© 2020 RSM US LLP. All rights reserved.
Cybersecurity and Data Privacy Due Diligence
Enhance deal value through minimized risk
When considering a transaction, most executives understand the value of performing financial, tax and legal due diligence. However, IT security and data privacy can also have a significant, often hidden, impact on a deal. Answering critical questions can reveal the risks and potential costs that insecure systems, immature security processes, inadequate data handling or potential breaches can impose on a transaction.
Buy-side cyber due diligence
When looking to make a strategic purchase, acquire a platform or undertake a carve-out, organizations are finding it necessary to integrate buy-side cybersecurity due diligence into every transaction no matter what the industry. RSM US LLP’s cybersecurity and data privacy due diligence provides a detailed examination of the security of a target, and can help evaluate the types of information found within an organization and the risk profile of the types of data the company is holding.
Cybersecurity and data privacy due diligence can reveal vulnerabilities that could require significant expenditures for the acquiring company, while at the same time uncovering latent risks and possibly mitigating future damage to the acquiring firm’s reputation. Our goal is to protect our clients, rate the risk of the target and provide cost-effective guidance on increasing the cybersecurity posture and maturity of the acquired company post close.
Sell-side cyber due diligence
For an organization that is positioning its company for sale or carve-out, the executive team must understand the importance of cybersecurity and data privacy to buyers. Cybersecurity and data privacy should be addressed months before a transaction takes place. Planning helps to facilitate a much smoother transaction process and can aid in enhancing the overall price of the deal.
Cybersecurity and data privacy due diligence for sellers entails integrating a robust data security framework with appropriate controls, and identifying any systemic gaps or vulnerabilities within that framework that may have been introduced to the company through a previous lack of appropriate security governance and technical oversight. Starting early gives the sellers lead time to manage identified issues and implement appropriate governance and risk control programs prior to sale. This reduces the risk of a security incident or data breach occurring during the lifecycle of a deal, and more importantly, reduces the chances that remediation will need to be carried out during negotiations.
RSM’s proven approach
RSM has a proven and repeatable cybersecurity and data privacy due diligence methodology, and experience executing hundreds of projects around the world. We recognize that different deals require different levels of due diligence based on each organization’s unique transaction.
Having a clear understanding of a target’s cybersecurity landscape is an essential step to mitigate loss of value caused by vulnerable applications, infrastructure and people. Our three-step approach ensures appropriate insights are used to arrive at sound risk assessments and recommendations so the value of your investment is protected.
Assess and evaluate
We identify the internal and external cyberthreats to the underlying business and review the security environment to understand the risk exposure and vulnerability of an organization. This is an essential step for developing a risk management approach to minimize financial losses from unexpected security incidents.
Quantify and prioritize
After the assessment phase, we perform a “what-if” analysis and calculate the impact of each risk scenario on the organization by leveraging the RSM-sponsored annual NetDiligence Cyber Claims Study. The study provides cyber claims data from multiple insurers; this combined pool of claims is large enough that it allows us to ascertain real costs and project future trends. Next, we estimate the likelihood of each risk scenario based on the security controls implemented in the organization. Combining the impact and likelihood of each risk allows us to prioritize remediation efforts with our clients that will support the comprehensive data security remediation road map.
Develop risk management road map
Once prioritization is done, we then develop a high-level risk management strategy and post-close road map to remediate those risks above the appetite threshold for the investor and deliver transparency around cost and time for resolution.
The RSM advantage
RSM’s cybersecurity and data privacy professionals have experience creating security governance for organizations that do not have personnel with deep internal cybersecurity and data privacy subject matter expertise. Our approach is flexible so that it can be tailored to fit a variety of environments and industries, to help create a pragmatic and actionable risk management road map. We help our clients assess compliance, governance and vulnerabilities within target acquisitions, and ultimately, provide insight on how to best implement an effective risk management program.