The due diligence process is well established, with financial experts poring over the target’s numbers and lawyers advising on legal responsibilities to ensure there are no surprises post-close. It’s rarely a simple or quick task, but it’s necessary. How about cyber security due diligence though?
While more traditional areas have long been established, one rising star in the due diligence process is cyber security. With hacked companies hitting the headlines on what seems like a daily basis – and organisations relying more on technology (or even being solely based on it) – deal teams are having to take potential cyber risks into account.
Cyber security due diligence is typically carried out by expert external advisors and primarily identifies and quantifies the risks and liabilities in support of a deal and any subsequent integration.
Technical in nature, cyber security due diligence is highly focused and designed to give stakeholders an understanding of any material exposure requiring action either pre or post-close.
The specific risks themselves range from compliance with relevant regulations, through to integrating the acquired business into the acquirer’s environment. Often the target may sell a product or service based on technology that forms the main value of the deal, and in these cases a thorough security review is needed to ensure it is fit for purpose.
Furthermore, if that product is marketed on its inherent security resilience or security functionality the acquiring company must understand the possibilities or circumstances that would undermine this position.
As a deal team you should engage in cyber security due diligence to answer the following key questions:
(1) What is known about security?
During the cyber security due diligence process, new information and context around security and associated risks will be uncovered. Some will be technical, others will be governance or risk-related, but all will have the potential to provide insight and a sense as to how the target treats security, its level of understanding and any future challenges. This can also include searching for previously unknown compromise.
(2) What are the risks?
One of the specific outputs will be identified risks. These risks will be presented in the context of the specific deal and often with quantification as to their potential impact.
(3) How does the target compare?
Often when acquiring a company the acquirer wants to understand if the target is competitive. One of the indicators is how the target compares with its peers in terms of security, whether those peers are defined by sector, geography or size. This assessment allows the acquirer to understand where the target sits in comparison to its competitors and market expectations.
(4) What are the future capital and operational requirements?
One of the biggest considerations is how much money will need to be invested into any newly acquired entity and what form that will take. Providing indicative costings or effort estimations allows the acquirer to factor this into its post-close roadmap and adjust its business case for the acquisition accordingly.
(5) What are the key security considerations for integration planning?
Providing insight into what needs to be done within the first 30, 90 and 180 days helps ensure execution is swift and comprehensive. This, in turn, ensures risk is appropriately managed and return on investment maximised.
It’s not just the general move towards a reliance on technology that will see a greater demand for cyber security due diligence.
General Data Protection Regulation (GDPR) is coming into force in May 2018, and companies that suffer security breaches will face significantly higher fines than they do now – as well as stricter requirements around data processing and storage.
The Information Commissioner’s Office (ICO) can currently issue fines up to a maximum of £500,000. Post-GDPR this will rise to €20m or four per cent of a company’s global turnover – whichever is higher.
We predict these risks will drive key behavioural changes in acquirers and investors pre-close. These will go beyond simply wanting to get warranties from sellers or tick-box compliance validation during due diligence.
Instead, we expect to see a deep focus on discovery and validation in a range of strategic and operational risk and security functions due to the increased risk of exposure to regulators, litigation and other punitive responses.
Acquirers will more likely want to discover the unknowns or latent compromises: breaches that have already occurred but have not yet been discovered. The reason for this focus is the risk to the acquirer of facing a significant fine if, because of poor technical or organisational controls, a breach is subsequently found or happens once they have acquired the company. Acquiring a breached company, even with warranties in place, will make potential buyers extremely uneasy.
GDPR will also encourage acquirers to understand the real-world effectiveness of security controls and protective monitoring as opposed to focusing solely on compliance.
This change is in part due to the short-term risk presented by a compromise and resulting breach after deal closure and before any integration is complete.
Validation exercises are also expected to look at the completeness and accuracy of personal information inventories, effectiveness of risk management and security operations functions.
In addition, there is the potential for significant costs post-acquisition to bring the new entity up to the level required for compliance with GDPR.
In today’s world, most businesses have a significant dependency on technology. As such, the risk posed by poor cyber security to acquirers and investors is ever present.
As with existing legal, financial and intellectual property due diligence, organisations need to consider security as part of both their pre and post-close activities. Cyber security due diligence is vital for protecting your investment.
Having a better understanding of the potential risks and pitfalls from a technical and cyber perspective will help acquirers to get the most from their investment.
Ollie Whitehouse is CTO at NCC Group