The Art of M&A - Cybersecurity
An excerpt from The Art of M&A by Alexandra Reed Lajoux
Editor’s Note: A growing number of M&A professionals are pursuing the Certified M&A Specialist, or CMAS™ credential. To support CMAS® candidates preparing for the CMAS® exam, we are pleased to continue our monthly feature column, CMAS® Corner, by noted author and expert, Alexandra Reed Lajoux. Each month’s edition includes directly relevant content derived from the capstone Fifth Edition of Ms. Lajoux’s industry leading book series, The Art of M&A: A Merger, Acquisition, and Buyout Guide (McGraw Hill, 2019). Each month this column covers one or more likely CMAS® exam questions and help you accelerate completion of this important career credential. In February we covered precedent transaction analysis. This month’s topic is cybersecurity – more important than ever in this highly “virtual” post COVID-19 world.
Q: Cybersecurity is a major risk today. What advice do you have for detecting such risk during a due diligence?
Cybersecurity audits should be a very comprehensive review of the existing digital environment of the target company that includes a wide variety of different platforms and tools.1 IT infrastructure, including firewalls, firewall rules, intrusion detection, and intrusion remediation tools and processes are typical areas to review. This should include both current and past environments, including a review of the intrusions and remediations that occurred, both in the past and in the present. With the trend toward the use of cloud technologies, where key information resides with one or more third parties, the analysis can get complex. Knowledge that the cloud provider has acceptable security is not enough information, since the target company could have chosen to bypass some of the available security and use, for example, just a simple password scheme, which would not be an acceptable secure environment. And, for target companies that support a bring your own device (BYOD) environment for their employees, the analysis should include considerations to properly protect the infrastructure environment from devices that may contain dangerous malware.
The analysis of key application software, including data content such as customer information, financial information, and intellectual property rights (IPR) information is a second key focus area, including what information is digitized and made available online to authorized users. And, with the growing use of applications that span organizations across customers, suppliers, and third-party environments, the review can get complex. With the advent of cloud-based applications, it is essential to understand the use of applications not under IT control, but where business personnel have contracted directly with third-party providers to use applications (often referred to as “shadow IT”).
Third, the review of software tools such as email and document management should be analyzed to thoroughly review the target company’s environment. Included in this area would be online applications and websites, including those that are not current or used anymore but still exist, since they could have embedded vulnerabilities, which could lead to intrusions.
Fourth, a review should include the IT and cybersecurity organization and personnel, for responsibilities and adequacies to properly protect the digital environment of the target company.
Fifth, a review of the use of social media by the target company is also crucial in understanding the cybersecurity environment and possible vulnerabilities.
Sixth, with the growing concern about data privacy, a review of data privacy information is recommended, especially in deals involving multinational targets and target companies that are located in different countries. The European Union’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018, has wide-ranging effects. The law requires—with some exceptions—affirmative opt-in and usage notices for any data collection in the European Union (EU) by any organization with 250 or more employees based anywhere in the world. Vendors to these companies may also be affected by this law. The GDPR affects not only European companies collecting data within the EU, but also large non-European companies with “data subjects” based anywhere in the EU. Since most organizations today engage in digital commerce that includes data collection, and since digital commerce per se has no geographic boundaries, the directive has the potential to affect many businesses.
1.This answer was provided by Bill Blandford, Manager of M&A, Retired, Nokia, and a member of the Board of M&A Standards, as introduced in the preface to this book.
Lajoux, Alexandra Reed with Capital Expert Services. “The Art of M&A, Fifth Edition” A Merger, Acquisition, and Buyout Guide. United States of America: McGraw Hill, 2019. Pp. 460-461. Print.
You can learn more about the book at: https://www.artofma.global/ or for a complete list of references/notes within this article please call the M&A Leadership Council at 214-689-3800.