Cyber due diligence: considerations before a merger or acquisition


Michael Abboud, founder and CEO of TetherView. Photo courtesy of the firm.

By Michael Abboud, TetherView

Do you have any idea how often hackers attack? A University of Maryland study says a cyberattack on average happens every 39 seconds. That’s 2,200 attempts a day, more than 800,000 a year. Countless companies — Sony, JP Morgan, Target and Equifax, to name just a few — have fallen prey to cyberthieves.

On average, a single data breach costs nearly $8 million. Worse, it takes more than six months on average for a data breach to be spotted in the first place. Many companies don’t even realize that they’ve been hacked.

So performing cyber due diligence before a merger or acquisition is essential. While your company may be top-notch in terms of cybersecurity, you have no guarantee that your target company is.

What’s at risk? Many companies significantly underestimate what a single breach can do:

  • Business interruptions. While ransomware is possibly the most clear-cut example, dealing with any kind of malware leads to downtime while the virus is dug out and eradicated.
  • Loss of intellectual property and other records. Whether hackers make off with proprietary information or company, employee, customer and vendor data, the fallout can be intense – and costly.
  • Compliance violations. For organizations governed by HIPAA, GDPR, SEC, FINRA, NYDFS, PCI and other standards, recovering from a cyberattack is dramatically harder.
  • Damage to reputation and business. This is incalculable.

Without proper preparation, integrating your target company could introduce serious issues into your organization.

So be straightforward with the target. Ask the CEO and CTO whether they’ve been hacked – but be mindful that they might not know.

Conduct the following examinations of the target, its key personnel and its major suppliers:

  • Dark Web Analysis: The Dark Web, inaccessible via standard internet browsers, contains extensive data and private sites. Many breached databases, credentials, personal information, and other sensitive data can be found there. The goal is to ensure no company-related data appears there.
  • Social Media Analysis: Are executives and decision makers living a “social” life? If a bad actor knows the CFO’s nickname and knows that he or she is going on vacation to a specific location, that information could be linked to a company account’s secret questions. A well-structured social media analysis can create a risk matrix and address vulnerabilities before they escalate.
  • Extensive Internet Search: Do you know what the Internet says about the company? Understanding what the market thinks is critical for your brand image and customer service. But past or current employees might also be giving away company secrets and operational knowledge.

Review the target’s information-security standards – including plans, procedures and policies. Carefully go through its incident-response methods, business-continuity plan and disaster-recovery procedures. If the target has done a cyber-vulnerability assessment, review the findings from any penetration testing. Then ask a separate firm to conduct new assessments.

Examine the company’s cybersecurity employee-training program. Assess infrastructure and software. Evaluate IT personnel for competence and capabilities. Monitor corporate networks and review user activity.

These steps will gauge the organization’s current state, increasing the odds that you’ll spot any issues.

Evaluate the organization for compliance and whether it adheres to a recognized cyberframework. NIST and ISO are recognized standards, guidelines and best practices designed to mitigate cybersecurity risk through increased control, proper data handling, and other essentials. If a company does not rely on a known framework, that may be a red flag.

Once the deal is set, your work isn’t done:

  • Do another cyber-risk assessment to review the current state of the combined organization.
  • Enhance IT operations, especially if any shortcomings were previously noted. Partner with a managed services provider that specializes in technical operations, compliance and cybersecurity to reduce overhead costs while increasing cybersecurity capabilities.
  • Consider implementing a private cloud and virtual desktop infrastructure solution to create a more secure environment while enhancing mobility. This will enable you to adapt to changing personnel needs, ensuring you have the proper service level at all times.

Michael Abboud is founder and CEO of TetherView, the Oceanport, New Jersey, provider of secure and compliant private cloud solutions. Reach Michael at +1 732-898-1149, [email protected], and www.linkedin.com/in/michael-abboud-49525aa/
