If you are involved in a Private Equity Group (PEG) considering an acquisition, you have likely begun the due diligence process. While you are evaluating the target company’s financial statements and other key indicators, it’s also important to assess another critical element of the business – the company’s cybersecurity risk exposure.
Risk Assessment
When conducting due diligence, it’s vital to have a competent, trusted risk assessor go into the target on your behalf and give you an objective assessment of the company’s controls. Third-party acquisition reports from a trusted source are useful, but they were not scoped to your deal and may not identify or address your specific concerns.
Compromises and incidents are going to happen, because there’s no such thing as zero risk. The real question is whether the target has reasonable protections and controls in place so it can identify potential issues in a timely manner and react quickly, rather than allowing these issues to linger for months or years.
A breach does not automatically make the acquisition a bad target. However, the company needs to have an information security program in place that is reasonable and appropriate for the size and complexity of the organization, along with assurance that the program is in place and operating as prescribed.
As part of your due diligence, you first want to identify if the company has any known data breaches.
Second, the diligence should focus on the key areas of cybersecurity, which essentially comes down to, “How do you know if you have a problem?”
The answer comes from effective logging and monitoring of systems and user activity; an understanding of what normal and abnormal activity look like; and a mechanism that actively and consistently alerts the target when there’s a problem. Ask for evidence that this mechanism works in practice: recent alerts, how they were triaged, and how long it took to detect and respond.
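The detection capability described above, reduced to its essentials, as an added illustration that is not part of the original article: build a per-user baseline of normal login activity from historical logs, then evaluate new events against it. The log format, user names, addresses and thresholds below are constructed for the example; a real environment would use its identity provider’s logs and a tuned threshold.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
# Format per line: ISO timestamp, user, source IP, result.
BASELINE_LOG = """\
2024-03-04T09:02:11 alice 10.0.1.15 success
2024-03-04T09:10:43 bob 10.0.1.22 success
2024-03-05T08:55:02 alice 10.0.1.15 success
2024-03-05T09:01:30 bob 10.0.1.22 success
2024-03-06T17:40:19 alice 10.0.1.15 success
2024-03-06T09:05:00 bob 10.0.1.22 failure
2024-03-06T09:05:20 bob 10.0.1.22 success
"""

# Constructed events for the day under review: an off-hours login from an
# unfamiliar address, a burst of failed logins, and a user with no history.
NEW_LOG = """\
2024-03-07T09:03:00 alice 10.0.1.15 success
2024-03-07T02:14:51 alice 203.0.113.7 success
2024-03-07T09:00:01 bob 10.0.1.22 failure
2024-03-07T09:00:05 bob 10.0.1.22 failure
2024-03-07T09:00:09 bob 10.0.1.22 failure
2024-03-07T09:00:13 bob 10.0.1.22 failure
2024-03-07T09:00:17 bob 10.0.1.22 failure
2024-03-07T09:00:21 bob 10.0.1.22 failure
2024-03-07T09:01:00 carol 10.0.1.40 success
"""


def parse_events(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return events


def build_baseline(events):
    """Per user: the source addresses and hour-of-day range seen on successful logins.

    Only successes seed the baseline so that an attacker's failed attempts
    cannot teach the detector that their address is normal.
    """
    baseline = {}
    for e in events:
        if e["result"] != "success":
            continue
        prof = baseline.setdefault(e["user"], {"sources": set(), "min_hour": 23, "max_hour": 0})
        prof["sources"].add(e["src"])
        hour = e["ts"].hour
        prof["min_hour"] = min(prof["min_hour"], hour)
        prof["max_hour"] = max(prof["max_hour"], hour)
    return baseline


def detect_anomalies(events, baseline, failure_threshold=5):
    """Return (user, reason, detail) alerts for events that deviate from the baseline."""
    alerts = []
    failures = defaultdict(int)
    for e in events:
        user = e["user"]
        if user not in baseline:
            # No history at all: could be a new hire or a newly created backdoor account.
            alerts.append((user, "no_baseline", e["src"]))
            continue
        prof = baseline[user]
        if e["src"] not in prof["sources"]:
            alerts.append((user, "new_source", e["src"]))
        hour = e["ts"].hour
        if not (prof["min_hour"] <= hour <= prof["max_hour"]):
            alerts.append((user, "off_hours", f"{hour:02d}:00"))
        if e["result"] == "failure":
            failures[user] += 1
    # Repeated failures are evaluated per user after the pass, so the
    # alert fires once rather than on every attempt past the threshold.
    for user, count in failures.items():
        if count >= failure_threshold:
            alerts.append((user, "failure_burst", str(count)))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(parse_events(BASELINE_LOG))
    for alert in detect_anomalies(parse_events(NEW_LOG), profile):
        print("ALERT user=%s reason=%s detail=%s" % alert)
```

The point for diligence is not this particular logic but whether the target has anything playing the same role: a baseline it can articulate, rules that run continuously against live logs, and a person or system that receives the alerts and acts on them.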
Identifying Processes
Policies and governance are important, but you also need to look at what processes are in place. Sometimes this is as simple as asking for a copy of the company’s most recent risk assessment.
Reviewing the target’s risk assessments and overall risk-management plan year over year lets you judge whether the assessment was comprehensive and performed by a reputable third party. It also shows how risk is tracked from one year to the next, and whether the organization recognizes that it has risk and is actively managing it.
Be sure you enter into the acquisition with eyes wide open, so you can make informed decisions about what is good in the organization and assess the critical and minor issues.
The key is having an understanding of why you are acquiring the target and your future plans for it, and then investing adequate resources to conduct a thorough, customized risk assessment to ensure the target acquisition is an appropriate fit.
The Outcome
The results of a cyber evaluation can have an impact on the cost or timing of a deal. A good assessment identifies the areas that are most deficient. Addressing those issues can be costly and time-consuming, and the buyer may want them resolved prior to close, which could significantly delay the deal. Alternatively, the buyer may choose to remediate the identified gaps after close; this may affect the purchase price depending on the anticipated costs of remediation. A third option is for the purchasing entity to decide that the best course of action is a complete “rip and replace” of the target’s technology. If that is the case, the overall purchase price could change by a large margin.
Van Steel is a Shareholder in LBMC’s cybersecurity service line.