The prevalence of data breaches and their growing financial impacts make cybersecurity an important factor for any business. But it’s especially important for companies involved in or planning for an acquisition, merger, or initial public offering (IPO).
The added element of COVID-19 has made cybersecurity due diligence even more imperative. In today’s world of aggressive cybercrime, organizations of all sizes need to get smart, structured, and started with cybersecurity due diligence before transaction talks begin. Doing so could help:
- Strengthen the value of assets being bought or sold
- Facilitate smoother negotiations
- Keep regulatory threats from doing operational or reputational damage before the deal is done
- Reduce related financial impacts
Learn how the due diligence process can help your company reduce risk, build a culture of security, and approach a transaction with confidence.
Effects of a Data Breach
Security incidents and data breaches can hurt an organization in many ways, including:
- Loss of consumer or client trust, damaged public reputation, and decreased profits
- Increased costs spent combatting the breach and reinforcing infrastructure
- Purchase price reductions
- Shareholder lawsuits
- Increased legal fees, including settlements for those individuals whose personal data was compromised and attorney fees managing the fallout
- Delays in a transaction’s completion
- Liabilities for prior unknown breaches or breaches occurring during or after the transition
To help mitigate or prevent these costs, organizations need to proactively approach their transaction preparation process and ask important questions about their cybercontrols. These questions include:
- What controls do we currently have in place, and are they the right kind of controls for the changing nature of the business?
- What are our current compliance obligations? How might they change?
- What opportunities for breaches or new threats are created by this transaction at the human, application, equipment, and process levels?
- What tests or audits of the cybercontrols have been completed? What were the results?
Increased Cyberattacks Due to COVID-19
Since the outbreak of the COVID-19 pandemic, the number of data breaches has drastically increased. Attackers have focused their efforts on exploiting personnel working from home and on targeting systems that are less closely monitored because fewer IT and security personnel are watching them.
These breaches and security incidents increase the cyber-risk profile of a potential merger and acquisition (M&A) target.
The following figures illustrate cybercrime trends since COVID-19 began:
- There was a 300% increase in the number of reported cybercrimes in 2020, according to the Federal Bureau of Investigation.
- Over 86% of breaches were financially motivated and 22% of breaches were caused by human error, according to the Verizon Data Breach Investigations Report.
- 52% of all breaches in the United States were due to failures at the access control layer—this includes credential theft, brute force login attempts, and phishing—according to the 2020 Phishing and Fraud Report from F5.
Why Cybersecurity Is Critical
Often what’s being sought during an acquisition is a company’s data. Companies don’t just buy companies; they buy value—and the assets valued in an acquisition are the same ones that make it attractive to a hacker.
Attractive Assets for Hackers
- Source code. Code that houses the building blocks of any proprietary software.
- Proprietary information and systems. Databases that include trade secrets, business strategies, product designs, and even operational procedures.
- Personally identifiable information (PII). Data that could identify a specific individual and can be used on its own or with other information to identify, contact, or locate a particular person.
- Protected health information (PHI). Information about health status, provision of health care, or health care payments that can be linked to a specific individual.
- Customer lists. A data set that may contain PII, contact information, proprietary research, financial information, or competitive analysis. This data is usually intended for internal use only.
A cybersecurity-aware company knows where critical assets reside and how safely they’re protected. This is achieved through implementing and consistently monitoring:
- Policies and procedures. Security and related practices, including network infrastructure design, network perimeter protections, antimalware strategy, system security controls, physical access controls, policies and procedures, and security management.
- Data-protection mechanisms. Perimeter security devices, such as firewalls and routers.
- Security awareness program. In-depth, required, and recurring employee training around suspicious emails, malware, phishing, and privacy laws surrounding PII.
- Robust incident-response plan. Identify roles for personnel and inform them of their responsibilities for reporting or responding to an incident. Ideally, a response plan helps contain and mitigate incidents quickly.
Increased Business Complexities
The complexity of today’s business operations makes it harder than ever to keep data secure. The availability of cloud technologies means critically important information may be stored offsite, while companies that outsource key functions may inadvertently give data access to vendors whose security controls are inadequate.
Additionally, the ease with which cloud services can be used lets anyone send sensitive information outside an organization without its IT department knowing.
Three-Phase Approach to Cybersecurity
In the COVID-19 environment, companies anticipating a due-diligence review—as either a buyer or a seller—have a lot to sort through. Here are three areas to focus on to bolster your cybersecurity plan.
1. Start Early
Addressing cybersecurity exposure and risk prior to the due-diligence process gives companies a better chance to do the following:
- Demonstrate accurate valuations
- Facilitate smoother transactions
- Achieve a successful deal outcome
Reviewing cyber-risks early also provides companies with a longer time to remediate vulnerabilities and mitigate risk.
An ongoing cybersecurity program—even when a deal isn’t on the table—may make a company more attractive once it’s ready to sell. It can indicate a commitment to security controls and data governance—two qualities highly valued by buyers.
2. Consider a Cybersecurity Due-Diligence Review
At a minimum, a cybersecurity due-diligence review will provide a thorough investigation of the following:
- Security logs for any indication of a breach
- Application and database access levels
- Recent compliance audits
- Third parties and vendors that have access to the systems and data
In addition, companies could benefit from looking closely at these key areas:
- Privileged accounts
- Asset tracking
- Data governance
- Security event monitoring and alerting
- Incident-response abilities
- Disaster-recovery and business-continuity capabilities
- Vendors’ contract language and cyberinsurance policies
- Security awareness training
3. Build a Culture of Security
A strong cybersecurity culture starts at the top of an organization—with the board of directors and executive management. According to the European Union Agency for Network and Information Security’s Cybersecurity Culture in Organizations report, a cybersecurity culture is the “knowledge, beliefs, attitudes, norms, and values of people regarding cybersecurity and how these manifest in interacting with information technologies.”
What Are Strong Examples of Security Culture?
When individuals know the risks, protocols, and required actions, awareness increases and technical controls become more effective. Companies can greatly benefit from building, maintaining, and testing a strong security-awareness training program.
It’s important for executive management to participate in and promote awareness training. All employees, contractors, and vendors should also be involved to help ensure cybersecurity is top of mind for everyone with access to systems and data.
We’re Here to Help
For more information about strengthening your company’s cybersecurity efforts, please see our Cybersecurity Guide and contact your Moss Adams professional.