Cybersecurity – The Weak Link in M&A Due Diligence?
Cybersecurity has become one of the biggest risks in business today, but in M&A due diligence of the risks associated with cyber the cyber supply chain and the successful integration of IT within target organisations has been woefully overlooked.
This is borne out by research, including a study of more than 2,700 IT and business decision makers by Forescout:
> 53% of organisations reported they had encountered a critical cybersecurity issue or incident that put an M&A deal in jeopardy
> 65% of respondents said they had experienced buyers’ remorse because of cybersecurity concerns after closing a deal
> Only 36% strongly agreed that their IT team is given adequate time to review a targets’ cybersecurity standards, processes and protocols before deal closure
> Among CIOs, only 37% strongly agree their team has the skills necessary to conduct a cybersecurity assessment for an acquisition
Security incidents can expose sensitive or strategic data, incur legal penalties, damage customer loyalty, and cause irreparable harm to company brand and reputation. Conducting a thorough investigation of a target’s security posture not only helps you gain a full picture of risks, it affords the opportunity to mitigate any vulnerabilities before acquisition to ensure maximisation of shareholder value, as well as enable a seamless transition period post-closing.
Can TPRM Processes & Practices Enhance M&A Due Diligence?
Shared Assessments has developed a “Best Practices Guide” for adapting TPRM methodologies and practices in order to improve the depth and quality of cyber due diligence applied to M&A activity. Using TPRM Best Practices and Tools to Inform M&A Transactions outlines specific best practices to help lower risks, discusses acquirer and target viewpoints, provides how-to guidance, and includes practitioner Guideline Tools
Third-Party Risk Management (TPRM) practices are ideally suited to enhancing M&A outcomes. TPRM best practices can be applied broadly to due diligence for any transaction, not just to those risk areas that are typically associated with outsourcing to Third Parties. TPRM is agile enough for M&A’s quick turnaround timelines. The skilled resources required to apply TPRM processes and tools to M&A settings often already exist within organisations under the umbrella of vendor risk management.
By applying the TPRM lens, tools and techniques to M&A discovery processes, a degree of incremental risk can be examined that may otherwise be overlooked, identifying a wider range of risks deeper in the supply chain than is typically achieved in M&A due diligence.
Risks examined can fall across any functional area of an organisation, including the acquiring line of business, business operations, information/cyber security, technology, human resources, physical security, business continuity, Third Party management and oversight, negative news, etc. These risks can be assessed and analysed using existing TPRM tooling and processes throughout the M&A lifecycle as illustrated below.
M&A Phases and Related TPRM Best Practices. Copyright Shared Assessments, 2020
Incorporating proven TPRM practices into M&A activities can provide greater visibility into issues across all phases of M&A due diligence and can yield significant results:
- Efficiency: The information gained through adopting this approach can be expected to improve the efficiency of M&A due diligence, inclusive of continuous monitoring.
- Transparency: This deeper insight can also provide greater transparency throughout the deal. For instance, an improved understanding of risks can be gained about a target company’s geofootprint, financial standing, use and connections to Nth Parties and other essential intelligence. This risk-focused intelligence in turn better informs an early understanding of the consolidated deal risk profile, which can then be examined in greater depth as the deal progresses.
- Effectiveness: By incorporating TPRM best practices into integration planning, potential issues can be revealed early in the deal, exposing latent integration issues and provides the basis for a risk-based, and prioritized deal action plan that can be more effectively executed.
As Shared Assessments conclude in the paper : Because TPRM tools and oversight processes provide such a powerful model for many aspects of M&A due diligence, the risks and opportunities associated with any transaction will come into significantly sharper focus. Throughout the M&A process, all significant risks, including cyber risks, should be brought to the attention of acquirer C-suite management and boards of directors. The board can then make informed decisions and re-examine the organisation’s risk appetite to ensure that known impacts related to the acquisition are taken into account during the deal.
Using this best practice approach to due diligence provides defensible evidence in the event that something comes to light after acquisition that is of negative impact.
Delivering comprehensive insight into IT Risk throughout the M&A lifecycle
DVV Solutions are your trusted partner in M&A cyber due diligence – whether you require support in developing the frameworks and automation tooling to maximise your internal team’s efforts or a permanent, outsourced resource to deliver consistent cyber risk and IT integration assessments on-demand.
Using industry best-practices DVV Solutions has created a suite of M&A Cyber Risk and IT Integration Assessments that add scale and quality to M&A cyber due diligence for your potential acquisitions and the third-party suppliers they rely on.
Contact Us today for a no-obligation consultation.
Learn more about What We Do.