Historically due diligence assessments before Mergers & Acquisition (M&A) transactions have focused on traditional risk areas that could pose a significant financial risk, like issues of tax, employment, compliance with regulatory environments, intellectual property protection, and of course contracts. Now that technology is a part of every firm’s business model things have changed. Cybersecurity has become part of every M&A due diligence.
Crucial Point has extensive past performance in cybersecurity assessments on both side of M&A transactions. We have helped acquiring firms better understand the digital risks and security posture faced by the firm they are going to acquire, and we have helped firms that want to be in a better position to be acquired ensure they have taken prudent steps to reduce their digital risks.
If you are on the buy side of an M&A deal, you will want to make sure your cybersecurity due diligence delivers the information you need. This includes:
- Information that may point to not yet revealed cybersecurity problems
- Estimates of the cost to remediate cybersecurity issues
- Information on the risk due to cybersecurity issues, including quantification if possible, since it could impact decisions on whether to consummate the deal or negotiate down the purchase price
- Indications of compliance problems
- Understanding of security frameworks/approaches
- Understanding of the security architecture
- Awareness of breaches and how they have been responded to
If you are on the sell side of an M&A the information above should motivate you to focus on your security posture. Other considerations include:
- Does your entire executive team understand their role in cybersecurity?
- Do you have strong governance (policy, process, leadership) that supports your security compliance requirements (which may well include, for example, the Gramm-Leach-Bliley Act (GLBA), FFIEC, FINRA, FISMA, HIPAA, HITECH, Fair Credit Reporting Act (FCRA), and others
- Do you have an up to date, actionable cybersecurity policy? Do you have an incident response plan? Do you have a privacy policy that is actionable and applied?
- What is the status of your technical defenses?
- Have you had appropriate independent verification and validation of your approach to cybersecurity?
Whether you are on the buy side or the sell side of an acquisition, we recommend you start with a cybersecurity assessment to cover all aspects of cybersecurity people, process and technology.
For more information see Crucial Point LLC Technology Due Diligence services.