[BreachExchange] Cybersecurity Due Diligence: 6 Key Questions To Ask Your CIO Before An Acquisition

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 27 15:30:21 EDT 2017


https://chiefexecutive.net/cybersecurity-due-diligence-6-key-questions-ask-cio-acquisition/

Given the current cyber environment—with companies of all types targeted by
hackers, and with large, sophisticated organizations reporting major data
breaches—one would expect cybersecurity assessment to be a standard
component in the M&A due diligence tool kit.

Surprisingly, that’s not always the case: one recent industry study found
that 78% of deal makers believe that cybersecurity is not a risk that’s
currently analyzed in-depth, or even addressed properly in the due
diligence process.

For buyers and sellers alike, expertise in assessing data-related risks
must be applied at the front end of every transaction and throughout the
deal, to gain a reliable and complete assessment of the target company’s
cyber exposure and readiness. This will ensure that deal terms and deal
value are equitable, and that post-closing opportunities to strengthen
security can be implemented.

Here are a few critical questions that buyers should ask, and that sellers
should be prepared to answer, in the due diligence process:

What’s the nature and risk profile of the data? The target company should
clearly articulate what IT systems, data sets and business processes are
most valuable and vulnerable, and explain how the company protects and
exploits them. This review is only partly about data privacy, as
contractual rights and IP protection can also affect the data’s valuation.

What cybersecurity controls and crisis management plans are in place? The
target company should summarize administrative, technical and physical
information security controls that safeguard its most critical data sets.
These include technical controls—boundary and malware defense, data
encryption, intrusion detection systems, etc.—administrative measures and
physical security. A documented crisis management/incident response plan
should also be in place.

How cyber savvy is senior management? If the target company’s senior
leadership does not demonstrate a sophisticated understanding of data
security risks, that suggests the responsibility is siloed within the IT or
information security functions. If the entire internal culture is not
focused on data security, the company is at much higher risk.

What’s your third-party exposure? If vendors hold or have access to sensitive
data, the target company should have a formal vendor risk management
program, as well as detailed agreements and supervision disciplines that
address a broad range of legal, liability and procedural issues.

What does your cyber insurance really cover? Most cyber insurance policies
cover expenses related to data breach and privacy crisis management, but
buyers need to closely examine policies for details, such as exclusions,
deductibles, coverage periods and limitations.

Can we stress test your security protocols? A target company’s evidence in
due diligence can sometimes be aspirational, rather than reflective of
operational reality. A primary due diligence objective should be to probe
and test, within reason, whether the target company’s representations stand
up to scrutiny.

Most officers and directors understand the impact of software application
and data security vulnerabilities on their organization’s profitability and
reputation, as well as the disruption to productivity and business
processes. However, M&A practices are only now beginning to adopt the rigor
and sophistication required to properly evaluate those assets and risks
prior to a transaction.