Securing the Digital World

Why a Cyber Risk Assessment Is Essential for M&A Due Diligence

Oct 18, 2016 | by RSA

According to J.P. Morgan, the global mergers and acquisitions (M&A) market amounted to $5 trillion in 2015 and continues to show strong levels of growth. When it comes to M&A, the due diligence process involves investigating the health of another business before engaging in any sort of transaction. This process will take many factors into account, including the target organization's assets, liabilities, finances, and commercial potential.

The Importance of a Cyber Risk Assessment

The due diligence process influences the price that an organization ultimately pays in an M&A deal. If the enterprise uncovers risk, its offering price will be lower. Unfortunately, a cyber risk assessment is often not included as part of the process. In fact, according to a survey by law firm Freshfields Bruckhaus Deringer, 78% of organizations state that cyber security is not among the risks they deal with or analyze in depth during due diligence.

Instead, many deal makers rely on statements about the state of security from executives or others in the organization, which may be less than reliable. In a recent survey, 60% of high-ranking executives stated they could "truthfully assure the board beyond reasonable doubt" that their organizations are secure. However, less than one-third claimed to have full visibility into their network infrastructure. As such, they may not be fully aware of all the gaps that exist and where they are located.

Without a cyber risk assessment, the acquiring organization puts itself at risk of taking on unknown security vulnerabilities, which can have a major impact on its overall security level. In order for the acquiring enterprise to put good governance, risk management, and compliance practices into place, it must have a solid understanding of the other company's security posture.

A thorough cyber risk assessment should encompass all parts of an organization's network and security architecture. Best practices call for the acquiring enterprise to provide the acquired party with a questionnaire in which it can summarize all the administrative, technical, and physical security controls it has in place. This party should be asked to identify its most critical data assets, where its sensitive data is stored, and how this information is protected at rest and in transit.

Resilience Required

During the due diligence process, it's important to ensure that the organization being acquired has invested not only in threat prevention and identification measures (which often receive the lion's share of budgets) but also in measures to recover from security incidents and attacks. After all, the latter determine how well the organization can withstand and recover from security events, and these measures can be used to quantify overall risk. The organization should have a documented crisis management or incident response plan that is kept up to date, tried, tested, and approved by senior management.

As part of a cyber risk assessment, acquiring companies should also determine what percentage of the other party's budget is dedicated to security investments and maintenance. One further area to investigate is which departments are significantly involved in security matters. These may include business unit managers, the legal department, audit and compliance teams, finance, human resources, IT, and risk managers.

M&As provide a variety of new growth opportunities, but acquiring enterprises must consider them carefully. To do so, these enterprises should put a solid cyber risk assessment plan in place.