Whether pursuing an acquisition, inking a contract with a vendor, or partnering with another firm, companies routinely conduct due diligence to ensure that their investments and operations are financially and reputationally sound. Unfortunately, companies rarely apply these same investigative standards in the realm of cybersecurity. According to a survey of global deal-makers, 78 percent of companies admit that cyber risk is not adequately assessed or quantified in the M&A due diligence process. Given the high stakes of cyber risk and the comparatively low cost of mitigation, companies must begin integrating cybersecurity assessment into their existing due diligence processes.
In the field of cybersecurity, the spectrum of risk is often much broader than it initially appears. Even firms that implement industry best practices can fall victim to a cyber attack if the companies they partner with or acquire have weak cybersecurity postures. For example, the attack that resulted in sensitive customer data being stolen from Target in late 2013 began not as an attack on the retailer’s point-of-sale systems, but on an HVAC subcontractor that was working at several Target locations.
Beyond the substantial cost of remediating a breach, neglecting cyber due diligence may also expose a firm to costly penalties and legal action from US and foreign cybersecurity regulators. Fines can range from the tens of thousands to the tens of millions depending on the severity of the case.
While most US cybersecurity regulation has applied more narrowly to the health and finance industries, the responsibility of regulators to police data privacy practices in other industries has recently been upheld in federal courts. In August 2015, a US appellate court ruled that the Federal Trade Commission may sue Wyndham Hotels for lax information security standards that have resulted in breached customer data.
Damages incurred by a firm may also include substantial non-monetary costs. When firms fail to conduct adequate cyber due diligence, they assume considerable reputational risk. A single data breach can cause immediate and irreparable damage to a brand, with serious long-term consequences.
Despite the broad spectrum of risk in the cyber threat landscape, companies can do much to mitigate cyber risk when engaging with another firm. Whether hiring a vendor, partnering with another entity, or making an acquisition, companies should conduct robust vulnerability assessments that encompass grey hat penetration testing and network topology mapping.
For M&A activity in particular, acquiring firms should try before they buy: an investigation into past data breaches is a critical step in determining the level of cyber risk being assumed. The M&A target should fully disclose forensic data relating to past cybersecurity incidents for the acquiring firm to analyze. Firms that report no record of cyber incidents should come under closer scrutiny, as more than 80 percent of US firms have acknowledged being seriously hacked in the past. This number is even greater for smaller firms and those based outside the United States.
Other inquiries are also necessary in order to ascertain a complete picture of a firm’s cyber risk, including a full examination of the company’s information security policies and procedures. Basic questions to consider include:
- Is there a clear information security policy in place that addresses the use of company data and devices?
- Are there strict and defined user access controls to company systems, and are privileges distributed such that only select users have access to sensitive systems and data?
- How and where is the firm’s data being stored? Is data at rest encrypted? What about data in transit?
- Does the company conduct regular information security training across the organization?
- Does the firm adhere to industry standards such as ISO 27001 or the 2014 National Institute of Standards and Technology framework?
- Is there a robust incident response plan in place?
As an additional measure, companies can also require that vendors and business partners take out a cyber risk insurance policy if a due diligence investigation reveals significant problem areas. However, while insurance can help reduce losses in the event of a cyber incident, it is no substitute for thorough initial due diligence. By carefully investigating the cybersecurity posture of firms with whom they do business, companies can dramatically mitigate their cyber risk and better position themselves—and their customers—for success.