This article first appeared in the August 2023 issue of Financier Worldwide magazine. Permission to use this reprint has been granted by the publisher.
FW: Could you outline some of the main reasons why cyber risk should be considered an important part of an acquirer’s due diligence process?
Owen: Assessing the impact of a cyber incident or data breach on the financial and reputational health of a company is essential to any due diligence process. Cyber risk can have significant impact on a company, from operational downtime and financial effects to punitive regulatory and legal actions, not to mention reputational damage and a loss of trust among customers and clients. Put simply, threats continue to evolve, shaped by rapid technology adoption and global digital interconnectivity, making cyber risk a strategic and board-level issue for every company. Understanding cyber risks and the exposure of a company to past, present and future incidents, including its ability to recover from an attack, can make or break a deal. It is why we are seeing acquirers put more emphasis on evaluating the viability and risks of a potential investment.
FW: In your experience, do acquirers generally pay enough attention to cyber risks during a deal? To what extent is awareness of the issue increasing?
Owen: Many acquirers still fall into the trap of seeing cyber risk as an IT-only issue, rather than as an enterprise-wide risk that can impact reputation and financial standing. The scale of cyber threats and the importance companies place on technology and data mean cyber due diligence should be routinely factored into the pre-acquisition decision-making process. The good news is that awareness is increasing, particularly where the target company has a large digital footprint, or where there is a high perceived level of risk based on its location or sector. Tighter regulation is helping. Deal teams are also using cyber diligence to identify existing or future risk challenges, inform negotiations and assess the cost of post-deal remediation and integration. We have also seen some acquirers use company-specific findings to develop a wider benchmark of the risks related to future acquisitions based on bespoke thresholds and risk-tolerance levels.
FW: What are the potential downsides for buyers that fail to conduct a thorough cyber risk assessment on a target company before closing a deal? What kinds of liabilities and threats to post-deal value creation might arise?
Owen: Unknown cyber breaches in a target company can lead to financial, reputational, regulatory and legal impacts on the company, including fines from regulators, legal action from affected customers and clients, and loss of customer and market reputation and trust. All of these can have long-term impacts on the financial value and market position of the target company. Growing regulatory attention and public awareness of data breaches mean companies are increasingly scrutinised, not just for the breach itself, but also their response to and handling of an incident, which can prolong and exacerbate the impact on its financial and public standing.
FW: What steps should an acquirer take when conducting cyber due diligence? What key aspects need to be analysed?
Owen: A red flag or more comprehensive process would always commence with an outside-in approach, involving a passive online and technical assessment of the target’s perimeter security. The objective here is to uncover evidence of any undisclosed or unknown cyber incidents, as well as the intent and capability of cyber threat actors to exploit any identified vulnerabilities. This would then inform the level of security controls needed to mitigate the threats the target faces. In more complex or high-value investments, an inside-out phase is required to assess the maturity of the company’s security controls, based on the threats it faces and industry good practice, typically involving a review of policies, interviews with key stakeholders, and a National Institute of Standards and Technology (NIST)-based questionnaire. Regardless of whether this is a red flag or more comprehensive approach, the purpose is to arm the acquirer with a clear picture of the cyber risks it is taking on through its M&A process.
FW: Are there any typical red flags that might suggest a target company has cyber security vulnerabilities or weaknesses in its network infrastructure?
Owen: One clear red flag would be where a target is named on a data leak site, suggesting threat actors have already exploited a weakness in the target’s IT estate. Similarly, if the diligence identifies exposed credentials on a cyber criminal forum or marketplace this could constitute a significant exposure that could facilitate an attack. A target’s threat profile, including its sector and geographic footprint, provides vital context. Those that hold sensitive intellectual property (IP) or large amounts of personal information can also be a red flag if the due diligence process identifies evidence or indications of past breaches and technical vulnerabilities. Other red flags include poorly maintained web-facing infrastructure, inadequate mechanisms to detect, measure and manage cyber risks, and limited education of staff to ensure they can identify, manage and report social engineering attempts; in other words, is the company practising good risk management across the three pillars of cyber security – people, process and technology?
FW: In what way can new technology enhance the cyber due diligence effort and validate a target company’s defences?
Owen: Automated tools that passively assess traffic leaving a network can be a cost-effective way of initially evaluating a target’s security posture. We are likely to see continued automation of these tools, including by integrating threat intelligence to help contextualise the vulnerabilities identified in the scanning process. This will be beneficial for acquirers because it will make scoring vulnerabilities, which is typically quite arbitrary, a more valuable metric of risk versus threat. That said, it is important to recognise the limitations of these tools and the need for human analysis to supply the context and nuance they do not provide and answer the ‘so what’ question. A passive and non-intrusive technical scan of a target organisation’s web domains is also needed to avoid violating computer misuse and other relevant legislation.
FW: Looking ahead, do you expect cyber risk to continue climbing the M&A risk register? How do you expect cyber due diligence procedures to evolve?
Owen: Cyber risk is rightly climbing up the M&A risk register process, reflecting its increasing visibility as a board-level issue for many years now. Identifying these impactful and sometimes existential risks in M&A diligence is simply good risk management practice. It can help shed light on issues that would otherwise remain hidden, while in a post-transaction context it can also help protect value, prioritise remediation and minimise regulatory exposure, often at a portfolio-wide level. Cyber diligence is today much more tailored to the risk scenarios of the target company. For example, if the target is a manufacturing company there should be increased focus in the diligence process on critical third-party supply chain relationships, or on indications of past breaches or inadequate controls in the event the target company holds highly sensitive IP or large amounts of personal information. In other words, cyber diligence is at its best when it is tailored to the target company’s unique threat profile and risk context.