The Importance of Cybersecurity in M&A
An M&A cybersecurity assessment is a valuable tool for better understanding the cybersecurity risks organizations face when acquiring another company. A 2019 research study by Forescout interviewed 2,779 companies across all industry verticals and underlines the importance of cybersecurity due diligence. Of the participants, 62% agreed their company faces significant cybersecurity risk acquiring new companies, and cyber risk is their biggest concern post-acquisition. Similarly, 53% of interview participants reported that their organization has encountered a critical cybersecurity issue or incident during a mergers and acquisitions deal that put the deal at risk.
Pre-Deal M&A Cybersecurity Assessment
Due diligence in mergers and acquisitions is too often treated as a defensive strategy that provides a broad, high-level view of the investment and is usually limited to looking into the financials of a take-over candidate — with cybersecurity often treated as an afterthought. Instead, a rigorous mergers and acquisitions cybersecurity assessment should be M&A best practice. This is not only to ensure that the buyer gets the value it’s paying for – but because an oversight in this area can put the entire new organization at risk post-deal.
Not often enough do buyers take a long and hard look at a seller’s cybersecurity capabilities and setup. And even if they look, in many cases they don’t look deep enough. For example, while money spent on high-end cybersecurity tools and technology may give a good initial impression and indeed is a good starting point, proper implementation, maintenance, update schedules, and compliance status with all applicable laws and regulations are at least equally important.
A false sense of cybersecurity is a dangerous situation to be in. Ecuron’s Security Assessment and Cybersecurity Due Diligence for M&A evaluates the acquisition target’s cybersecurity programs across core security domains, each of which is mapped to compliance, security and industry frameworks. The Mergers and Acquisitions Cybersecurity Assessment covers the following:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity
- Compliance
The results of this due diligence provide executives with comprehensive risk-related information on which to base their M&A decisions. In particular, they answer the following questions:
- Are there compliance gaps?
- What security frameworks and architecture are implemented?
- What is the IT department’s approach and style?
- Were there any security breaches – and if so – how were they addressed?
- Does anything point to potentially undisclosed cybersecurity problems?
- What is the extent of remediation needed and what is the estimated associated cost?
While most cybersecurity assessments are contracted by buyers, a potential seller can also examine its own cyber practices to help reduce time and costs, avoid surprises and put themselves in a favorable position.
Post-Deal Cybersecurity Integration Planning
Beyond Mergers and Acquisitions Cybersecurity Assessments in the pre-deal phase, Ecuron offers integration planning. In the post-deal phase, a carefully planned integration of cybersecurity between the two organizations is essential. The end goal can be compliance with one of the cybersecurity frameworks such as NIST, ISO 27001, CMMC, SOC2 or others.
Depending on the size of the companies, this integration might require a two-step process: an interim plan from which a long-term strategy emerges. This normalization of divergent security systems, human resources and other systems must include governance, processes, resources and systems. Otherwise, the new company is a vulnerable target during this phase. Factors including a potential lack of clarity or governance, employees who may be uncertain about job security, and security vulnerabilities that can arise during system changes all provide opportunities for cyber criminals and put information at increased risk.
How We Can Help
We provide M&A cybersecurity assessment services tailored to your specific needs. We would love to help as you work towards a successful M&A transaction, whether you are considering the first step or are already on the road. To discuss your cybersecurity due diligence needs and schedule a complimentary 30-minute consultation, email us at info@ecuron.com, use the form below, or give us a call: +1-833-973-1034