How to Bridge the Cyber Risk Integration Gap for M&A

No organization is immune from cyber attack, and most have already suffered an incident, whether internal or external. When it comes to cyber risk in M&A, the average target company may present hundreds to thousands of attack points. For example, one research study found that 58% of companies have more than 100,000 folders open to every employee. It is therefore critical to understand the security environment of the selling company’s assets and its cyber defense posture before closing.

Cyber due diligence for M&A identifies unexpected integration costs, additional technology and training support needs, and gaps in cybersecurity capabilities. This type of assessment lets the acquirer make an informed risk management decision, both on a short-term remediation strategy and on its exposure to potential long-term incidents.

Benefits of cyber due diligence for M&A

Cyber due diligence for M&A assesses multiple risk control areas. For example, it identifies cybersecurity vulnerabilities of the selling company, past or present, that could affect the acquirer after the acquisition.

In addition, a review of the data protection architecture and key management helps the acquirer determine how and where the seller’s data is processed, protected, and stored.

Further, it may include reviews of the implications of third-party relationships, insider threat risk, and federal regulatory and compliance obligations.

Additional benefits of cyber risk assessment for M&A include:

  • Identifying and prioritizing data types and critical assets
  • Identifying new or higher-risk threats
  • Making better-informed planning decisions
  • Preventing deal delays
  • Providing insights that affect deal valuation

7 key areas of cyber due diligence for M&A

Cyber due diligence of the selling company should focus on the following:

  1. Determine the target’s technical capabilities and the protocols in use.
  2. Understand the network and system architecture, data flows, and use of third-party vendors, cloud providers, or undocumented relationships.
  3. Review the impact of any prior or active cybersecurity incidents, including data breaches involving intellectual property or trade secrets, and explore potential future impacts on the target and the acquiring company.
  4. Evaluate whether a written security program exists and meets current regulatory and industry standards for data privacy protection and compliance, with respect to policy, process, and technical controls.
  5. Assess insider threat risk management capabilities.
  6. Understand the data architecture, including PII, sensitive proprietary information, and information provided by customers or third-party partners, for which the acquirer will need to obtain consent before using it post-closing.
  7. Assess the acquirer’s potential liability, compliance posture, and notification obligations that may arise after completion of the acquisition.

GPSG’s framework for assessing cyber risk in M&A

Applying a cyber risk framework for M&A that covers cyber business, operations, defense, and software can help avoid or mitigate post-acquisition cyber risk impacts. GPSG’s framework includes a matrix for identifying vulnerabilities and making recommendations for managing M&A cyber risks.

It comprises 35 core components covering four primary cyber areas: business, operations, defense, and software. The matrix serves as an evaluation guide for assessing the cyber defense posture of a selling company.

The GPSG Cyber Assessment Matrix for M&A is dynamic. It can be used as a holistic tool or component by component to address unique business needs.

The framework focuses on maintaining the acquirer’s defensive cyber posture and driving technology resource planning decisions for the acquiring company. Results include actionable recommendations for improving cyber integration between the acquirer and the selling company.

To learn more about this cyber risk management approach to M&A, contact GPSG at cyberteam@gpsg.co for a free consultation.