A transaction can be an exciting time for all parties involved. Amidst all of the excitement, it can be easy to overlook certain aspects of the M&A process. Planning and executing a proper approach to assessing the cyber risk of an organization can save the acquiring company both time and resources. Cyber M&A activities can include various efforts related to screening and assessing targets, integrating target environments and users, and continuous improvements post-integration. Best practices for conducting Cyber M&A include:
- Start the cyber diligence process early: Often times cyber diligence is overlooked until later in the M&A process. Starting cyber diligence prior to negotiating the deal can allow for more impactful and meaningful findings.
- Involve cyber experts: Involving cyber experts in the M&A process will lead to more effective findings. Cyber experts can be in-house team members, or outside resources that have demonstrated an expertise in Cyber M&A. Cyber M&A experts know what they are looking for and know how to create meaningful conclusions.
- Prepare a standard list of document requests: A standard list of document requests will allow the Target cyber team to supply available documentation ahead of the management interview. By leveraging a standard list that includes areas of high maturity, the buy-side team will also identify gaps in the Target’s cyber capabilities or documentation.
- Ask relevant questions during the management interview: Asking confirmation level questions will allow the buy-side team to spend less time on topics outside the scope of the deal.
- Communicate with stakeholders: Any finding could become a significant finding to the deal. All findings should be communicated to the proper stakeholders. An open line of communication with stakeholders will allow critical findings to be effectively resolved in a timely manner.
10 Tips to Success:
- Involve the proper stakeholders and cyber experts early in the deal process
- Include both technical and strategic assessments
- Treat cyber risk remediation efforts different from integration efforts
- Identify the resources responsible for each phase prior
- Leverage common resources across the diligence and integration phases
- Coordinate with other diligence and functional teams to effectively learn from one another
- Prepare a plan for each management interview session that excludes areas already covered by documentation or other interviews
- Ask follow up questions to answers given by management in interview sessions
- Be transparent about risks identified within the target environment
- Raise high risk findings to the proper stakeholders as soon as they are identified
- Not enough data made available to the diligence team within the diligence timeframe
- Low maturity of cybersecurity policies, processes, and programs within the Target environment leaving little to no information for review
- Lack of documentation surround prior incidents or events (especially when Intellectual Property may have been exposed)
- Existing attackers already in the target environment
- Outdated or insufficient asset inventories at the target that do not include criticality of assets
- Unwillingness of target function leaders to share information (typically found mostly in carve out scenarios)
- Insider threats (malicious and unintentional) impacting data availability
- Excitement from deal leadership creating an expedited process and unclear diligence findings
- Unavailability of target leadership causing delays in the diligence process
- Lack of clarity surrounding the deal thesis and the overarching goal of the transaction
Each transaction will share a general process when conducting diligence but will likely include various findings. For someone that is new to Cyber M&A activities, there might be many surprises along the way. Surprises can come from both sides of the deal, including:
- Lack of clarity around the deal thesis from the buyer: The buyer may not provide context for the deal to all diligence teams. Most commonly the buy-side team has a defined deal thesis, reasoning for conducting the transaction, but may not share the goal with each diligence team.
- Target leadership may not share critical information: target leadership may not share critical information to the deal for many reasons. The most common reasons include a lack of understanding, and lack of availability of information. target leadership may also try to “hide” certain information they deem to be harmful to the valuation of the deal.
- The buyer often does not have a direct open line of communication with the target leadership team: In many deals, especially those with large valuations, the target and Buyer will define a standard process of communicating. This process can often include specific channels that each team must use to document any requests or questions.
- Cyber can be seen as a “check-the-box” diligence item: Cyber M&A activities can uncover many gaps in maturity within the target organization. The gaps identified can often be high cost and high effort remediation items if the deal progresses. Leadership may not have the dedicated resources to remediate all diligence findings.
Where Reveal Risk can help:
Our team of Cyber experts can help assess the landscape at potential targets, or ready your environment for an acquisition or divestiture by:
- Uncovering risks, both technical and strategic, within the target environment
- Identifying costs associated with one-time and recurring efforts that effectively achieve the goals of the deal
- Develop an effective integration strategy that enhances your environment while combining with the newly acquired organization
- Creating and refining a repeatable Cyber M&A playbook for use across each phase of a transaction
I have been involved in many Cyber M&A projects, including pre-diligence, diligence, sign to close, and post-close. Throughout my experience I have helped organizations both invest in new companies and divest in existing areas. The projects that I have been a part of have crossed many industries including, healthcare, pharmaceuticals, technology, physical security, manufacturing, defense, and others. The size of the companies I have advised also varies greatly, from small organizations looking to make their first acquisition or sale, to large Private Equity firms looking buy another portfolio company. Through all each project, I continue to learn more about the most effective way to mitigate risk before, during, and after a transaction.