Due diligence and cyber risk: what impact on audit procedures?
by Carole Hong Tran
Although many companies have experienced a cyber attack, the issue of cyber security is still far too often overlooked when it comes to mergers and acquisitions. However, the perception of this issue is changing. According to a recent study, 90% of respondents believe that a proven cyber attack could lead to a reduction in the acquisition price of the target, and 83% believe that an attack occurring during the due diligence phase could lead to the total abandonment of a deal.
Increasingly aware of this risk, companies are gradually integrating cyber risk into their merger strategies. The objective is simple – to understand whether the merger of the two companies, and therefore their information systems, increases the risk of information leakage, attack, or non-compliance.
There is a major difference between a traditional due diligence and its cyber security counterpart. While accounting and legal rules are clear and shared internationally, there is still no equivalent in the world of cyber security. Standards are multiplying (by type of system, by industry, etc.), and serve as best-practice guidance for companies on how to implement their own cyber security approaches.
What is the approach for cyber security due diligence?
Several approaches are possible:
- A questionnaire-based approach, usually with multiple choice answers to a series of questions. Beyond the lack of depth of such an approach, its outcome depends heavily on who answers the questionnaire and how it is used – unfortunately, often it is barely read.
- An interview approach, consisting of assessing the situation against a known and appropriate reference framework, during exchanges with the security managers of the company in question. The limitation of this approach is that it is based only on statements and provides no evidence of what is being claimed. Conducted by an expert experienced in the exercise, it still gives a quick general picture of the type of security practices implemented.
- An analysis by automated tools, which discover the information systems and try to identify pre-existing flaws. While this method is not infallible, it makes it possible to quickly obtain an initial assessment of the maturity level of the organisation.
- A "complete" approach, consisting of both a theoretical and organisational analysis of security and also tests, to obtain a picture as close as possible to reality. This approach, ideal in theory, is often used in the case of start-up acquisitions, but almost never in the context of larger deals, for reasons of both cost and lack of time.
Whatever the approach chosen, it can be broken down into two stages: (1) an initial analysis to provide knowledge and understanding of the security risks, thus supporting the go/no-go decision on the deal; and (2) a more in-depth analysis to assess the risks more precisely and decide on the implementation of corrective actions.