In recent decades, portfolio companies have driven incredible value creation for deal teams through the use of technology. Increasingly it can seem anachronistic to even talk about “technology companies”. From pharmaceuticals through farming to financial services, every company is looking at how they can leverage technology to maximise value.
However, in an age of rising cyber threats, “leveraging technology” can be roughly paraphrased to “increasing cyber risk”. There are already high-profile examples of what can happen when these risks are not addressed. For example, in their 2016 purchase of Starwood hotels, Marriott did not identify a 2014 data breach that ultimately cost the firm hundreds of millions of dollars in fines, fees and reputational damage when it was revealed in 2018.
In an age of rising cyber threats, “leveraging technology” can be roughly paraphrased to “increasing cyber risk”.
Unsurprisingly, deal teams and general partners everywhere are looking for ways to minimise these risks in their transactions. In many cases, they have reached for cyber due diligence – a critical review of an investment target’s cyber security practices, culture and resilience – to achieve this.
When done well, cyber due diligence gives a clearer view of the cyber risks present in a target, the potential costs of managing those risks, and an opportunity to factor those into pricing and valuation. However, it is not a straightforward silver bullet. It is an assessment of complex risks which is often conducted with limited information under critical time pressure. The wrong approach can leave investors no more informed about the investment target’s risk profile and cyber security costs, as well as having wasted vital days in their deal timeline.
THE VALUE OF CYBER DUE DILIGENCE
Drawing on S-RM’s experience in cyber due diligence, in this article we discuss several critical aspects of the process and how to get the most out of it.
Integrate cyber due diligence into the deal timeline
The degree of cyber due diligence that can be achieved will largely depend on when it is conducted in the deal timeline. If it is conducted pre-exclusivity, this can limit the exercise to assessments done without the involvement of the target company. If conducted during exclusivity, then you are likely to have access to a greater depth of information from which to draw more confident assessments of the state of a target’s security.
External technical assessments, threat intelligence, data privacy reviews and personnel reviews can offer valuable insights and be accomplished pre-exclusivity.
There is, of course, often great value in pre-exclusivity diligence. External technical assessments, threat intelligence, data privacy reviews and personnel reviews can all offer valuable insights and can be accomplished pre-exclusivity. The exercise also enables any identified issues to be addressed earlier. For example, it is possible to detect a range of vulnerabilities in public-facing infrastructure, including insecure network settings, insecure DNS configurations and poor endpoint security which indicate deficient cyber security practices. Similarly, analysing a target’s public privacy policies and documentation with reference to applicable data privacy laws can identify any potential compliance shortfalls.
However, it is important to understand the limits of pre-exclusivity due diligence. It is only post-exclusivity that deal teams usually gain access to the target company’s people and systems from which to draw detailed conclusions about the effectiveness of their security controls, culture and capability to respond to cyber threats.
On a broader level, cyber due diligence often has to be accomplished within tight deal timelines which limit the scope of the information that can be collected. In these circumstances it is critical that the teams conducting the cyber due diligence have experience working with deal teams and can present a realistic proposal which will add value within tight time constraints.
Match expertise to the target in question
Cyber threats are varied and complex, as are target companies’ systems and the markets they operate in. Due diligence on a standalone Californian healthcare company will focus on different risks than an Indian financial services group undergoing a cloud infrastructure transformation. Depending on the expertise of their in-house team, investors may need to bring in cyber due diligence specialists with experience in the relevant area of cyber security to get the most value.
Clearly, the more in-house cyber security expertise investors have, the better; whether to conduct aspects of due diligence internally or liaise with external partners from a more informed position. More teams are increasingly adding this skillset to bolster their deal-making. We have also seen examples of more technical deal teams (for example those focussing on enterprise software deals or indeed cyber security) aiding colleagues with less cyber experience on specific transactions.
Consider verifying information with testing of controls
Key to most cyber due diligence efforts will be asking the target company a series of questions about the state of their cyber security. Whilst this can be a definitive exercise either way – with respondents demonstrating exemplary best practice or a heap of red flags – it relies on trusting the word of the respondent, and in our experience it can still lead to grey areas where answers are incomplete or unsatisfactory.
In these circumstances, incorporating some cyber security testing into due diligence can be very useful to verify this information – particularly in critical areas. For example, in a recent diligence on a software company whose business depended on a web application, we conducted a penetration test on that application which identified several vulnerabilities which hadn’t been revealed in discussions with their security team. This didn’t prevent the transaction from proceeding. On the contrary, it gave the deal team clarity over important steps to take post-transaction, and we continue to work with that team and their new portfolio company on a roadmap for improvements.
This type of exercise will increase the cost and timeframe of the diligence; however, in certain circumstances, it may be warranted to provide the necessary clarity on a target’s security for a deal to proceed.
Determine relevant metrics to inform decisions
Given the complexities associated with assessing cyber risk, it is important that due diligence provides a deal team with actionable assessments on which to base investment decisions. Often the most useful information comes in the form of risk ratings relative to peers in the target company’s sector, or measurements of the potential cost of a breach or of remediating critical vulnerabilities. Investors may also want to ensure that the target is assessed against a recognised body of controls like the CIS Top 20 or aligned to a framework such as the National Institute of Standards and Technology Cybersecurity Framework.
In this regard, it is important to establish early which metrics are going to be relevant to decision-making so the diligence process can be designed to capture the pertinent information.
It is important that cyber due diligence provides a deal team with actionable assessments on which to base investment decisions.
Reports should be clear about risks, costs, and timeframes
Even high-quality cyber security due diligence can be undermined when the its output – report outlining findings and recommendations – is not targeted properly. Achieving this means translating technical and administrative controls into cyber risks and projects, which can in turn be easily digested, and therefore actioned, by deal teams.
This translation is most successful when risks are presented with an explanation of how they contribute to the overall risk level of the target, as well as how much cost they would drive during a potential incident. Furthermore, proposed projects to address these risks should be presented alongside cost estimates for completion, the likely timeframe and level of effort involved, and what degree the target’s overall risk can be reduced by completing them. By framing reports in this fashion, the cyber due diligence findings will fit intuitively into the deal team’s decision-making and valuation process. Deal teams will be able to weigh risk reduction against the cost and time for completion, resulting in a prioritised roadmap based on a coherent methodology.