Cyber Due Diligence: Benefits and Best Practices

Whilst some of the benefits of cybersecurity due diligence may be obvious, others are less straightforward:

Cyber due diligence can be carried out at three key stages in the deal lifecycle.

Pre-acquisition: Illuminating hidden vulnerabilities

Traditionally, pre-acquisition due diligence zeroes in on financials, operations, legal, and, more commonly now, technology and IT.

However, for high-value and complex deals, when dealing with highly digitised businesses or businesses that inherently are under increased cyber threat, such as those that process a large amount of personally identifiable information (PII), more robust cybersecurity due diligence should be intertwined into traditional due diligence processes.

In a recent engagement, a client was concerned by the storage of credit card information by an acquisition target and associated Payment Card Industry Data Security Standard (PCI DSS) compliance risk.

On carrying out cybersecurity due diligence, more deep-seated problems came to light in addition to the PCI DSS risk. Legacy systems, believed to be reliable, revealed several significant security vulnerabilities. 

More alarmingly, sensitive guest (PII) lay exposed, vulnerable to potential breaches. These insights weren't mere data points. They were powerful negotiation tools, ultimately compelling the target company to address and rectify these issues.

By integrating cybersecurity due diligence into pre-acquisition checks, not only did the deal proceed, but it did so with significantly reduced financial and reputational cyber risks.

Post-acquisition: Addressing issues to align systems

Once the acquisition is complete, practical work begins to address identified issues. The insights gained from cyber due diligence play a defining role in shaping the company's technological trajectory.

This phase plans business and technology strategies for the next three to five years, rooted in cybersecurity best practices.

Pre-divestment: Preparing for deals to strengthen positions

Pre-divestment cyber security due diligence can be key to ensuring that cyber issues do not delay a deal or, worse, impact disposal valuation.

Recently Nicolson Bray was engaged by a SaaS provider in the education sector for a pre-divestment security review.  On inspection, their software development processes were robust, and their product secure. However several significant issues were discovered in the infrastructure the product was hosted on, again putting highly sensitive PII at risk. 

Having gained a detailed understanding of the business and technology architecture, we were able to recommend key cyber security improvements, which they implemented prior to beginning the disposal process. 

The outcome was a smooth divestment six months later.

Whether it's pre-acquisition, post-acquisition, or on the eve of divestment, timely and comprehensive cyber security scrutiny can prevent disruption and preserve deal value.

The following steps describe the cyber due diligence process.

1: Business-level risk identification

Initially, it is key to identify business-level risks related to the industry sector and relevant regulations, geography, sensitive R&D and business operations.

For instance, where a company’s intellectual property is core to its value, relevant protections should be implemented.

2: Cybersecurity governance evaluation

To understand if a business manages its cyber or information security risk properly, it is important to understand the governance structures that have been put in place.

How robust is the approach? What reporting is provided to senior management and the board?  Are information security responsibilities defined and understood at all levels in the business?

Lack of transparency and consistency here can lead to unknown information security risks.

3: Third-party and supplier evaluation

Recent high-profile supply chain attacks such as Solar Winds have highlighted that potential risk is not solely held within internal business operations.

Understanding the cybersecurity risk stemming from vendors, suppliers, and business partners is now crucial.

Reviewing a business’s key third-party relationships forms a core part of cyber security due diligence.

4: Technical security review

Every company's cyber framework has its strengths and weaknesses. Pinpointing control gaps, outdated systems, and other vulnerabilities clearly identify where remediation is required.

By reviewing technical controls, it is possible to understand the technical improvements that will be required and their associated costs.

5: Technical testing

Going further than an architectural review, high-risk areas can benefit from in-depth technical testing. This can reveal unknown coding and configuration errors, which could lead to a data breach.

For instance, in the case of SaaS providers, it can be beneficial to carry out a penetration test on the core product to identify vulnerabilities and weaknesses.

6: Final analysis

The final analysis brings together the output from the preceding steps and comprehensively describes the target company's cyber risk landscape.  The key is a prioritised list of the actions needed to bolster its defences and mitigate cyber risks.

Nicolson Bray’s tailored cyber health check penetrates business and technical aspects to provide deal teams with first-class insight into target company and PortCo cyber threats.

Focusing on analysis-driven real-world business risks, our due diligence assessments are instrumental in shaping pre- and post-acquisition cyber strategy and give concrete and pragmatic advice.

We deliver to tight deadlines, suiting deal timelines without sacrificing precision and detail.

When it comes to translating complex cyber findings, our reporting is crystalline, and we’ll work with you to gauge the practical next steps.

For more information about our expertise and offerings, learn more here.

FAQ