My new ebook, entitled “The Cybersecurity Due Diligence Handbook,” is now available on Amazon. It is the first and only book of its kind. Below is its Preface:
Show me a company with weak cybersecurity and I will show you a company with lackluster corporate governance, anemic C-suite leadership and head-in-the-sand operations. That is why there is a new, specialized and complex business demand in the corporate world: cybersecurity due diligence.
Cybersecurity due diligence is rapidly becoming a critical factor of the decision-making calculus for a corporation contemplating a merger, acquisition, asset purchase or other business combination; an organization taking on a new vendor, partner or other alliance; or a private equity firm purchasing a new portfolio company.
In every industry, cybersecurity weaknesses represent a significant threat to the operations, reputation and the bottom line of all companies, whatever their size and wherever their location. Poor cybersecurity at any company creates tremendous risk for any suitor who buys that company, merges with that company, partners with that company or hires that company as a vendor. The mantra underlying cybersecurity due diligence concerns is simple: No matter what the terms, when adding, partnering or working with another enterprise, a company is taking on that company’s data troubles and attendant data risks.
While data breach risks may be difficult to quantify, companies contemplating new business combinations and relationships now recognize that cybersecurity has become a risk category in its own right. Consider corporate business combinations and corporate vendor management:
Corporate Business Combinations. For corporate mergers and acquisitions and other changes in control, vigorous cybersecurity due diligence not only better informs deal terms and deal value but can also signal early deal-breakers, saving buyers from unforeseen financial costs, regulatory liabilities, technological integration headaches or even bankruptcy.
Aside from offering additional opportunities to more closely assess the risk of business combinations, cybersecurity due diligence analysis can impact valuation and contracting issues as well. Without a fully developed understanding of another company’s cybersecurity profile, a company cannot:
- Fully appreciate the value of another company, whether acquisition target, partner or vendor;
- Meaningfully identify and execute whatever opportunities exist for strengthening cybersecurity; and
- Thoughtfully draft data-related provisions in the transaction’s or vendor’s agreements, so that where possible, parties can implement post-transaction cybersecurity solutions.
Corporate Vendor Management. For corporate vendor management, cybersecurity due diligence has become similarly essential. Because cyber-attackers will often traverse a company’s network to gain entry into the networks of its vendors, or vice versa, third-party vendors have become one of the more prevalent attack vectors in recent cyber-attacks; the cybersecurity shortcomings of third-party vendors have become a cybercriminal’s dream.
Cyber criminals have launched some of the most damaging attacks of the past few years through third parties. In fact, numerous studies have shown that third parties represent 40 percent to 80 percent of the risks associated with data breaches. Three recent examples illustrate the issue: 1) CVS confirmed a data breach of its photo service, which remains offline after hackers allegedly breached PNI Digital, a third-party vendor that manages CVS’s photo website; 2) Cal State University was breached through an outsourced firm that provided online courses for violence prevention; and 3) the Army National Guard reports that the data of 850,000 current members have been exposed due to an improper data transfer to a third-party, non-DoD-accredited data center for data analysis.
The use of third party vendors has also become a cybersecurity concern for regulators, including the SEC, FINRA and New York State Department of Banking Services.
Thus, for some companies, including financial firms and banking institutions, third-party cyber-risk management is not only a security function, but also a compliance obligation.
The Evolution of Due Diligence. Given that cyber-attacks remain a steady concern across industries, due diligence teams are beginning to recognize information security as a key data point for decision-making. Due diligence teams have begun shifting their focus from the more traditional information technology (IT) categories of inquiry, such as the state of a company’s technological systems and any associated integration issues, to cybersecurity concerns and questions.
Just as in the financial accounting realm, old and stale due diligence models are being modified and enhanced to address the very real, difficult-to-control and ever-increasing enterprise threat of cyber-attacks. Cyber risks are real and costly, and the most forward-thinking companies assess the cyber health and safety of an enterprise before committing to a significant investment or relationship. Likewise, a company or vendor can strengthen its attractiveness as a partner or a takeover target by conducting “self” cybersecurity due diligence to demonstrate the fitness of its enterprise.
Traditionally, due diligence efforts are geared towards identifying the markets, geographies, technologies, synergies and strategic angles of a business relationship. For instance, at the outset of an M&A deal or a new partnership, due diligence teams scrub financial statements, recasting and recalculating them in every conceivable way to determine the viability, sustainability and profitability of a deal. Due diligence teams have now begun to apply the same energy, breadth and intensity to evaluating a company’s cybersecurity.
This Handbook. The stakes are extraordinarily high for everyone involved when contemplating cybersecurity. That is why I wrote The Cybersecurity Due Diligence Handbook. My goal is to present highly technical cybersecurity subject matter in plain English and to help due diligence teams identify and manage cybersecurity risk. I also aim to create an indispensable flight manual that a due diligence team could use to successfully pilot throughout the cybersecurity due diligence process. I want to empower due diligence teams with a thorough and comprehensive reference resource – no matter how complex and dynamic the merger, acquisition, partnership, vendor relationship or other contemplated business combination and collaboration.
Remember the old commercials for American Express cards, where the company touted its memorable tagline, “The American Express Card, Don’t Leave Home Without It.” I hope my handbook will occupy the same position of unqualified necessity for due diligence teams. For a private-equity team considering a new portfolio company; a business contemplating a new partner, strategic alliance or vendor; or a company mulling over a stock or asset purchase of an attractive enterprise, “The Cybersecurity Due Diligence Handbook, Don’t Leave Home Without It.”