Acquiring a Company? Make Sure You Do Your Cybersecurity Due Diligence First

Five years ago, analyzing cybersecurity strength was a low priority for private equity firms searching for merger and acquisition (M&A) opportunities — but things have certainly turned around since then. Private equity firms have realized that developing a robust security program within each company in their portfolio goes a long way toward increasing the value of those companies. Now firms are making cybersecurity part of their M&A due diligence process.

But that process is not as simple as it sounds. Firms need to know what criteria to evaluate, strengths and weaknesses to look out for and how much it will cost to either fix issues or enhance the company’s existing security program. So where should you begin?

Perform a Cybersecurity Audit

There are two main reasons to perform a cybersecurity audit on a company you’re considering acquiring. The first is to uncover previous cybersecurity events (e.g., breaches) that may necessitate damage control or paying fines. The average time it takes to detect a breach is over 200 days [1], meaning its potentially devastating impact may not be felt until after a transaction is complete.

Second, you must prevent unauthorized access to the old system by someone such as a former employee, business partner or hacker. Since the acquired company will typically be integrated into your IT infrastructure, your firm is most vulnerable during the technology switchover period (usually the first 100 days of a combination). Running dual systems opens up security risks to both your firm and any other company with network connectivity or shared services.

Auditing the cybersecurity program and controls of a potential acquisition will help protect your business. Audits look for things such as vulnerabilities, license and subscription statuses (i.e., if they’re out of date); the age of hardware and the cost of upgrading; compliance with applicable regulations (e.g., PCI, HIPAA and GLBA); and breach response and mitigation costs.

You should also know if the company has a documented information security program, how it manages vulnerabilities, if it has a risk management plan, if it does penetration testing and what its business continuity plan looks like. Additionally, the company should disclose to you if there have been past cybersecurity issues and what actions it took to mitigate risks for the future.

Don’t Feel Safer Just Because They’ve Outsourced IT

It’s equally important to assess cybersecurity if the company you are acquiring outsources its IT. You don’t know what vulnerabilities that third party has or what it’s doing to prevent breaches. Running vulnerability scans and performing penetration testing will go a long way to discovering whether the potential acquisition’s IT services company has been doing an adequate job. The results will certainly affect your technology integration plans and whether you need to take a different or delayed approach.

How to Get Started

During the “get to know you” phase, conduct a passive cybersecurity assessment of open-source intelligence (OSINT) to see how risky the company is. This would include searching OSINT sources and performing dark-web scans to look for leaked credentials, database dumps and vulnerabilities found on the internet.

Then, during the due diligence phase, review additional information, including independent audit reports and the results of vulnerability assessments and disaster recovery tests.

As a final step, conduct your own independent penetration testing to see how porous an organization is before finalizing the transaction.

If a company hasn’t addressed cybersecurity itself, it certainly calls into question other surprises you may find after the transaction is complete. But if the company’s IT environment and cyber risk are managed well, it speaks volumes about the strength of the management team and demonstrates a well-run organization.

Need help performing a cybersecurity audit? From passive cyber assessments to in-depth penetration testing, Wipfli can help you determine the cybersecurity standing — and overall deal value — of any company you’re looking to acquire. Contact Jeff Olejnik or Michael Vaccarella to learn more.

[1] “2017 Cost of Data Breach Study,” Ponemon Institute and IBM Security, June 2017, https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN, accessed April 5, 2018