Stephanie Stone said it best in Forbes magazine when she declared “Every company is a technology company” (Forbes 2017). As technology now underpins every organisation, every organisation is now vulnerable to a cyber-attack. Taking this statement as a fact in this digital age, then during M&A it isn’t just a product that needs assessing from a cyber security point of view, it is the target organisation in its entirety.
We recognise that full cyber security audits and continuous monitoring of organisations aren’t always feasible in the fast-paced and dynamic investment arena. Therefore, CYSIAM recommends a minimum set of questions and activities for ‘red flag’ that achieve maximum impact in a short time-bound work package.
Key questions to answer
- Is the target already breached and / or vulnerable to attack?
- Does the target recognise and mitigate the risk of cyber-attacks?
- Is there a risk of the target incurring legal penalties or prosecution as the result of a cyber-attack?
- Is the target contractually liable for 3rd party cyber security risks?
Minimum recommended approach
In addition to seeking insurance advice we recommend, as a minimum, the following cyber security due diligence for every investment.
- Vulnerability scanning of internal networks, web-facing applications and critical assets.
- Review of policies and evidence of implementation.
- Compliance checks against relevant legal and common framework requirements.
- Review of key customer and supplier contracts and their technical access to the target.
If you are interested in discussing your current approach to cyber security, either within the due diligence process or as part of a current portfolio, then please contact us here.