Before a deal closes on a merger or acquisition, due diligence investigation will ensue to confirm goal alignment and identify any obstacles present. There are several integral components of this process such as identifying transaction purpose, legal obstacles, financials, sale history, and technology usage. Cybersecurity has always been on the list, however, now more than ever it is essential to perform inquiries into cyber risk as a separate category of due diligence review and also throughout the life of the transaction. Unlike other investigatory components, teams cannot just review cyber risks once. This instead needs to be a consideration at every stage from strategy through integration.

Every organization with a technology footprint carries a degree of cyber risk, and failure to identify those prior to merging or acquiring another organization can result in disaster. Putting extra effort into cybersecurity review fosters successful, secure transactions and ensures everyone at the table is comfortable or has the opportunity to tailor strategy before it is too late. This is especially true during the due diligence phase to identify overlooked cyber risks earlier on in the timeline.

Five essential considerations for elevating cyber risk evaluation during the due diligence process.

1. Collaborative approach: Create a playbook outlining roles for key stakeholders and who should come to the table at each phase. Having legal counsel direct matters from the beginning of a transaction is beneficial because it provides a layer of privilege protection that can carry forward through due diligence inquiries. Going in with a collaborative mindset not only supports goal achievement for all interested parties, but also offers an opportunity for cyber professionals to have a larger presence throughout the life of the transaction. Developing strategy with “security by design” will help align expectations and ensure that cyber risks are at the forefront of due diligence investigations so teams can identify gaps and react accordingly.

2. Heightened risk factors: Many are not aware that threat actors watch for talk of M&A activity and view this as a time when security awareness falls, thus leaving an organization more vulnerable. This increases the likelihood of ransomware attacks, phishing, and other attempts to access sensitive or proprietary information. Besides the nature of the transaction heightening risk automatically, it is also crucial to identify data breach history, dark web exposure, supply chain activity, contractual obligations, and pending legal action. Being aware of these factors helps teams understand where risk exists and what action to effectuate in order to avoid compromise or remediate before moving to the next stage of the transaction.

3. Cyber strategies: Do not forget to take a deep dive into the acquiree’s cyber program. Key inquiries include policies around personal device usage and remote working, employee training and onboarding mandates, compliance procedures, CISO presence, incident response approaches, audit frequencies, technology vetting process, and other unique cybersecurity controls. Knowing these things before close of deal will make the transition smoother and help determine what to address in order to maintain uniform security practices. It also lessens the risk of overlooking a major responsibility or gap prior to integration.

4. People and technology: Cyber risk can increase based on the people and technology that come along with the transaction, so it is crucial to perform due diligence in this regard. Keep apprised of reputation, market presence, and methodology preferences for the key people coming over. The last is really crucial with technology deployment, as oftentimes people will need certain solutions and processes to continue thriving and contributing in the manner expected after a deal closes. Taking an agnostic approach to technology will help evaluate cyber risk and match current processes to industry best practices. Key stakeholders can discuss assessments, determine risk tolerance, and consider alternative approaches that lessen risk while still advancing goals.

5. Privacy implications: Consider how privacy fits into cyber risk due diligence, as current and future legislation around the globe will continue to influence the level of cybersecurity needed to protect sensitive information. Factors to include in exposure review include applicable laws, global presence, personal data storage, and compliance efforts. Discounting this step and similar obligations such as contractual mandates can result in legal exposure after the deal closes.

Incorporating the above into cyber risk analysis during M&A transactions will enable organizations to better manage risk and make informed business decisions. This requires having collaboration between several key actors including legal, stakeholders, IT, and human resources. Remember that each review will have unique characteristics, which makes proactive cyber screening before jumping into a transaction a crucial asset. Adding internal IT and security professionals or outside consultants to the risk management process is one way to ensure thorough cyber risk due diligence ensues. This will facilitate any changes or discussions needed prior to closing a transaction and guide cyber initiatives after the two organizations become one.

[View source.]