The frequency of cyberattacks and information security incidents in today’s market makes information technology controls vital. Many organizations may already have an information security framework that they use or a firm grasp on their activities that carry the highest cyber risk. But even if your cybersecurity “house” is in order, you may be unwittingly opening up your organization to cyber risks through your complex transactions.
One of the ways your organization can ensure that it keeps its IT function secure through its various business transitions is to enhance and broaden IT due diligence as part of its buy-side or sell-side evaluations.
IT Security Red Flags
You do not have to dig very far into a company’s IT environment to know there are potential problems. There are several warning signs that a company’s IT security is out of date or potentially risky:
Has The Organization Done Any Recent Company-Wide Cybersecurity Training?
Employees tend to be a major target for cyber criminals. If employees aren’t aware of the role they play in email phishing scams or malicious websites, it could indicate there’s a cybersecurity concern.
Are Computers and Equipment Running Up-To-Date Software and Operating Systems?
Data and networks are much more vulnerable to cyberattacks when software, browsers, and firewalls are not up-to-date.
Is Data Encrypted?
Companies should use a cloud service that encrypts by default. If a target company isn’t taking care of its data, the acquiring company could pay the price for a breach.
Bringing Information Security into the Due Diligence Conversation
Many organizations, including private equity and venture capital firms, use tuck-in acquisitions as part of their inorganic growth strategy. Some form of buy-side due diligence generally accompanies the transaction, but that due diligence may be focused mostly on financial performance. As part of the due diligence process, buyers should be thinking more holistically. There are other risks that could affect a target company’s value, such as the target company’s vulnerability to a significant information security breach.
Because of the risks in the information security space, more companies are opting to include IT due diligence in their pre-transaction analysis. If your company is looking to sell, you should be prepared for the request. You may want to consider an evaluation of your control environment, such as through an IT risk assessment, before you enter into conversations with interested buyers.
Components of Buy-Side IT Due Diligence
Buy-side companies can minimize liabilities and risks during transactions by making sure they have an understanding of a target company’s key cybersecurity and data privacy risk mitigation posture. To do this, acquirers should be sure their buy-side IT due diligence reviews:
- Data privacy protocols
- Educational and training programs
- Any existing insurance policies that could cover losses arising from a cybersecurity/data breach
Additionally, buy-side companies should ask the target company to disclose as much information as possible about any potential cybersecurity issues or risk mitigation plans.
Sell-Side Steps to Improve IT Protocol
When it’s your company being sold, you will be on the other end of the magnifying glass. You should evaluate whether your organization has any of the preliminary red flags and consider when you last underwent an IT risk assessment. A pre-sale risk assessment could be valuable, but it’s a process that will be hard to take on when interested buyers are already at the table. IT risk assessments typically take anywhere from two to four weeks and include:
- Staff interviews
- Thorough review of documents related to security programs and procedures, crisis management and incident response plans, vulnerability reports, responses to incident reports, vendor audits, etc.
- A detailed look at any past cybersecurity incidents, how they were handled, and whether your company has interacted with law enforcement or regulators regarding potential cybersecurity incidents
- Searches on the dark web to see if your company’s data or intellectual property has been compromised and is available for sale
In addition to an IT risk assessment, sell-side companies should consider adopting an information security risk framework like the ones compiled by CIS, ISO, COBIT, or NIST. Following industry-recognized IT risk frameworks could make your organization even more appealing to strategic buyers.
Expert Help with IT Due Diligence
Including cybersecurity in your due diligence approach is just good business in today’s environment. Our world is increasingly digitalized and data-driven, which makes cyberattacks a significant business risk. IT due diligence can help both buyers and sellers get what they want from their complex transactions.
Buyers can ensure their acquisition starts strong out of the gate by understanding how the target company’s information security approach aligns with best practices and with their own information security procedures. Sellers can also set themselves up for success by being able to showcase robust information security protocols and procedures.
For more information on how information security can influence your transaction, please contact us.
Published on October 29, 2019
© Copyright CBIZ, Inc. and MHM. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.