No one would buy a company without a thorough look at the books. So, for William Shortt, Northeast Director of Cyber Security, M&A Advisory at Aon Risk Services, it's surprising that only in the last five years have people started to scrutinize a target's digital records.
"If you are a company and you have a lot of data and it's all being breached — it's out there being traded on the dark web — that could be an impact on valuation," Shortt says. "If you have an active threat — and as we all know a simple search on the dark web and the requisite forums can reveal that there's an imminent attack, which could lead to ransomware, which could lead to business interruption — it's an impact on value."
Still, he says, there have been major deals in recent years that have largely ignored the digital side of the transaction. While the issue is still considered nascent, he says that in the last 24 months clients who might have done cyber due diligence on a few deals are now doing it programmatically.
Sometimes a lack of spend can make a company vulnerable. Companies spend money on research and development, sales, marketing and hiring people who are going to drive the business, but security is invariably neglected.
"To get your company secure so it's robust and can continue to grow, you've got to spend $400,000 post-close," he says. "That should be included in the balance sheet valuation of said target company."
On the seller's side, they're being asked difficult questions where previously they wouldn't have been.
"You don't go to market with your financial accounts not in order or they're going to say, Well we can't do business like this. Give us a call in a couple of years when you've got a track record," he says. "You need to have a robust cyber security program in place and be able to tell a robust account of what you've been up to. When it comes to mergers and the complexities of integrations, carve-outs, people are more mindful of the additional steps that one needs to take because of the risks of taking an infected organization and merging it with one that has good cyber hygiene."
Ice Miller LLP Partner Reena Bajowala says her cyber due diligence checklist used to be maybe three or four questions about cyber security. That has grown dramatically.
"You're asking for policies, you're asking for underlying documentation and logs, you're asking for, well have you done a pen test? What kind of third-party audits have you been engaged in?" she says. "And specifically around insurance, it's getting deeper and deeper. It's not just check the box there's cyber liability insurance. What does the policy say? Because the cyber insurance market is hardening and there are additional barriers to getting those recoveries."
Guaranteed Rate Chief Information Security Officer Darin Hurd says that with cyber diligence, it comes down to "trust but verify."
"Long gone are the days where you ask the question, Are you secure, yes or no. They check the box and you move on," Hurd says.
He says the company has a set of questions that is similar to a vendor questionnaire for third-party risk. It's aimed at understanding the scope of the acquisition — the assets, the people, the locations, the vendors, the technologies in use — and learning what it is from a technology standpoint, a security standpoint and a risk management standpoint that they're purchasing. Many of the questions are about the technologies used and the processes that are in place. But they're not just asking someone to check a box. They're asking someone to provide evidence.
"And that's where the verification comes into play," he says. "So you say you're doing a pen test. Well, I want to see the pen test findings and I want to see the resolution of those pen test findings and I also want to see that in governance documentation that ideally you should be reviewing with your board of directors or your management committee or whatnot. So, that assessment is pretty broad and it's pretty deep and we look for a lot of documentation to support."
The company also takes it a step further with a mini pen test — looking at the target's Active Directory, its infrastructure, how its network is set up, and what controls it has in place with its cloud security providers — to understand those in detail.
"Because at the end of the day when you're going through the due diligence phase, eventually these assets are going to be yours," he says. "You're going to have to be managing them, so you need to be very clear on what you're purchasing so that if there is any hidden liability you're uncovering it through that process to then raise red flags to say, hey, the security posture maybe isn't what we thought it was and it's going to take some additional investment to get it to where it needs to be to support Guaranteed Rate's risk tolerance."
Shortt, Bajowala and Hurd, along with the Chicago Bears' Justin Stahl and Aon Risk Services' Che Bhatia, spoke at last year's Chicago Smart Business Dealmakers Conference about the rising importance of cyber diligence in M&A transactions.