M&A Cyber security due diligence (CSDD)
Data is now the prime asset of most companies and, given the substantial ramifications of a data breach in the context of an M&A, the risk assessment now precedes the financial, tax and legal assessments.
According to the American Bar Association, in the context of an M&A transaction, it is critical to understand the nature and significance of the target’s vulnerabilities, the potential scope of the damage that may occur (or that already has occurred) in the event of a breach, and the extent and effectiveness of the cyber defences the target business has put in place to protect itself. An appropriate evaluation of these issues could, quite literally, have a major impact on the value the acquirer places on the target company and on the way it structures the deal.
Equally, sellers now must ensure they have the required cyber governance systems, risk procedures and a cyber security cultural posture to maintain their value.
Data management and data governance are not confined to particular sectors; cyber security covers the whole spectrum of business and government.
Cyber security due diligence review
Compared to other due-diligence activities such as financial due diligence and management assessment, cyber security is a relatively new topic. The overall understanding of technology and its associated risks is now becoming part of the investor community fabric.
Acquirers should not rely solely on lawyers to manage their due diligence process. Lawyers tend to focus on a company's privacy-related questions, often without the context of how the organisation conducts its business.
Most cyber security issues have their roots in technical issues that manifest themselves as vulnerabilities in networking, access controls, application security and the systems that store or process data. Adding suppliers to the picture introduces another dimension of potential security issues, courtesy of a wider footprint with more people gaining access to systems. It is imperative to assess the business in the context in which it operates and to clearly articulate the implications of the vulnerabilities that have been identified. This is the realm of the specialist security advisor, not an accountant or a lawyer.
Sense of Security uses a Dynamic Risk Assessment (DRA) methodology, which has proved to be the most realistic and accurate indicator of transaction risk. A DRA differs from the traditional, workshop-centric, Q&A-type assessment in which risks are evaluated, consequences identified and treatments proposed. DRAs are test-centric.
This means that we can evaluate both the target’s susceptibility to compromise and their ability to detect, respond, defeat and remain operational through an attack. This is a test of Cyber Resilience and is infinitely more valuable than a spreadsheet risk register or any report that a risk management platform can produce.
What to Expect in a CSDD
It’s imperative that we understand what’s under the bonnet. We employ our specialist technical team to look at the following:
Susceptibility to hacking attacks
- Pen Testing – all the variants
- Red Team Testing
- Phishing
Susceptibility to DoS
Configuration Review
- Many attacks occur because systems/platforms have poor (vendor default) configurations.
- Cloud platform, application and infrastructure reviews
Data Leakage Review
- Determine whether there is evidence that data, personnel details, accounts and credentials have been exposed on the internet/dark web
In conjunction with our technical team, our Cyber Security Advisory will undertake:
Cyber Health Check
- Overarching cyber health metrics
ECSR
- Metrics against standards like NIST/ISO
Data Security Model
- How are they securing data?
Vulnerability Management
- Is there a Vulnerability Management program?
SDLC and DevOps
- Have they got appropriate security across what they are doing?
Supply Chain Risks
- How are supply chain risks managed?
- Link to Development Security: Open Source Software, software composition analysis.
We provide the make-up of the Cyber Due Diligence assessment coverage and the key metrics on which a buyer should base decisions about a target's viability, or on which a seller can determine what is required before a sale.