© 2019 RSM US LLP. All rights reserved.
Cybersecurity and Data Privacy Due Diligence
Enhance deal value through minimized risk
When considering a transaction, most executives understand the value of performing financial, tax and legal due diligence. However, IT security and data privacy can also have a significant, often hidden, impact on a deal. Answering critical questions can reveal the risks and potential costs that insecure systems, immature security processes, inadequate data handling or potential breaches can impose on a transaction.
RSM's Colin Zarbough talks with ACG at their 2019 InterGrowth Conference regarding the increasing importance of cybersecurity and data privacy due diligence.
Buy-side cybersecurity due diligence
When looking to make a strategic purchase, acquire a platform or undertake a carve-out, organizations are finding it necessary to integrate buy-side cybersecurity due diligence into every transaction, regardless of industry. RSM’s cybersecurity and data privacy due diligence provides a detailed examination of the security of a target, and can help evaluate the types of information found within an organization and the risk profile of the types of data the company is holding.
Cybersecurity and data privacy due diligence can reveal vulnerabilities that could require significant expenditures for the acquiring company, while at the same time uncovering latent risks and mitigating future damage to the acquiring firm’s reputation. Our goal is to protect our clients, rate the risk of the target and provide cost-effective guidance on increasing the cybersecurity posture and maturity of the acquired company post close.
Sell-side cybersecurity due diligence
For an organization that is positioning its company for sale or carve-out, the executive team must understand the importance of cybersecurity and data privacy to buyers. Cybersecurity and data privacy should be addressed months before a transaction takes place. Planning helps to facilitate a much smoother transaction process and can aid in enhancing the overall price of the deal.
Cybersecurity and data privacy due diligence for sellers entails integrating a robust data security framework with appropriate controls, and identifying any systemic gaps or vulnerabilities within that framework that may have been introduced to the company through a lack of appropriate security governance and technical oversight. This advance timeframe gives the sellers lead time to manage identified issues and implement appropriate governance and risk control programs prior to sale. This reduces the risk of a security incident or data breach occurring during the lifecycle of a deal and, more importantly, reduces the chances that remediation will need to be carried out during negotiations.
RSM’s proven approach
RSM has a proven and repeatable cybersecurity and data privacy due diligence methodology with experience executing hundreds of projects around the world. We recognize that different deals require different levels of due diligence based on an organization’s unique transaction.
Below are the standard assessments we provide to reveal vulnerabilities that could require significant expenditures for an acquiring company.
Red flag assessment
- A detailed review of an organization’s security program and regulatory and industry compliance
- Meant to identify any indications that an organization is noncompliant or if further reviews are necessary
- Focuses on potential large investments necessary to correct evident issues
Security governance assessment
- A detailed review of the target’s overall management of its security program, typically mapped against NIST 800 series, COBIT or SANS top 20 controls
- Outcome is a detailed gap analysis comparing the maturity and management of the security program, including ongoing risk management and tracking metrics, against the specified framework, as well as remediation recommendations and potential costs
- A detailed review of the target’s compliance with specific regulations or standards (examples include: Payment Card Industry (PCI), National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), NERC/Customer Identification Program (CIP), HIPAA/HITECH/HITRUST, Federal Risk and Authorization Management Program (FedRAMP) and various privacy regulations)
- Provides a detailed gap analysis comparing the organization’s current state against the specified framework, including remediation recommendations and potential costs
Basic or advanced security testing
- An analysis of a target’s environment used to discover signs of systemic technical vulnerabilities
- Basic reviews are meant to discover systemic issues, while advanced reviews focus on complex vulnerabilities that are difficult to detect but are likely avenues for advanced attackers
- Meant to replicate real-world attacks and threat scenarios
- Identifies the organization’s ability to prevent basic attacks and respond quickly to advanced attacks
Note: This testing is required to meet several regulations and industry standards
- Meant for organizations that have significant quantities of sensitive data or extensive interactions with individual customers
- This is a deep dive into the legally required privacy requirements dictated by a mix of state, federal and international requirements
- The enhanced version covers applicable state, federal or international legal standards; this includes requirements under GDPR for data collection of any individual in the EU or European Economic Area (EEA), as well as the California Consumer Privacy Act (CCPA)
Cyberthreat intelligence assessment
- Manual and automated searches of deep web and darknet markets, forums and communities
- Attempts to determine if the target is currently, or has previously been, breached
- Focuses on identifying if target organization credentials, data, intellectual property (IP), etc. have been lost
- Identifies if the value of the target will be affected by lost IP, fines, lawsuits, etc.
The RSM advantage
RSM’s cybersecurity and data privacy professionals have experience creating security governance for organizations that do not have personnel with deep internal cybersecurity and data privacy subject matter expertise. Our approach is flexible so that it can be tailored to fit a variety of environments and industries, to help create a pragmatic and actionable risk management road map. We provide our clients with effective services and solutions to help assess compliance, governance and vulnerabilities within target acquisitions, and ultimately, provide true subject matter expertise on how to best implement an effective risk management program.