The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships
The Cybersecurity Due Diligence Handbook - John Reed Stark
PREFACE
Show me a company with weak cybersecurity and I will show you a company with lackluster corporate governance, anemic C-suite leadership and head-in-the-sand operations. That is why there is a new, specialized and complex business demand in the corporate world: cybersecurity due diligence.
Cybersecurity due diligence is rapidly becoming a critical factor of the decision-making calculus for a corporation contemplating a merger, acquisition, asset purchase or other business combination; an organization taking on a new vendor, partner or other alliance; or a private equity firm purchasing a new portfolio company.
In every industry, cybersecurity weaknesses represent a significant threat to the operations, reputation and the bottom line of all companies, whatever their size and wherever their location. Poor cybersecurity at any company creates tremendous risk for any suitor who buys that company, merges with that company, partners with that company or hires that company as a vendor. The mantra underlying cybersecurity due diligence concerns is simple: No matter what the terms, when adding, partnering or working with another enterprise, a company is taking on that company’s data troubles and attendant data risks.
While data breach risks may be difficult to quantify, companies contemplating new business combinations and relationships now recognize that cybersecurity has become a risk category in its own right. Consider corporate business combinations and corporate vendor management:
Corporate Business Combinations. For corporate mergers and acquisitions and other changes in control, vigorous cybersecurity due diligence not only better informs deal terms and deal value but can also signal early deal-breakers, saving buyers from unforeseen financial costs, regulatory liabilities, technological integration headaches or even bankruptcy.
Aside from offering additional opportunities to more closely assess the risk of business combinations, cybersecurity due diligence analysis can impact valuation and contracting issues as well. Without a fully developed understanding of a company’s cybersecurity profile, a company cannot:
• Fully appreciate the value of another company, whether acquisition target, partner or vendor;
• Meaningfully identify and execute whatever opportunities exist for strengthening cybersecurity; and
• Thoughtfully draft data-related provisions in the transaction’s or vendor’s agreements, so that where possible, parties can implement post-transaction cybersecurity solutions.
Corporate Vendor Management. For corporate vendor management, cybersecurity due diligence has become similarly essential. Given that cyber-attackers will often traverse a company’s network and gain entry into the networks of its vendors or vice versa, third-party vendors have become one of the more prevalent attack vectors in the most recent cyber-attacks, as cybersecurity shortcomings of third-party vendors have become a cybercriminal’s dream.
Cyber criminals have launched some of the most damaging attacks of the past few years through third parties. In fact, numerous studies have shown that third parties represent 40 percent to 80 percent of the risks associated with data breaches. Three recent examples illustrate the issue: 1) CVS confirmed a data breach of its photo service, which remains offline after hackers allegedly breached PNI Digital, a third-party vendor that manages CVS’s photo website; 2) Cal State University was breached through an outsourced firm that provided online courses for violence prevention; and 3) the Army National Guard reports that the data of 850,000 current members have been exposed due to an improper data transfer to a third-party, non-DoD-accredited data center for data analysis.
The use of third party vendors has also become a cybersecurity concern for regulators, including the SEC, FINRA and New York State Department of Banking Services.
Thus, for some companies, including financial firms and banking institutions, third-party cyber-risk management is not only a security function, but also a compliance obligation.
The Evolution of Due Diligence. Given that cyber-attacks remain a steady concern across industries, due diligence teams are beginning to recognize information security as a key data point for decision-making. Due diligence teams have begun shifting their focus from the more traditional information technology (IT) categories of inquiry, such as the state of a company’s technological systems and any associated integration issues, to cybersecurity concerns and questions.
Just as in the financial accounting realm, old and stale due diligence models are being modified and enhanced to address the very real, difficult-to-control and ever-increasing enterprise threat of cyber-attacks. Cyber risks are real and costly, and the most forward-thinking companies assess the cyber health and safety of an enterprise before committing to a significant investment or relationship. Likewise, a company or vendor can strengthen its attractiveness as a partner or a takeover target by conducting "self" cybersecurity due diligence to demonstrate the fitness of its enterprise.
Traditionally, due diligence efforts are geared towards identifying the markets, geographies, technologies, synergies and strategic angles of a business relationship. For instance, at the outset of an M&A deal or a new partnership, due diligence teams scrub financial statements, recasting and recalculating them in every conceivable way to determine the viability, sustainability and profitability of a deal. Due diligence teams have now begun to apply the same energy, breadth and intensity to evaluating a company’s cybersecurity.
This Handbook. The stakes are extraordinarily high for everyone involved when contemplating cybersecurity. That is why I wrote The Cybersecurity Due Diligence Handbook. My goal is to present highly technical cybersecurity subject matter in plain English and to help due diligence teams identify and manage cybersecurity risk. I also aim to create an indispensable flight manual that a due diligence team could use to successfully pilot throughout the cybersecurity due diligence process. I want to empower due diligence teams with a thorough and comprehensive reference resource – no matter how complex and dynamic the merger, acquisition, partnership, vendor relationship or other contemplated business combination and collaboration.
Remember the old commercials for American Express cards, where the company touted its memorable tagline, "The American Express Card, Don’t Leave Home Without It"? I hope my handbook will occupy the same position of unqualified necessity for due diligence teams. For a private-equity team considering a new portfolio company; a business contemplating a new partner, strategic alliance or vendor; or a company mulling over a stock or asset purchase of an attractive enterprise, The Cybersecurity Due Diligence Handbook, Don’t Leave Home Without It.
CHAPTER ONE: INTRODUCTION
Cybersecurity due diligence has been defined as the review of the governance, processes and controls that are used to secure information assets, which is a broad and sweeping undertaking equal to, or even more important than, financial and legal due diligence considerations.
Shareholders, regulators, employees, management and everyone else involved in a transaction expect cybersecurity due diligence to be a substantial effort to understand a company’s data security issues.
So what does proper and appropriate cybersecurity due diligence entail?
This cybersecurity due diligence primer, specially tailored to apply to all kinds of corporate transactions involving all kinds of companies, will answer that question. Within this handbook, due diligence teams will find an exhaustive catalogue of categories that provide a bedrock of inquiry to help navigate cybersecurity due diligence responsibilities.
In addition, this handbook provides the requisite strategic framework to engage in an intelligent, thoughtful and appropriate approach to understanding the cybersecurity risks existing at any company.
By using this handbook, teams conducting cybersecurity due diligence not only can become more preemptive in evaluating cybersecurity risk exposure, but they also can successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management issue, residing at the top of any due diligence checklist.