As cyber-attacks grow in frequency and sophistication, companies in every sector have found themselves reeling, having to mitigate and recover from cyber security incidents. Breaches of confidential and personal data, theft of intellectual property and proprietary business information, as well as ransomware and DDoS attacks, have severely affected organisations’ share price, financial results, brand and reputation, as well as trust among customers.
Concurrently, in an increasingly stringent regulatory environment, organisations are required to disclose breaches to regulators, shareholders and customers, and harsh data protection laws under the General Data Protection Regulation (GDPR) are seeing massive fines imposed on those who fall foul of the law, in addition to the lawsuits they face from affected parties.
Compounding the problem, the rapid digital transformation that was catapulted ahead by the COVID-19 pandemic, along with a slew of new technologies that businesses in every sector needed in order to survive, meant that cyber risks affected all entities, not just the most digitally advanced ones. Attackers are aware of this and are acting on it, with many of the most notorious breaches we witnessed last year targeting critical organisations such as infrastructure and pipeline operators, transport giants, food producers, healthcare and financial services firms, among many others.
This scramble to stay ahead has resulted in ineffective cyber security and data protection policies, rushed technology implementations without a real understanding of what the technologies offer, and inadequate crisis management planning, all of which have come under the spotlight in the aftermath of these wide-scale attacks.
And in spite of well-publicised incidents such as the Google, Target, Yahoo and Marriott breaches, each of which should in its own right have placed cyber due diligence at the top of any investor’s priority list, thorough scrutiny of the governance, processes and controls used to secure information assets within organisations is still not the norm in most businesses.
Add to this that in the past year alone, we have seen ransomware grow more than a hundredfold generally, and by 755% in the health care industry according to research by SonicWall. Alarmingly, many of those breaches happened after the announcement of a merger or acquisition. Bear in mind that a “normal” ransomware attack on a large corporate can run up costs into the tens of millions of euros due to ransom demands, revenue loss, legal and incident response costs, technology replacement, and soaring cyber insurance premiums. Also, business leaders, CEOs and boards of directors are now being held personally liable for any negligence or oversight that might have caused a security breach.
There’s a reason why bad actors are targeting entities that are undergoing mergers and acquisitions: that’s where the money is. A business being sold to a large enterprise or a private equity firm has access to far more resources with which to pay up than a smaller, stand-alone entity does. Mergers and acquisitions also bring a period of transition, with owners and management teams coming and going, which leaves the business vulnerable to attack.
What is needed is thorough cyber due diligence, and it is as relevant to private equity and infrastructure funds that invest across a variety of other sectors as it is to investors that focus on technology alone.
Investment teams tend to be led by financial minds who are not familiar with IT and cyber security, and who find the notion of cyber due diligence both vague and hard to grasp. What they don’t realise is that cyber due diligence is not independent from, or mutually exclusive to, other diligence processes. It has the same basic purpose, which is to thoroughly assess any risks to the investment, make sure the valuation is correct, and flag any areas that need closer inspection or remediation. In fact, many familiar risk factors are also crucial when it comes to carrying out effective cyber due diligence.
Cyber due diligence can give invaluable insight into an organisation’s exposure to cyber threats, and give investors a clearer picture of the company’s external threat profile. It also helps them understand, early in the investment process, the potential risks involved in taking the company on, as well as the expense and timeline for remediation. It can also help investors identify possible risk factors, including any holes in the company’s existing cyber defences, or areas where the business is lacking, such as poor disaster recovery, crisis management or business continuity.
Moreover, much like other forms of due diligence, cyber due diligence helps investment leaders make better-informed decisions before shelling out any cash, and gives them insight into current and possible future cyber security hurdles, as well as past security events that could negatively impact the company’s value or brand.
The bottom line? Cyber risks and threats aren’t going anywhere, and this is why it is crucial for investment teams to know exactly what they are getting themselves into, and to have a proper grip on the risks and cyber exposures associated with any investment, in order to protect themselves and mitigate any brand and regulatory risks.