Pre-Deal Cybersecurity Assessment
Due diligence in mergers and acquisitions is too often treated as a defensive strategy that provides a broad, high-level view of the investment and is usually limited to looking into the financials of a take-over candidate — with cybersecurity often treated as an afterthought. Instead, a rigorous mergers and acquisitions cybersecurity assessment should be M&A best practice. This is not only to ensure that the buyer gets the value it’s paying for – but because an oversight in this area can put the entire new organization at risk post-deal.
Not often enough do buyers take a long and hard look at a seller’s cybersecurity capabilities and setup. And even if they look, in many cases they don’t look deep enough. For example, while money spent on high-end cybersecurity tools and technology may give a good initial impression and indeed is a good starting point, proper implementation, maintenance, update schedules, and compliance status with all applicable laws and regulations are at least equally important. A false sense of cybersecurity is a dangerous situation to be in. Ecuron’s Security Assessment and Cybersecurity due diligence for M&A evaluates the acquisition target’s cyber security programs across core security domains, each of which is mapped to compliance, security and industry frameworks. The due diligence covers the following:
- Context of the organization
- Performance evaluation
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity
The results of this due diligence provides executives with comprehensive risk related information on which to base their M&A decisions. In particular, it gives answers to the following:
- Are there are compliance gaps?
- What security frameworks and architecture are implemented?
- What is the IT department’s approach and style?
- Were there any security breaches – and if so – how were they addressed?
- Does anything point to potentially undisclosed cybersecurity problems?
- What is the extent of remediation needed and what is the estimated associated cost?
While most cybersecurity assessments are contracted by buyers, a potential seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and put themselves in a favorable position.
Post-Deal Cybersecurity Integration Planning
Beyond M&A Security Assessments in the pre-deal Phase, Ecuron offers integration planning. In the post-deal phase, a carefully planned integration of cybersecurity between the two organizations is essential. Depending on the size of the companies, this integration might require a two-step process: an interim plan from which a long-term strategy emerges. This normalization of divergent security systems, human resources and other systems must include governance, processes, resources and systems. Otherwise, the new company is a vulnerable target during this phase. Factors including a potential lack of clarity or governance, employees who may be uncertain about job security, and security vulnerabilities that can arise during system changes all provide opportunities for cyber criminals and put information at increased risk.
Receive Our Latest Posts & Publications