In a recent post, we highlighted some pitfalls that can mangle a transaction and expose the acquiring company to additional cyber risk when undertaking targeted acquisitions. For investors, however, the mechanics are somewhat different, and other considerations should be taken into account to ensure cyber risks are correctly identified and formally accounted for. Thoughtful analysis of the threat landscape in conjunction with the deal thesis can help ensure that invested capital reaches its desired returns.
There are some meaningful activities that investors should look for when conducting Cyber Due Diligence on new investment targets.
Differences in Diligence Activities
Traditional diligence activities – financial, tax, etc. – are well-defined, commodified, and can be conducted by any number of advisors. These activities are typically focused on validating assertions and measuring compliance. At best, even the Privacy and Security portions of these workflows become cursory examinations.
On the other hand, a thoughtful Cyber Due Diligence engagement looks to identify risk (not compliance status) and should offer solutions to those risks. These activities are also often complicated by tight timelines, a competitive deal landscape, and limited access (if any) to information systems, source code, and traditional risk management activities like a penetration test or risk assessment, which are impossible to conduct in most deal scenarios.
Instead, Cyber Due Diligence should focus on three key areas: external Threat Intelligence and Attack Surface, internal control posture and governance maturity, and interviews with security leadership.
External Threat Intelligence and Attack Surface
When evaluating any potential investment target, it’s essential to understand its digital footprint, particularly as an attacker or other threat actor would see it. Reviewing its digital assets on the surface web and mentions of the company on the deep and dark web can reveal previous breaches, ongoing reconnaissance efforts, or exposed vulnerabilities.
Once these potential threats are identified, the information can be analyzed in light of the target’s internal control posture to better quantify the vulnerability. In traditional security theory, risk only occurs when there is a threat/vulnerability pair – if the threat is present, but you are not vulnerable, then the risk doesn’t materialize. Similarly, if you’re vulnerable, but no threat appears, then the risk is also minimized. Before jumping to conclusions based on the External Threat Intelligence and Attack Surface analysis, understand how the target manages these potential risks through your internal control and governance review.
If your diligence activities uncover an area of concern that the target company was unaware of, don’t assume they were misleading or dishonest. The most likely answer is that they weren’t aware – whether because most organizations today have a sprawling digital footprint that’s difficult to quantify fully or because their business lacks the technical security resources to deploy and manage these assets properly. In either case, it’s a good indicator of additional investment that should be made when the deal closes.
Internal Controls and Governance Maturity
Just because something looks like it might be vulnerable from the outside perspective doesn’t necessarily mean it is. For example, an organization may have many email/password pairs compromised in a third-party breach. The risk is likely minimal if the organization has a robust, mandatory Identity and Access Management program that includes both centralized authorization and multi-factor authentication. If, however, no such control exists, then the risk should be acknowledged for its severity.
This process typically involves reviewing collateral provided by the target organization, including security policies, recent penetration tests and vulnerability scan reports, and the latest cyber risk assessment. If these documents are missing or materially lacking, it’s a good indicator that the organization isn’t proactively managing its cyber risk.
Interviews with Security Leadership
Once these governance documents have been reviewed and reconciled with the External analysis, your Cyber Due Diligence team should formulate questions for the target’s security leadership to clarify any potential inconsistencies and better understand the ground truth of the security program. Common examples needing clarification could be:
- A vulnerability management policy states all patches should be applied within 90 days, but a recent vulnerability scan indicated that some vulnerabilities had been known for 180+ days;
- A security policy mandates annual penetration testing, but the organization is unable to produce a recent penetration test;
- Whether users must utilize Single Sign On (and the multi-factor authentication that goes with it) for cloud accounts or can sign up directly using their corporate email.
Deliverables for Investment Committees
Like any investment, a Cyber Due Diligence exercise should provide a return on investment. Ideally, that comes in the form of a clear, concise answer to the question of “So what?” No organization is perfectly secure, but what the Investment Committee needs to understand is the following:
- What cybersecurity risks were identified during the diligence process?
- How much impact do these risks pose, and how likely are they to occur in the foreseeable future?
- What is the level of effort (time and cost/resources) to manage the risk down to an acceptable level?
Additionally, these risks need to be filtered through the lens of the deal thesis – something that can be difficult for a purely technical diligence team without commercial experience:
- If the deal thesis involves transforming a legacy technology business built in data centers into a cloud play, there is likely additional risk;
- If the deal thesis includes leveraging an in-house application that’s never been adequately tested, there is likely additional risk;
- If the deal thesis includes rapidly expanding the existing technology stack, there is likely additional risk.
Facilitating a conversation with investors that helps them understand how cybersecurity might delay or derail their growth plans post-investment is critical, as is helping them chart a path forward. It’s exceedingly rare that findings from a Cyber Due Diligence exercise are enough to kill a deal. Occasionally, they will be the nail in the coffin for a deal that was already on shaky ground, but more typically, the findings here need to be accounted for and managed forward.
In an ideal world, these additional risk management activities can be seen as meaningful investments that will support the growth of the business throughout the new investor’s hold period. A well-documented, well-communicated security program should also help justify an increased valuation at the next transaction when another team will undoubtedly pick up the torch and conduct Cyber Due Diligence of their own.
While Cyber Due Diligence remains relatively rare in the investment market today, conducted only by the most forward-looking and innovative investors, the outsized nature of cybersecurity incidents will drive the adoption of this mechanic to the point where it is commonplace in the years to come. Conducting Cyber Due Diligence now – and building a security program within their portfolios that will stand up to the scrutiny of diligence activities in the future – is a wise investment, indeed.