Getting Started - Cybersecurity is a major risk today. What advice do you have for detecting such risk during a due diligence?

Cybersecurity audits should be a very comprehensive review of the existing digital environment of the target company that includes a wide variety of different platforms and tools. IT infrastructure, including firewalls, firewall rules, intrusion detection, and intrusion remediation tools and processes are typical areas to review. This should include both current and past environments, including a review of the intrusions and remediations that occurred, both in the past and in the present. Given the nearly universal use of cloud technologies to store corporate data, where key information the potential for data vulnerability is high. resides with one or more third parties, the analysis can get complex. In cloud-based applications, applications are not under direct IT control but are controlled by one or more outside providers (often referred to as “shadow IT”). Knowledge that the cloud provider has acceptable security does not provide an acceptable level of assurance, since the target company could have chosen to bypass some of the available security and use, for example, just a simple password scheme, which would not be an acceptably secure environment. And, for target companies that support a bring your own device (BYOD) environment for their employees, the analysis should include considerations to properly protect the infrastructure environment from devices that may contain dangerous malware.

The analysis of key application software, including data content such as customer information, financial information, and intellectual property rights (IPR) information is a second key focus area, including what information is digitized and made available online to authorized users. And, with the growing use of applications that span organizations across customers, suppliers, and third-party environments, the review can get complex.

Third, the cybersecurity review should analyze  software tools such as email and document management as well as online applications and websites, including those that are not current or used anymore but still exist, since they could have embedded vulnerabilities, which could lead to intrusions.

Fourth, a cybersecurity review should include the IT and cybersecurity organization and personnel, for responsibilities and adequacies to properly protect the digital environment of the target company.

Fifth, a review of the use of social media by the target company is also crucial in understanding the cybersecurity environment and possible vulnerabilities.

Sixth, with the growing concern about data privacy, a review of data privacy information is recommended, especially in deals involving multinational targets and target companies that are located in different countries. The European Union’s General Data Protection Regulation (GDPR), which went into effect May 25, 2018, has wide-ranging effects. The law requires—with some exceptions—affirmative opt-in and usage notices for any data collection in the European Union (EU) by any organization with 250 or more employees based anywhere in the world. Vendors to these companies may also be affected by this law. The GDPR affects not only European companies collecting data within the EU, but also large non-European companies with “data subjects” based anywhere in the EU. Since most organizations today engage in digital commerce that includes data collection, and since digital commerce per se has no geographic boundaries, the directive has the potential to affect many businesses.  The heavy fines paid by Meta in recent years provide a good example.