If you are involved in a Private Equity Group (PEG) considering an acquisition, you have likely begun the due diligence process. While you are evaluating the target company’s financial statements and other key indicators, it’s also important to assess another critical element of the business – the firm’s cybersecurity risk exposure.
Risk Assessment
When conducting due diligence, it’s vital to have a competent, trusted risk assessor go into the target on your behalf and give you an objective assessment of the company’s controls. While you can rely on third-party acquisition reports from a trusted source, they may not include information that identifies and addresses your specific concerns.
Compromises and incidents are going to happen, because there’s no such thing as zero risk. The real question is whether the target has reasonable protections and controls in place so it can identify potential issues in a timely manner and react quickly, rather than allowing these issues to linger for months or years.
A prior breach does not automatically make the company a bad acquisition target. However, the company needs to have an information security program that is reasonable and appropriate for the size and complexity of the organization, along with evidence that the program is actually implemented and operating, not just documented.
As part of your due diligence, you first want to identify if the company has any known data breaches.
Second, the diligence should focus on the key areas of cybersecurity, which essentially comes down to, “How do you know if you have a problem?”
The answer comes from effective logging and monitoring of systems and user activity; from understanding what normal and abnormal activity look like in that environment; and from having a mechanism in place that actively and consistently alerts the target when there is a problem.
Identifying Processes
Policies and governance are important, but you also need to look at what processes are in place. Sometimes this is as simple as asking for a copy of the company’s most recent risk assessment.
Getting a year-over-year look at the target’s risk assessment, and the overall risk-management plan, helps you determine if it was a comprehensive assessment done by a reputable third party. It also helps you understand how risk is being tracked year over year and provides insight as to whether this organization understands that it has risk and what it is doing to manage it.
Be sure you enter into the acquisition with eyes wide open, so you can make informed decisions about what is good in the organization and assess the critical and minor issues.
The key is understanding why you are acquiring the target and what your future plans for it are. With that understanding, invest adequate resources to conduct a thorough, customized risk assessment so you can confirm the target acquisition is an appropriate fit.
Van Steel is a Senior Manager in LBMC’s Information Security division.