ISSUE 4 | 2021
CYBER DD PRINCIPLES

Some of the key principles to follow in a cyber due diligence process are as follows:

• Alignment to business goals and expectations: businesses usually look to identify significant vulnerabilities and threats that could lead to unexpected expenditure in the future, so the focus needs to be on risks that could have a significant business impact.

• Defining and prioritising scope: in most cases the cyber due diligence process includes an assessment of the technical control environment and often uses technical tools to reach some certainty that there are no dormant threats in the network. Without a defined technical scope and prioritisation, these tests can easily become misaligned with the business goals.

• Assigning the appropriate team: from a broader perspective, the cyber risk due diligence team should include people from both the business and the security, IT and networking functions.

• Ensuring external professional support: in most cases identifying and 'flushing out' dormant threats inside a network requires non-routine professional IR (incident response) and forensic capabilities that most companies do not have, which means relying on dedicated external professionals.

• Prioritise Cyber DD: despite the increasing importance of cyber due diligence, it is often the last part of the process to be carried out. This puts it under pressure to deliver results quickly, as the business is anxious to finalise the M&A deal. The cyber due diligence process needs to be given the necessary time to deliver quality and effective results.

• Having a high-level understanding of the security requirements in the integration process: due diligence processes usually create a remediation/work plan, with some tasks planned to be executed prior to signing the transaction and some planned for the integration process post-deal. It is essential to evaluate the complexity of these tasks against the cyber maturity of both companies and get a sense of the effort, cost and other consequences affecting the integration process.

Following a cyber risk management methodology can simplify the M&A due diligence process and create valuable results. Approaching the due diligence process from a NIST Cybersecurity Framework perspective, for example, will be both easy to execute and result in a meaningful way to report the results back to the business for it to understand and evaluate. In addition, integrating the most common cyber threats into the evaluation process will improve the relevance of the results and direct the business specifically to the areas that can have the biggest impact on it. Combining the NIST Cybersecurity Framework with current threat analysis will produce some of the key topics to concentrate on, including: prevention, detection & response, incident and crisis management, and third-party risk management; and finally governance and compliance, which can have significant repercussions, especially where the regulatory landscape expands, or as a consequence of the M&A activity itself.
OPHIR ZILBIGER BDO GLOBAL CYBERSECURITY LEADER
ophirz@bdo.co.il