Author: Gary Hibberd
Date: 23rd July 2020
Last year I bought a car for our daughter. As it was her first car, we decided to go for a used car, nothing too flashy but something that would be ideal as a first car.
However, full disclosure: I don’t know much about cars. And when I say ‘much’, I mean nothing. I know that they (generally) have a wheel at each corner and one you use to steer. So I asked a friend to help me out with the purchase. After all, a car isn’t a cheap asset, and I was about to put someone I love dearly into it. Should anything go wrong, I would only have myself to blame for not doing the right kinds of checks.
My friend is a mechanic, so he gave the car a good looking over; he checked the engine, the tyres, the bodywork, and crawled beneath the car to see if it was all safe and secure. Prior to this, my only checks were to go for a test drive and make sure the fuel consumption was something I could accept.
On conclusion of his checks, he was satisfied it was roadworthy. Everyone was happy until we looked a little deeper.
Car Due Diligence
Being in Cybersecurity, I naturally never only look at the physical aspects of what I’m buying. I want to know the history. Are there any skeletons in the cupboard?
On further checks, I discovered that the car had been written off in an accident almost two years ago. I also discovered that the car had outstanding loans upon it.
Needless to say, we didn’t go ahead with the purchase, and the reputation of second-hand car dealers was further established.
The need for better Due Diligence
Some of you reading this may be wondering what this has to do with the Private Equity and Mergers & Acquisitions sector, but I hope not. You would hope that this sector has long understood the importance of conducting thorough Due Diligence exercises on their target companies. But according to a survey conducted by Deloitte in 2019, not all is well in this world.
In their report “State of the Deal”, Deloitte stated (among other things) that while corporate and private equity companies were clearly focused heavily on making deals work, a sizeable chunk falls short of achieving the results initially envisioned.
The report goes on to recognise the need for more effective due diligence, integration and focus on ensuring revenue projections materialise. Clearly, in our highly digitised and data-centric universe the importance and reliance placed on technology has never been higher, so this is certainly one factor which can have a material impact on the ability of a company to achieve its expected (and predicted) revenue.
This change is known as a ‘Material Adverse Change’, which effectively means any change in the assets, liabilities or financial stability of the target operation. But how do you find out about these material changes if you’re only looking in one direction?
Cyber Due Diligence
Acquirers, of course, conduct a whole host of Due Diligence when purchasing a company. The sector is highly skilled and experienced, and thankfully many do this without issue or concern. But in truth, and with this new world in which we live, is the sector doing enough to satisfy itself that changes in the technological landscape aren’t leaving them exposed?
It has only been in recent years that IT companies involved in the M&A sector have begun looking at Cybersecurity. Historically, IT Due Diligence will give a detailed understanding of the technology landscape and a view of the general ‘health’ of the technical ecosystem in place. It will inform the buyer of any need for major investment in technology, which may materially affect the value of the proposition.
Just as my friend could only look at the mechanics of the car I was considering buying, research and investigation only go so far.
Cyber Due Diligence will go beyond the technical and physical aspects of the IT infrastructure and reveal what security practices and processes are in place and establish how effective they are. There is a big difference between IT Due Diligence and Cyber Due Diligence. But there is more to come. Cyber Due Diligence has evolved further, and today, it’s not only important to understand how we are protecting Data but also how it is being used.
Not all Cyber Due Diligence is equal
Within Cyberfort, we have long believed and understood that there are two sides to protecting Data: it needs to be secure, and it needs to be respected. This means that the way a company uses Data (or misuses it) can have a material impact upon the value of that organisation.
Of course, we know that it’s essential to identify whether the company suffered a Data breach several months ago, but we also know how important it is to understand how they dealt with that breach. Merely stating that they invested heavily in technical security controls following the breach might satisfy a standard Cyber Due Diligence. But we believe the way they dealt with customers and their own staff is more telling of their attitudes towards security and privacy.
Of course, no blog on this sector would be complete without mentioning the Marriott Hotel Data Breach, which occurred in 2018. If you’re unfamiliar with this story, then it would be worth reviewing and Googling it. It is now the ‘Grimm Tale’ which every Cybersecurity practitioner talks about in relation to this sector and Cybersecurity. Marriott is the ‘poster child’ for how NOT to protect Data, and how NOT to carry out Due Diligence. Their focus was on IT Due Diligence, not Cyber Due Diligence.
This is why Cyber Due Diligence is about more than IT. It’s often said in the Cybersecurity industry that Cybersecurity is not an IT risk; it is a business risk.
If you are in the M&A sector and you’re still relying on your IT Due Diligence to protect your most valuable asset, then I sincerely hope you pay closer attention if you ever buy a second-hand car.
In our collection of whitepapers, Cyberfort’s cyber consulting experts explore issues from cyber threat intelligence to incident planning and data security. Read our whitepapers to help make informed decisions for the benefit of your business.