool resources with your “third party” approach (see RiskInsight article on third party management here). Otherwise, it often takes too long.

3) The technical audit provides an in-depth measurement of the level of exposure of a company or asset. Although penetration testing remains the most comprehensive audit, there are other types of tests that are easier to implement in a due diligence context (AD configuration scan, architecture audit, EDR report, report on penetration tests already carried out, etc.).

• Our conviction: it is generally impossible to carry out tests before closing (the assets have not yet been purchased). In the absence of comprehensive tests, the free version of PingCastle provides a simple, accurate and rapid overview of the security level of Active Directories.

While Cyber Due Diligence is a necessary pre-requisite for all M&A operations, it should serve as a leitmotiv for bringing together cybersecurity, M&A, and IT teams to best guide companies in their transformation.

Finally, there are situations in which Cyber Due Diligence could not be carried out (confidentiality, tight schedule, competitive pressure at the time of the operation, etc.). Cyber Due Diligence is often transformed into a 360° audit carried out post-signing/closing. This audit has a new objective: to help define the integration strategy.

–

We’d like to thank Arielle Attias for her contribution to the writing of this article.

Cet article Cybersecurity: an essential part of the Due Diligence est apparu en premier sur RiskInsight.

This can take different forms; the following aspects are usually examined:

• Finance and accounting (auditing, personnel inventory, balance sheet and profit and loss accounts analysis, forecasted business activity, etc.)
• Legal (company statutes, proceedings in process, patent and intellectual property ownership…)
• Strategy (competitor identification, company strengths, distribution channels, etc.)

Although current affairs and news offer plentiful examples of companies that have been impacted by cyberattacks, the issue of cybersecurity is all too often overlooked with regards to mergers and acquisitions.

But mindsets are evolving: in a recent survey conducted by Freshfields Bruckhaus Deringer, specialists in corporate law, 90% of respondents considered that a confirmed cyber-attack could lead to revise the acquisition cost downwards, and 83% of them thought that an attack during the due diligence phase could simply lead to abandon the deal.

Still, the cyber risk is real: as soon as two IT environments are interconnected, the resulting environment often inherits de facto the lowest level of security of the two. Besides, a merger or acquisition can highlight possible compliance gaps, in a context of increasing scrutiny by regulators all over the world.

Is cyber-risk assessment the next pillar of M&A?

Increasingly aware of this risk, companies progressively integrate the notion of “cyber risk” into their reconciliation strategies. The objective is, in principle, simple: to understand whether the merger of two companies, and thus the likely merger of their Information Systems, increases cyber risk.

There is, however, a major difference between standard due diligence and its cybersecurity equivalent. While accounting and legal regulations are clearly understood and shared at the international level, there is as yet no equivalent in the cybersecurity world. Standards are multiplying (by system type, data to protect, industry, country…), but they only remain good practice references which indicate how to properly implement considerations around cybersecurity – not if they actually were implemented properly. There are some notable exceptions, such as PCI-DSS (protection of credit card data) certified environments, or classified, Defense-type environments. These examples, however, are specific, with very restricted scopes.

For the purchaser, acting in good faith and being unaware of security breaches will do nothing to prevent cyberattacks: in cyber risk, we not only endorse responsibility, but directly the risk itself!

In the same manner, it is neither easy (yet, nor impossible) for a company to ensure that its cyber security is “good”. Managing the Information System in line with today’s best practices does not guarantee that its weaknesses will not be exploited tomorrow.

An M&A context is not the only context of interest for examining the IS security aspects through cyber due diligence. For several years, large international insurers have launched their cyber-insurance offers. In this context, they legitimately seek to know the level of information security of companies for which they will provide insurance. At the minimum, insurers seek to know what general level of cyber-risk they will have to cover. Thus, by upstreaming this type of underwriting, cyber-insurers are now supported by IT security experts, whose role it is to carry out due diligence at a fairly high level.

What approach should be taken for cybersecurity due diligence ?

What is security due diligence? It is neither an innovative technology nor a revolutionary method; rather it refers to the balanced and targeted use of different information security tools.

Several approaches are possible:

• A “comprehensive” approach, consisting of both a theoretical and organizational analysis of security, supplemented by penetration tests to gain a vision as closely aligned to reality as possible. This approach, ideal in essence, is often used in the case of start-up buyouts. However, it is almost never used in larger deals, for reasons relating to both cost and a lack of time.
• An “interview” approach, which involves an evaluation of the situation in relation to a known and adapted reference framework during exchanges with security managers at the company in question. The limitation of this approach is that it is based only on statements and declarations. As such, it does not provide any proof of for what is being put forward. Led by a seasoned expert in this activity, this approach nonetheless facilitates a general view of the type of security practices that have been implemented.
• A “questionnaire” approach is offered as a matter of dealing with answers to a series of questions, usually with multiple choice answers. Beyond the lack of depth of such an approach, its outcome strongly depends on the respondents of the questionnaire, and the manner in which the questionnaire is used. Unfortunately, it is often the case that it is barely read or referenced.

Irrespective of the chosen approach, it can be rolled-out at two stages: an initial analysis to provide knowledge and understanding of the security risks, which must feed directly into the “go / nogo” considerations behind the deal. A possible second step involves more detailed analysis for a more precise evaluation of risk(s) in order to determine the corrective actions.

Cyber due diligence as an input for valuation

Whether it is for acquiring a company or assessing the risk taken by cyber insurers, due diligence must serve as a platform for encouraging further reflection on the feasibility of a deal.

It must also constitute an element of added value for the company, to the extent that conforming to and respecting market best practices can prove to be costly.

Finally, cyber due diligence helps to identify the regulatory aspects that must be respected, such as laws affecting Critical Information Infrastructures (USA PCII Program, China’s Cyber Security Law, France’s “LPM”, Singapore’s upcoming New Cybersecurity Act…) and which may require a certain number of adaptations foreseen on the Information System of the company for sale, and / or the purchaser.

Have we ever seen a cybersecurity due diligence lead to the abandonment of a company purchase? Not publicly. We rather witness the rapid correction of the most serious identified vulnerabilities, or sometimes a decision to not connect certain components of the Information Systems.

Will cybersecurity due diligence have any real impact on transactions? To this question, Verizon provided a response with a figure: in February 2017, the operator decreased its offer to purchase Yahoo by US$350 million. This corresponds to more than 7% of the value (US$4.8 billion) initially offered.

Cet article “Cyber” due diligence is the new asset for business valuation est apparu en premier sur RiskInsight.