Rise of Cyber Risk Assessments in M&A Due Diligence Processes

Due Diligence Cybersecurity Assessment

Mergers and Acquisitions: A Testament to a Quicker Economic Recovery

According to a report released by The Economist in early 2023, Sweden was ranked as the sixth best country for doing business out of 82 countries listed. After the pandemic, high inflation and increasing public debt squeezed Sweden along with other developed economies, and the war in Ukraine intensified the problem. Despite all the macroeconomic adversities, providing the best conditions for doing business can help an economy recover more quickly. The number of mergers and acquisitions (M&As) in Sweden reaching pre-pandemic levels in 2022 can be seen as a testament to this prospect of a quick recovery (Source: Statista).

The Expanding Scope of M&A Due Diligence

Around 600 M&A transactions took place in Sweden in 2022. As with most M&As around the world, legal, financial, and commercial aspects have been the primary focus of the due diligence processes. However, at Cynode, we have observed that an increasing number of legal and investment firms specialising in M&A seek our services to incorporate cyber due diligence into their M&A processes. This is a wise move, as cyber risks can be just as high as, or even greater than, the risks associated with other business functions.

Why Is Cyber Due Diligence Difficult?

M&As are risky transactions with widespread potential repercussions, whether they go through or fail. Many companies can draw on internal and external human and technological resources to measure legal, financial and commercial risks. However, revealing cyber risks is not as straightforward, due to factors intrinsic to the cyber security domain. Some of these factors are:

  • Cyber risk has wide-ranging implications, such as business downtime, financial risk, reputation damage, and regulatory fines. Dealing with these risks requires subject matter experts with an in-depth cyber security skill set, and these experts are hard to come by. Talent scarcity is a real problem. Also, hiring an M&A cyber risk team would not scale.
  • Many companies do not know their digital asset inventory, critical assets and related vulnerabilities. The lack of this information makes it difficult to quantify cyber risk.
  • While due diligence efforts provide a point-in-time snapshot, cyber due diligence should include efforts to uncover breaches that may have occurred in the past.
  • Cyber risk requires companies to be continuously agile against ever-present and ever-changing attacks. The M&A process and the transition period after completion present different types of challenges. A cyber due diligence service should therefore encompass the before, during and after M&A phases.

Cyber Due Diligence (CDD) by Cynode: From Discovery to Resilience, with Speed and Accuracy

Cynode’s CDD offers an end-to-end service, encompassing before, during and after M&A phases, offloading the work for all the relevant stakeholders and without creating overhead.

Cynode Cyber Due Diligence Framework

Before M&A Phase
Focused on discovery, CDD in this first phase includes Cynode’s Cyber Maturity Assessment (CMA) service and tool-based assessments. Cynode’s CMA, centred around the NIST framework, starts with a preparation phase whereby stakeholders are identified, documents are reviewed, and workshops with stakeholders are planned. In the workshop phase, for each business function and for the organisation as a whole, preparedness for all five NIST-CSF capabilities (identify, protect, detect, respond, recover) is identified in detail. In the final reporting phase, Cynode’s security experts document and report their findings along with their recommendations.

In parallel and/or after the CMA is completed, Cynode experts, using a best-of-breed technology set, look for weaknesses, vulnerabilities, and external exposures the infrastructure may have. The target company’s dark web footprint is also investigated.

The discovery phase not only reveals the current security posture of the target company but also provides guidelines for the transition.

During M&A Phase

In this phase, Cynode mobilizes its Virtual CISO capabilities to plan the transition and oversee whether relevant cyber security stakeholders adhere to the defined guidelines. Additionally, critical vulnerabilities requiring urgent fixing are identified, along with key cyber security stakeholders.

After M&A Phase

This phase primarily focuses on improving the resilience of the acquired network and ensuring efficient integration of the acquiring and acquired networks. Working with business stakeholders, existing IT/cyber teams, and executives, the vCISO assigned by Cynode realigns the cyber security budget. Projects are rolled out to consolidate end-user hardware, software, internal platforms, and cloud platforms for operational efficiency and cost savings.

Ongoing initiatives overseen by Cynode, such as asset inventory management, cyber awareness programs, and improvements in service delivery for protection, detection, and response, as well as compliance, help to increase overall resilience.

Why Cynode CDD?

  • An end-to-end service encompassing the before, during and after M&A phases to help both sides transact with confidence.
  • Crafted to be delivered with speed and accuracy, without disrupting parallel due diligence processes.
  • Handled by top industry experts who have worked with a wide range of customers, including small and medium-sized businesses, as well as government organizations and critical national infrastructure.
