Steps to a Secure Portfolio: Due Diligence During M&A & Beyond

Gina Yacone
Advisory CISO at Trace3

Gina is the Information Security Official for TRACE3’s mountain state region.
Prior to Trace3, Gina was responsible for the protection of numerous organizations as a vCISO. She managed several organizations’ overall security strategy and operations.
Gina was a part of a startup that built a Security Operations Center (SOC), which offered Managed Detection and Response (MDR) and threat intelligence services.
Prior to her work in information security, Gina was a licensed private investigator, where she specialized in high-profile, complex litigation.
Gina is pursuing her master’s degree in cybersecurity. Normally, you can find Gina on a conference stage. She has spoken at over 50 events regarding information security.

Did you know that less than five percent (5%)[1] of organizations engaging in mergers and acquisitions (M&A) will consider cybersecurity risk assessments during the M&A process?


It is crucial for investment companies to consider the unique risks associated with information security. To avoid costs, investors must prioritize privacy, information security, and compliance concerns at the outset of an M&A transaction.

An M&A process that accounts for these risks can fortify the organization’s information security strategy across its portfolios.

Increased Costs of Data Breaches Affecting the M&A

With the average cost of a data breach being $9.44M[2], compromising systems and exfiltrating data is big business. Armed with such strong financial motivation, bad actors are expanding their methods of infiltration. Criminals use the data they steal to resell it, create fake identities, purchase items, file fraudulent insurance and tax claims, and demand ransom.

As such, potential investors must investigate a range of data privacy and information security issues when evaluating an M&A target, particularly if valuable data is integral to the deal.

Considerations from legal, technical, and operational perspectives must be evaluated, and buyers should make a thorough assessment of the entity to help manage and mitigate potential risk, liability, and exposure. Due diligence findings may affect not only the purchaser’s valuation but also the contents of the purchase agreement.

Initial Evaluation

In the beginning stages of due diligence, investors must gain an understanding of the privacy and information security posture of the organization being acquired.


This background information will aid in determining the scope of the privacy and information security due diligence inquiry.

This includes:

  • identifying the data the organization creates, receives, maintains, or transmits, particularly any electronic protected health information (ePHI), personally identifiable information (PII), and confidential or sensitive data
  • identifying the IT assets used to maintain, process, and safeguard that data
  • ascertaining when, and by whom, the organization’s last risk assessment and comprehensive penetration test were performed
  • determining the applicable privacy and information security obligations, which may include:
    • regulatory restrictions (e.g., General Data Protection Regulation [GDPR], Health Insurance Portability and Accountability Act [HIPAA], Gramm-Leach-Bliley Act [GLBA], California Consumer Privacy Act [CCPA], U.S. Securities and Exchange Commission [SEC], etc.)
    • state and local legal obligations
    • industry standards, or
    • contractual obligations
  • being familiar with the organization’s information security and data privacy governance model and risk management process
  • evaluating the potential incompatibilities in IT systems, governance models, and privacy policies between both companies
  • learning whether the organization has any past and/or ongoing criminal and civil litigation suits or investigations
  • reviewing any ownership, court, or real estate records and obtaining any other publicly available information on organizational assets
  • researching news articles that may negatively impact the M&A transaction

Develop a Team

After the initial evaluation, the buyer and the entity being acquired need to compile a group of in-house contacts who cover the various business, legal, technical, and financial departments.

This team should:

  • have an appropriate legal team for each party
  • have a privacy and information security due diligence team made up of technical and compliance practitioners
  • establish a process for sharing relevant information
  • identify key stakeholders of the buying entity who are responsible for information security, privacy, and external IT vendors

The Questionnaire & Document Request

Submitting the due diligence request list to the entity is vital to formulating the scope of the due diligence review.

The questionnaire consists of a list of questions and requests for documents that may include the following IT documentation:

  • information security, information technology, or technology risk management policies and procedures
  • information security documentation (e.g., network diagrams, data maps, data classification schemes, etc.)
  • independent third-party risk assessment and penetration test results
  • any privacy impact assessment results
  • any and all documents related to security control audits
  • copies of the past few vulnerability scans of the IT environment
  • copies of third-party contracts relevant to the entity’s technology
  • IT asset inventory list
  • a list of any IT products, technology, or services used by the entity
  • a list and copies of all pending patents and applications
  • a list of all copyright registrations and applications related to any intellectual property
  • a list of all IT trademarks—registered or unregistered
  • the entity’s organization chart, highlighting the information technology, information security, and privacy offices
  • a list of all contractors or consultants who participate in technology development for the organization
  • copies of any IT certifications
  • copies of all security awareness training materials and records
  • a list of all litigation, demand letters, complaints, enforcement investigations or actions, notices of inquiry, settlements, and administrative fines or penalties relating to privacy and data security issues

The list above is not meant to be exhaustive; rather, the items are suggestions to spark ideas for content requests.

Many due diligence questionnaires are over 20 pages long with numerous requests.

Identify Data & IT Assets

It’s critical to identify the organization’s information assets, including data and IT assets.

Understanding the entity’s critical assets and data will enable investors to properly identify risks and liabilities.

Topics that should be addressed include:

  • identifying the data the organization collects, creates, receives, maintains, or transmits
  • identifying the source information of data that’s collected, created, received, maintained, or transmitted
  • determining the locations of the data
  • understanding the data flows within the organization
  • understanding the entity’s data disposal processes
  • identifying the security controls used to protect the data
  • obtaining an IT asset inventory

Overcoming Delays in the Due Diligence Process

Many factors contribute to delays in the due diligence process. Investors can reduce delays by involving the due diligence team from the beginning and giving the IT team of the organization being acquired ample time to collect the requested information.

The buyer must identify all the potential liabilities that could affect the investor’s valuation of the organization. A strong understanding of the legal and contractual obligations, regulatory guidelines, breach costs, and industry standards is vital to truly evaluate the organization’s exposure.

Conclusion

An organization’s cybersecurity strength and security posture directly affect the value of a potential deal.

Just as it is critical to send a diligence team to check an organization’s financials, it is equally important to engage a team to discover the risks and liabilities surrounding an organization’s cybersecurity program and IT stack. Overlooking warning signs can have ramifications that devalue an organization after the M&A process; therefore, investors must complete a thorough due diligence check to understand the potential investment.

[1] Source: https://www.forescout.com/company/resources/cybersecurity-in-merger-and-acquisition-report/

[2] Source: https://www.ibm.com/reports/data-breach
