The impact of the COVID-19 pandemic is profound – every business has been touched, forcing many to explore how their organizations adapt to the new economy. Some industries face bigger challenges because of the nature of their business and social distancing ordinances: travel and lodging, restaurants, transportation, oil and gas, and more. With these developments, we can expect more companies to look at business combinations and restructuring their operations. Mergers and acquisitions (M&A) activity will very likely increase in the future.
M&A transactions transfer or consolidate ownership of businesses with other organizations. M&As require a full audit of companies as part of the negotiation, with business valuation as a key consideration. Risk is an underlying factor for value, with cyber security playing an essential part in the evaluation.
A recent (ISC)² study on M&A and cybersecurity showed that cybersecurity infrastructure is “a tangible part” of the value calculation. In summary, the stronger a business’s overall cyber security program is, the more valuable that business becomes. Cyber security is a tangible asset and must be examined during the M&A process.
M&A Tangible Costs & Cyber Security
Organizations involved in M&A must do their due diligence to minimize risk to their potential investment – this includes a review of existing cyber security programs, any data breaches, and how the organization responded to those breaches and remediated them. Past, present, and future ramifications all count towards value. Governance and compliance areas examined for M&As can include:
Board of Directors/Executive Team
- How involved are any members in the cyber security posture of their organization?
- What is the process for communicating cyber security changes, cyber threats, and incidents to the executives?
- Do any members have cyber security knowledge/experience? This is a popular topic, featured in the Cybersecurity Disclosure Act of 2019, which requires disclosure in mandatory annual reports or proxy statements of whether any member of the governing body has cyber security expertise and, if none does, what other cyber security considerations were taken into account.
Risk Assessments & Security Architecture
- What controls and devices are they using today?
- Are they practicing duty of care for their security safeguards?
- What diagnostics are regularly used?
- How do they prioritize their security investments to proactively protect their networks?
- Do they utilize attack path modeling or industry cyber threat indexes?
Incident Response & Resiliency
- How long did it take to detect the incident?
- What is the business continuation plan during and after an incident?
- How well did they recover from the breach?
Policies & Procedures
- Are there clear protocols for employees to follow in case of an incident?
- How are incidents communicated and put into action?
- How quickly are incidents disclosed?
Cyber Security Awareness Training
- Are employees regularly trained on best practices to protect data and networks?
- Do they know where to go if they fall victim to a phishing attack?
If One of the Merging Organizations was Breached
- Will there be a cost after the M&A for lawsuits, fines, remediation, or new equipment, infrastructure and additional resources?
- What impact will there be on the newly merged company’s brand if merged with a breached organization?
Auditing a potential M&A partner is a monumental endeavor – especially in these challenging times. Cyber security can be even more involved, with a new world of remote workers, varying stay-at-home orders by state, changing regulations, and strict budgets and resources. How do you assess what it will take to merge two separate organizations and implement one cohesive cyber security program?
Start the process with an independent information security consultancy that is well-versed in duty of care to guide your reasonable and comprehensive security strategy.
HALOCK is a trusted cyber security consulting firm and penetration testing company headquartered in Schaumburg, IL in the Chicago area servicing clients throughout the United States.