M&A Cyber Security Due Diligence

Transcription

1 M&A Cyber Security Due Diligence Prepared by: Robert Horton, Ollie Whitehouse & Sherief Hammad

2 Contents Page 1 Introduction 3 2 Technical due diligence goals 3 3 Enabling the business through cyber security due diligence 5 4 Supporting post-close integration activities 6 5 Conclusion 6 6 About NCC Group s M&A Cyber Security Practice 7 7 About the authors 7 02

3 1 Introduction There may not be such a thing as a typical merger or acquisition, however, whatever the size, scope, geography or sector, there are common elements that should be considered when it comes to cyber security. A cyber security due diligence workstream primarily identifies and quantifies the risks and liabilities in support of the deal and any subsequent integration. Technical in nature, it is highly focused and is designed to give stakeholders an understanding of any material exposure requiring action either pre or post-close. A full report and read-out will typically be the core means to capture the distilled information and insights along with at least one interim review. However, it is imperative that a deal team receives timely reports of major issues that could have a significant impact on the deal. As such, cyber security due diligence is often tightly coupled with regular touch points outside of formal reporting. While not the primary goal, the findings from this type of due diligence can and do influence whether a deal should actually proceed and at what price. This paper will cover the risks, opportunities and responsibilities associated with cyber security due diligence during the mergers and aquisition (M&A) process. It highlights key questions that should be asked and provides high-level considerations and recommendations for various business functions involved in the due diligence process. The authors have advised on cyber security in pre and post-close due diligence on more than 100 deals over the last ten years, with transactions ranging in size from a few million through to multi-billions of pounds. The total value of the deals that NCC Group has provided due diligence on during this period is more than 100bn, and of those we have advised on, 98 per cent have completed successfully. 2 Technical due diligence goals Identifying risks and liabilities is the main focus of any due diligence process. These could be: Actual liabilities in terms of compliance with, or adherence to standards or regulations. Liabilities in terms of how divergent a target is from the acquirer s internal processes and standards. Therefore what the potential impact will be on the post-close roadmap to integration. Latent security issues in the product/service which might have a reputational, operational, financial or legal impact. All of the above could have a significant effect on the value of the target and repercussions for the acquiring business. Cyber security-related liabilities often centre around previous security breaches. Understanding breaches, their scale and remediation, along with any punitive actions, both settled and pending, is often an imperative. Due to the nuanced nature of cyber security, understanding the quality of any incident response following a breach and subsequent improvements to security goes beyond simply stated compliance. The identification of cyber-related risks and liabilities through technical due diligence covers a number of areas, some of which are described in the following sections. Compliance risks Within any business, the level and type of cyber security-related compliance will vary depending on regions of operation, target markets, sector and whether any customer and/or staff data is held and processed. Understanding cyber security-related compliance and any associated risk gives the acquirer the confidence that the target is not in contravention of any regulatory regimes or, if it is, that the exceptions are satisfactorily manageable. 03

4 Market risks If a product makes claims, or is otherwise marketed based on its inherent security resilience or security functionality, the acquiring company must understand the possibilities or circumstances that would undermine this position. Failure to adequately assess these risks could result in a devaluation of the brand, product or intellectual property, post-acquisition. Technical assets including intellectual property Technical assets and intellectual property can cover a broad range of things, including proprietary software, hardware and services that are sold to customers and even back-office IT functions and line of business applications. Understanding any inherent security weaknesses, associated risks and likely future levels of investment required should be a key business consideration. This understanding allows the acquirer to be aware of any short-term liabilities while also knowing what level of capital and operational expenditure will be required to bring it in-line with its own risk appetite. The acquirer may also stipulate that certain improvements need to be made prior to deal completion if the risk presented is significant. Operations Operational security due diligence often builds on the understanding gained through the analysis of compliance, technical assets and intellectual property. It does so by assessing people, policies, procedures, physical assets, suppliers and supply chains from a security perspective. Identifying operational security risks and the costs to remediate allows the acquirer to build accurate investment plans as part of its post-close integration strategy. As with technical asset and intellectual property assessments, in certain situations the acquirer may also stipulate that certain improvements need to be made prior to completion. Integration Integrating the newly acquired business into the acquirer s environment can be a complex operation given the technical and operational risks associated with this type of activity. Understanding this risk and complexity allows for informed planning and investment decisions. The result is that the integration will have tactical or strategic elements that minimise or bring in-line key identified risks within appropriate timeframes. 04

