Essential Tips for Cybersecurity Due Diligence When Buying or Selling a Business
With everything that has taken place as a result of COVID-19, many businesses have been put in a position of struggle for survival. While there are business owners ready to fight the fight to stay in business, other CEOs and business executives are ready to move on to something else, and to sell their companies, whether buyer or seller; cybersecurity due diligence for M&A is something of great value for your business.
Remember the Verizon acquisition of Yahoo in 2017? Do you remember what happened following Yahoo’s security breach disclosures? There was a USD 350 million acquisition price cut. In addition to a possible price cut due to lack of security, studies have shown buyers’ remorse following the acquisition of a business that didn’t have the proper cybersecurity posture in place and also that M&A (Mergers and Acquisitions) deals have been put in jeopardy because cybersecurity steps weren’t part of the company’s operational foundation.
With this in mind, we have created a simple cybersecurity guide to assist you with due diligence in cybersecurity for your potential selling or buying or M&A deal.
Evaluate the following company’s cybersecurity areas pre and/or post-transaction.
Cybersecurity maturity
What does the company’s cybersecurity posture look like? From security assessments to network scanning and external and internal vulnerability assessments to third-party and business associates (BAs) security assessments and agreements.
Every aspect of the business operations should entail a step in assessing, mitigating, and continuously monitoring security measures for a high level of cybersecurity maturity. Low cybersecurity maturity is present with a minimum of all the components required to meet general compliance and regulation requirements. In contrast, mid-level cybersecurity maturity entails more than doing the basics. Still, it is not being invested in a way to keep up with every aspect of a 360-degree cybersecurity posture.
Cybersecurity hygiene and culture
What steps are taken daily to ensure that data is guarded against accidental access of unwanted or unauthorized parties; that phishing emails are spotted and reported; and that working from the office or home/remotely is done so as securely as possible?
It is also essential to know if basic security hygiene is maintained through employee training; if there is CIO and CISO fluid collaboration and communication with each other, the board, employees, HR, and the CEO; and that cooperation across the company is in the forefront with at least the minimum cybersecurity steps in place. A supportive work environment from leadership when it comes to all cybersecurity matters is what helps with doubt, insecurities, and mistakes that can take place. Transparency is key to building trust, which you gain from good cybersecurity culture and hygiene.
Data risk profile
There are many types of businesses out there, and each type holds a type of data. As we know, data is what cyber criminals want from all companies. However, some data is worth a lot more than other types of data. Essentially, this is why you want to profile the company’s data type.
While hospital and financial company data grow in value every year, things are getting a bit meshed together now that COVID-19 has forced companies to hold some of the healthcare data once only accessible to hospital providers. This is why, at this point, every company wants to look closely at the data it is storing, where it is stored, what is necessary to keep, and what can be deleted.
The new privacy laws in place (from CCPA to GDPR) have helped companies compliant to have this type of information readily available or easily organized and located, especially if you have a CDO (chief data officer).
Compliance regulations
If your company needs to meet HIPAA, NIST 800-171, CCPA compliance, or other compliance regulations, you should also evaluate these areas.
Cybersecurity due diligence elements should be key in your M&A (selling or buying) transaction to ensure other areas of interest aren’t overlooked. Gaining a thorough understanding of the company’s cybersecurity state will minimize the likelihood of unwanted surprises.
In Conclusion
It is also always advisable to have a security expert that can dedicate their entire time to conducting the cybersecurity due diligence elements for an M&A or selling or buying transaction to ensure additional areas of interest aren’t overlooked.
The reality is that you want to do a thorough job of assessing the company’s cybersecurity status; this will reduce the likelihood of unwanted surprises.
If you need help with your M&A cybersecurity due diligence for selling or buying a business, give us a call.
Schedule your free consultation today!
Photo Courtesy of Dusit