Bob Gourley
Lustig and Sabett put it this way:
Today, it has become apparent that cybersecurity has become one of the areas where substantive diligence should be conducted not just as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. In fact, according to the “Cybersecurity and the M&A Due Diligence Process – A 2016 NYSE Governance Services/Veracode Survey Report,” 85% of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major security vulnerabilities.” In addition, 22% of those surveyed say that they would not acquire a company that had a high-profile data breach, while 52% said they would still go through with the transaction but only at a significantly reduced value. The Verizon/Yahoo! situation and the recent Telstra/Pacnet deal highlights the importance of cybersecurity diligence and the benefits of having carefully-worded contractual provisions to reflect the parties’ negotiated risk-allocation for cybersecurity breaches after a deal is signed.
Cognitio has contributed to cybersecurity assessments on both side of M&A transactions. We have helped acquiring firms better understand the digital risks and security posture faced by the firm they are going to acquire, and we have helped firms that want to be in a better position to be acquired ensure they have taken prudent steps to reduce their digital risks.
If you are on the buy side of an M&A deal, you will want to make sure your cybersecurity due diligence delivers the information you need. This includes:
- Information that may point to not yet revealed cybersecurity problems
- Estimates of the cost to remediate cybersecurity issues
- Information on the risk due to cybersecurity issues, including quantification if possible, since it could impact decisions on whether to consummate the deal or negotiate down the purchase price
- Indications of compliance problems
- Understanding of security frameworks/approaches
- Understanding of the security architecture
- Awareness of breaches and how they have been responded to
If you are on the sell side of an M&A the information above should motivate you to focus on your security posture. Other considerations include:
- Does your entire executive team understand their role in cybersecurity?
- Do you have strong governance (policy, process, leadership) that supports your security compliance requirements (which may well include, for example, the Gramm-Leach-Bliley Act (GLBA), FFIEC, FINRA, FISMA, HIPAA, HITECH, Fair Credit Reporting Act (FCRA), and others
- Do you have an up to date, actionable cybersecurity policy? Do you have an incident response plan? Do you have a privacy policy that is actionable and applied?
- What is the status of your technical defenses?
- Have you had appropriate independent verification and validation of your approach to cybersecurity?
Whether you are on the buy side or the sell side of an acquisition, we recommend you start with a cybersecurity assessment to cover all aspects of cybersecurity people, process and technology. For more on this type of assessment, see the Cognitio Cyber360.
This post first appeared on CTOvision.com - Context For The CTO, CIO, CISO And, please read the originial post: here