5 3 Enabling the business through cyber security due diligence Cyber security due diligence can help support decisions at all stages of a deal by answering key questions and discovering facts to help businesses make informed decisions. Key questions What is known about security? During the process, new information and context around security and associated risks will be uncovered. Some will be technical, others will be governance or risk-related, but all will have the potential to provide insight and a sense as to how the target treats security, its level of understanding and any future challenges. What are the risks? One of the specific outputs will be identified risks that cover the areas previously discussed. These risks will be presented in the context of the specific deal and often with quantification as to their potential impact. How does the target compare? Often when acquiring a company the acquirer wants to understand if the target is competitive. One of the indicators is how the target compares with its peers, whether in sector, geography or size around security. This assessment allows the acquirer to understand where the target sits in comparison to its competitors and market expectations. What are the future capital and operational requirements? One of the biggest considerations is how much money will need to be invested into any newly acquired entity and what form that will take. Providing indicative costings or effort estimations allows the acquirer to factor this into its post-close roadmap and adjust its business case for the acquisition accordingly. What are the key security considerations for integration planning? Providing insight into what needs to be done within the first 30, 90 and 180 days helps ensure execution is swift and comprehensive. This in turn ensures risk is appropriately managed and return of investment maximised. 05

6 4 Supporting post-close integration activities Once a deal has successfully closed, further value is extracted from the due diligence process as a clear understanding of priorities and risks will have been captured. This insight and knowledge is often supported through a mixture of short and medium term strategic and tactical activities to minimise exposure. Examples of such activities will include: Security Transformation: Strategic programmes of work to transform and/or integrate the acquisition. Risk Management & Governance: Expertise in managing risk in the short to medium term while satisfying compliance issues. Technical Security Consulting: Deep technical expertise in all elements of technical cyber security. Cyber Defence Operations: Ensuring the newly acquired entity is able to detect and respond to cyber security incidents. These streams help to protect the investment in a cost and risk appropriate manner. 5 Conclusion In today s world, most businesses have a significant dependency on technology. As such, the risk posed by poor cyber security to acquirers and investors is ever present. As with existing legal, financial and intellectual property due diligence, organisations need to consider security as part of both their pre and post-close activities. Cyber due diligence is vital for protecting your investment. Having a better understanding of the potential risks and pitfalls from a technical and cyber perspective will help acquirers to get the most from their investment. 06

7 6 About NCC Group s M&A Cyber Security Practice NCC Group s M&A Cyber Security Practice operates globally providing a suite of services to acquirers, law firms and other partners in pre and post-close situations. With a unique blend of M&A process understanding and business driver awareness, coupled with extensive risk and technical security knowledge, NCC Group s M&A Cyber Security Practice provides a unique capability and understanding around cyber security risk, supporting clients including end-buyers, private equity, investors and law firms. 7 About the authors Robert Horton Managing Director robert.horton@nccgroup.trust Robert is the Managing Director for Security Consulting in Europe and non-us territories. He was one of the founders of Mergers and Acquisition (M&A) Cyber Security Practice at NCC Group. Ollie Whitehouse Technical Director ollie.whitehouse@nccgroup.trust Ollie is the Technical Director for NCC Group His experience in M&A due diligence includes leading the engagements on the largest deals ever conducted at NCC Group. Today he is co-principal of the M&A Cyber Security Practice. Sherief Hammad Operations Director sherief.hammad@nccgroup.trust Sherief is the Operations Director for Security Consulting in the UK, Canada & Australia. He is co-principal of the M&A Cyber Security Practice at NCC Group. 07

8 About NCC Group NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.