What keeps the CISO awake at night?

Part 4 – How do I assess the cyber security risks of a company we want to acquire?

Cyberattacks are more sophisticated, frequent, and widespread across all industries than ever before. It should therefore come as no surprise that Private Equity (PE) firms and their portfolio companies are also targets. According to PitchBook, three British Private Equity firms were “tricked into making wire transfers worth a total £1.1 million…following a sustained attack by cybercriminals.” PE firms make attractive targets for attackers for a few reasons. Firstly, they tend to manage lots of capital and hold a large amount of sensitive information, and yet typically have small IT and cyber teams. Portfolio companies’ cyber defences typically lag behind companies in other financial services sectors. Some of the threats faced by PE firms and their portfolio companies include:
  • Malware including ransomware, which is where a malicious attacker encrypts a victim’s files and demands a ransom to restore access to the data, or threaten to release data to the public unless the ransom is paid;
  • Email based attacks including phishing, where a malicious attacker attempts to trick a user into transferring money or giving up their credentials;
  • Supply chain attacks and breaches through third parties, where a weakness in the controls of a third party or within the supply chain, could result in a breach of an organisation’s data; and
  • Insider threat, in which a disgruntled employee may try to cause business disruption or exfiltrate sensitive data. The likelihood of such behaviour increases when personnel are worried about job security.

So what should PE firms do?

As part of the deal lifecycle or M&A process, PE firms should consider cybersecurity by stages:
  • Before the Deal: Buyers should perform a relatively light-touch security or threat assessment on the acquisition target company to gain an understanding of any reported breaches or information that could be reputationally-damaging. This can be done through a dark web analysis and social media analysis of the company and key personnel.
  • Cybersecurity due diligence during the Deal: Perform an independent cybersecurity assessment to understand the maturity level of the target company’s cybersecurity controls and defence posture. Consider a penetration test or red team exercise to test the company’s defences.
  • After the Deal: Deploy remediation to strengthen security controls, and perform regular assessments to continuously monitor the health of the portfolio company’s cybersecurity posture. Implement a threat detection, response and recover capability.  It is important for the Board to keep in mind some vulnerabilities can be quickly fixed, but others may require a longer-term remediation.

What should you assess as part of a cyber due diligence assessment?

To assess a target organisation’s cybersecurity posture, it is worth considering the following questions:
  1. Does the company have well-defined roles and responsibilities for the delivery and management of cybersecurity?
  2. Does the company have a solid understanding of the relevant regulations and legislation relating to cyber which impact it?
  3. Does the company have a cybersecurity awareness and training programme for its staff and workers? In particular, is the Board security-literate?
  4. Does the company know what and where its IT and information assets, are?
  5. How does the company ensure that only authorised people have access to its information resources?
  6. Is the company able to detect and respond to cyber threats?
  7. Is the company able to recover from a cyber incident and restore lost data?
  8. What security management is performed over third-party suppliers and vendors?
We recommend basing the assessment on a well-known industry framework or standard such as NIST. This may be an eye-opening exercise, because the findings are often stark, but using a framework enables completeness of the assessment. How you then prioritise remediation is a strategic question based on risk appetite. It’s never too late to start your cybersecurity journey, no matter where in the deal cycle you may be. Check out our other articles for further insights, such as the one on the Verizon 2021 Data Breach Investigations Report. If you’d like assistance with assessing or strengthening your cybersecurity, then why not get in touch on +44 203 603 4733 or email us at info@324consultancy.com.