In our previous blog Cybersecurity Within The M&A Sphere, we discussed a broad view of the role of due diligence and understanding an acquisition’s IT infrastructure, cybersecurity risk, and contractual protections.
Here we’ll get into the nitty-gritty of the how and why.
As we know, IT due diligence is crucial for determining a company's value, for locating the key risks, and for mapping the best course of action for post-acquisition integration. Ransomware, phishing, and other attacks are becoming more common and have a significant impact when they occur, posing genuine economic and reputational threats to buyers, third-party creditors, and financing companies. Often, how the target's security shortcomings will affect the deal only becomes clear after closing.
Below we’ve identified seven touchpoints to help identify and mitigate the risks of data privacy and cybersecurity for your subsequent acquisition:
What’s the data say?
Analyse the data's value, its nature, and how the organisation has categorised it (such as personal, financial, health, or other confidential information). Understand the journey of data collection, use and processing, i.e., what data is collected, how much is collected, and for what purposes.
How is it protected?
Inquire how data is safeguarded from both a technical and a governance standpoint, and how the target protects personal information, intellectual property, and other sensitive data. Will the location of data storage be a problem post-transaction (such as personal health information stored in non-Australian cloud services)? Is appropriate security and privacy training in place for staff?
Testing 1.2.3.
Is the IT infrastructure design vulnerable? Are systems outdated, unsupported, or unpatched? Determine whether security testing and monitoring are carried out regularly. Are vulnerability scans and penetration tests performed frequently? Ask for the most recent reports and for evidence that the findings were remediated, rather than relying on a statement that testing occurs.
How’s the target looking?
Are there indications that executive management and Board oversight of cybersecurity needs to be improved? Is there clear accountability for both security and privacy? Query whether inherent risks arise from the nature of the target's workforce, the location of its IT assets, or its legacy systems.
Think privacy
Identify and evaluate the privacy laws that apply to the target now, and those that will apply to it following the purchase.
What about suppliers?
How compliant are third-party providers with regard to security and privacy? What contracts are in place, and are they robust? Are there any known cybersecurity incidents involving any of the target's vendors? Review contracts and agreements with third parties to determine each party's obligations in the event of a cyber threat or breach.
Get historical.
Inquire whether the target has suffered any data security incidents or breaches. Inquire whether the target has processes in place to detect, evaluate, and report security incidents. Does the organisation have a well-defined, well-tested, and fully implemented incident response and breach reporting program, along with the resources needed to execute it?
Cybersecurity threats are real, but like any other risk they can be managed with the proper attitude and focus. Understanding the total risk profile in this area also requires the cybersecurity review to share its findings with the commercially focused due diligence and the technical IT evaluation, rather than running in isolation.