The focus on cyber diligence in M&A processes has increased tremendously over the past 10 years. As cyber threats continue to evolve and the value of data increases, organizations recognize how vulnerabilities in an acquired company’s IT systems can impact their return on investment, regardless of the type of business being bought.
“It’s important to recognize that acquirers aren’t just scrutinizing tech or tech-enabled companies’ IT systems,” says Carly Devlin, a Shareholder with Clark Schaefer Consulting. “They’re looking at it in all businesses because they all have a cyber footprint and exposures. So, they’ll do cyber diligence to understand their risk.”
Smart Business spoke with Devlin about cyber diligence and how sellers can prepare for it ahead of a process.
What are buyers looking for within a seller’s cyber footprint?
Sellers should be prepared for buyers to look at all aspects of their IT and digital footprint. Buyers will want to understand any products and services that are currently utilized or offered and how they support the current business. This might include looking at technical specifications, studies, demonstrations of the actual technology and technology roadmaps.
Buyers will want to understand the IT systems environment and the architecture, which would include the current software and hardware inventory. They would want to assess the IT function as a whole for effectiveness, sustainability and potential for integration with other services.
Buyers would also want to understand the management of the IT function — the employee structure, the processes that support the technology, the qualifications and roles of employees and potentially contractors, how the department is structured, any vendors and third parties that are being relied on, and then the associated cost of all of that.
The system’s cybersecurity is also important. Buyers will want to look at governance, regulatory compliance, risk management, specific security domains such as identity management, awareness and training, data protection, and also response and recovery procedures.
What are the red flags that could sink a deal?
One major red flag is if an organization isn’t conducting periodic vulnerability assessments. That suggests a lack of awareness of the technical gaps in their network and that could lead to a major security incident. If there is no risk management occurring at all, the company likely has no idea what their unmitigated risks are and can’t act on them, so there’s likely risk for the buyer.
Policies and procedures are the foundation of any sound security program and buyers will want to see them. Without that in place, there’s nothing governing what an organization is doing from a technology perspective, which signals to a buyer that there’s potentially a lot of other issues.
How can sellers prepare for cyber diligence?
The first step is conducting a risk assessment to identify all the applicable threats and risks related to IT and cybersecurity, and the controls in place to mitigate those risks. It paints a picture of the environment so that the company can prioritize IT and cybersecurity initiatives and take a risk-based approach to remediation. Sellers should also make sure they’re in compliance with applicable regulatory requirements and conduct their own vulnerability scanning to identify any major gaps in the environment.
If the organization has a risk management function, an internal audit function or a strong security group that has a governance, risk and compliance focus, they likely have the in-house expertise to do an assessment. Most companies, however, get help from the outside.
Internal reviews should be done at least six months ahead of taking the company to market. That should give the organization enough time to conduct an assessment and remediate issues.
IT and cyber diligence are only going to become a larger part of the diligence process as organizations continue to rely heavily on technology and data to gain a competitive advantage. The more prepared a seller can be for that diligence, the more likely they are to maximize their company’s value in a sale. ●
INSIGHTS Accounting is brought to you by Clark Schaefer Hackett