Not often enough do buyers take a long and hard look at a seller’s cybersecurity capabilities and setup. And even if they look, in many cases they don’t look deep enough. For example, while money spent on high-end cybersecurity tools and technology may give a good initial impression and indeed is a good starting point, proper implementation, maintenance, update schedules, and compliance status with all applicable laws and regulations are at least equally important. A false sense of cybersecurity is a dangerous situation to be in.
- Context of the organization
- Performance evaluation
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity
The results of this due diligence provide executives with comprehensive risk-related information on which to base their M&A decisions. In particular, it gives answers to the following:
- Are there any compliance gaps?
- What security frameworks and architecture are implemented?
- What is the IT department’s approach and style?
- Were there any security breaches and, if so, how were they addressed?
- Does anything point to potentially undisclosed cybersecurity problems?
- What is the extent of remediation needed and what is the estimated associated cost?
While most cybersecurity assessments are contracted by buyers, a potential seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and put itself in a favorable position.
Post-Deal Cybersecurity Integration Planning
Beyond M&A security assessments in the pre-deal phase, Ecuron offers integration planning. In the post-deal phase, a carefully planned integration of cybersecurity between the two organizations is essential. Depending on the size of the companies, this integration might require a two-step process: an interim plan from which a long-term strategy emerges. This normalization of divergent security systems, human resources and other systems must cover governance, processes, resources and systems. Otherwise, the new company is a vulnerable target during this phase. Factors including a potential lack of clarity or governance, employees who may be uncertain about job security, and security vulnerabilities that can arise during system changes all provide opportunities for cyber criminals and put information at increased risk.