Cybersecurity due diligence in mergers and acquisitions

The following is part of a series of instalments providing concise summaries of selected chapters from the New York Stock Exchange’s definitive cybersecurity guide, Navigating the Digital Age.

This blog summarizes ‘Cybersecurity due diligence in M&A transactions: Tips for conducting a robust and meaningful process’ by Latham & Watkins LLP – Jennifer Archie, Partner. Please refer to the original article for any direct quotations.

When you buy a company, you buy its data – and the risks associated with that data. It is therefore important to ensure you are buying the company in a state where its data is protected.

Performing due diligence before buying an organization isn’t new, but cybersecurity risk is moving up the list of priorities and becoming a risk category in its own right.

Buyers should begin all cybersecurity risk assessments early in the engagement process, with the goal of clearly articulating the target company’s most important information assets, systems, and business processes.

Even at the earliest stages, the seller should be prepared to identify and discuss the following at a high level:

  • The types of information or computer systems and operations that are most important to the business
  • The sensitive types of data that the organization handles or holds relating to natural persons (and which data elements in particular)
  • Where sensitive information is stored
  • How it is protected in transit, at rest, and in motion
  • The most concerning threats to information, networks, or systems
  • Whether there have been prior incidents
  • The cybersecurity budget
  • Recovery plans if critical information or systems become unavailable

If the frontline personnel respond, “I don’t know, I’d have to ask,” this is a telling and interesting sign that the target company’s security management program is likely not well integrated into the senior leadership ranks – and that’s not good.

What’s important to find out?

A risk assessment is built on questions – lots of them. So, if you’re looking to acquire a business, you’ll want to ask the following:

  • Is there a single designated person with overall responsibility? To whom does he or she report?
  • Describe board oversight. Have directors and senior managers participated in data security training/been involved in the development of data security protocols?
  • Does the company have legal counsel regularly advising on data security compliance? Is counsel internal or external, and, if external, who?
  • How does the company educate and train employees and vendors about company policies, information security risks, and necessary measures to mitigate risk?
  • How can employees or members of the public (such as independent security researchers) report potential vulnerabilities/breaches, including irregular activity or transactions?
  • What is the plan to recover should critical or other necessary systems become unavailable? What are the recovery point and recovery time objectives? How have these and other elements of the plan been correlated to business needs?
  • Have you suffered thefts of confidential data (wherever stored)?
  • Has your network suffered an intrusion?
  • Did you retain outside experts to investigate?
  • What is known about the attackers and the attack vector?
  • What data do you suspect or know were taken?
  • How long between the first known intrusion and discovery of the incident?
  • Do you suspect or know whether the thief or intruder attempted or made fraudulent or competitive use of exfiltrated data?
  • During the past three years, have you experienced an interruption or suspension of your computer system for any reason (not including downtime for planned maintenance) that exceeded four hours?
  • Has the target company evaluated its exposure to such attacks?
  • What measures does it have in place to defend itself?
  • How would it know if such an attack was occurring?

And that’s just the start.

Preparing for a sale

If you know that you intend to sell your organization within the next few years, then I’d strongly advise that you prepare for the expected due diligence examination of your cybersecurity efforts.

By implementing an internationally recognized information security management system (ISMS), you’ll be able to demonstrate to your buyers how you deal with cybersecurity risk, likely reducing the time it takes to complete the sale and maybe even increasing the value.
