Covering your Ass(ets)
When was the last time you bought an item of some considerable cost? Was it a laptop? Car? House?
Before your purchase, did you do your research? I’m guessing you did. As the value increases, the stakes rise with it; therefore, the research increases in line with the investment. Right?
But are PE Houses and the M&A sector doing this when investing or buying companies?
I believe they are, in part, but they’re missing something significant, and it’s an obvious ‘own goal’ when you think about it.
The trick they’re missing: knowing the difference between Cyber and Info Security.
In today's digital age, technology is rapidly advancing and changing how we do business.
With more and more companies and people relying on digital systems to manage their operations, the risk of cyber threats and data breaches is also increasing. This is particularly relevant in the M&A sector, where companies merge and acquire other businesses.
The more complex an operation or system, the more opportunity for failure, errors, breaches and flaws. These are the windows of opportunity that scammers and hackers are not just climbing through; they’re walking in, closing the door and setting up home!
This is why it is critical to perform Due Diligence that not only looks at the cybersecurity posture of the target company but also looks beyond the technology to identify potential risks of failures in controls around people, processes AND technology.
Of course, the sales and marketing departments have done a brilliant job selling us on the ‘Cyber Due Diligence’ process because it sounds far more exciting, scary and… expensive(!) than looking at its more pedestrian parent: Information Security.
Information Security is a risk-based process that should incorporate Confidentiality, Integrity, Availability, Safety and Privacy (the old ‘CIA’ is dead… and avoid anyone who tells you differently).
Forget Cyber Due Diligence – Focus on Info Sec Assessments
Essentially, Info Sec Assessments are the process of evaluating how a company processes and protects its information: from technology infrastructure, security protocols, and cyber risk management practices to how policies are deployed, procedures are followed, and people are trained.
This process should be followed before entering into a business deal. It should be a comprehensive assessment of the target company's data assets and vulnerabilities, including people, process and technology (i.e. hardware, software, networks, data, and intellectual property).
Good Info Sec Assessments help acquirers identify past events, historical issues, and potential risks. This allows the acquirer to quantify the impact of an incident and develop an effective security strategy to mitigate these risks.
This kind of comprehensive assessment in the M&A sector has numerous benefits. For example:
1. Identifying Potential Risks
The assessment helps acquirers to identify potential risks that may affect the target company's operations, reputation, and financial performance. Threats to value can come from various sources, including malicious actors, software vulnerabilities, third-party service providers, intentional (internal) damage, and human error. By conducting a thorough assessment, acquirers can identify these risks and assess their potential impact on the deal's value. This information is critical in negotiating the deal's terms and pricing and developing an effective security strategy as part of the 100-day plan.
2. Quantifying the Impact of Incidents
In addition to identifying potential risks, the assessment helps acquirers quantify an incident’s impact on the target company's operations, finances, and reputation. Incidents can result in data breaches, system failures, intellectual property theft, and regulatory fines, among other things. By understanding the potential impact of these incidents, acquirers can develop a plan to mitigate the risks and ensure a smooth integration process.
3. Developing an Effective Security Strategy
The assessment provides acquirers with critical information on the target company's security posture and practices (including Cyber). This information helps acquirers to develop an effective security strategy that addresses potential risks and ensures a secure integration process. Yes, the focus may be on improving technical controls, but it may also include improved people and procedural controls. The security strategy should consist of security assessments, vulnerability testing, security awareness training, and incident response planning (remember, having a plan and knowing how to use a plan are two very different things).
4. Enhancing the Value of the Deal
The assessment can enhance the deal’s value by identifying potential risks and developing an effective security strategy. By mitigating these risks, acquirers can ensure a smooth integration process and minimise the likelihood and impact of incidents on the target company's operations and finances. This can enhance the deal's value by reducing the risk of future losses and liabilities.
5. Complying with Regulatory Requirements
The assessment is essential for compliance with regulatory requirements, such as data protection and privacy laws. Many jurisdictions have specific regulations governing the handling of personal and sensitive data, and non-compliance can result in significant fines and legal liabilities. By assessing the target, acquirers can identify potential compliance issues and develop a plan to address them before closing the deal.
6. Building Trust with Stakeholders
Finally, the assessment can build trust with stakeholders, including shareholders, customers, and employees. We all know that incidents can erode trust and damage the target company's reputation, resulting in lost business and legal liabilities. By conducting an assessment and implementing effective security measures, acquirers can demonstrate their commitment to protecting the target company's digital assets and maintaining stakeholder trust.
Ok, I get it… Cyber Due Diligence sounds way more interesting than Info Security Assessments. So call it what you like.
But if you only focus on the ‘Cyber’ aspect of the due diligence process, it is like buying a car and only concentrating on the engine as an indicator of the asset’s value.
You’re going to miss other factors that determine the value of that asset: Has it been in an accident before? What is its history? How many previous owners has it had? How has it been cared for? And what are the brakes like?
Suppose your approach to buying a company or investing in one is only to focus on one aspect of info security (i.e. Cyber). In that case, you may be overvaluing (or undervaluing) your investment. This is something I’m sure you want to avoid. Right?