Everand Logo

Welcome to Everand!

  • Discover millions of ebooks, audiobooks, and so much more with a free trial

    Only $11.99/month after trial. Cancel anytime.

    The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships
    The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships
    The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships
    Ebook134 pages1 hour

    The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships

    By John Reed Stark

    ()

    Read preview

    About this ebook

    Cybersecurity due diligence has been defined as “the review of the governance, processes and controls that are used to secure information assets,” which is a broad and sweeping undertaking equal to, or even more important than, financial and legal due diligence considerations. Shareholders, regulators, employees, management and everyone else involved in a transaction expect cybersecurity due diligence to be a substantial effort to understand a company’s data security issues. So what does proper and appropriate cybersecurity due diligence entail? This cybersecurity due diligence primer, specially tailored to apply to all kinds of corporate transactions involving all kinds of companies will answer that question. Within this handbook, due diligence teams will find an exhaustive catalogue of categories that provide a bedrock of inquiry to help navigate cybersecurity due diligence responsibilities. In addition, this handbook provides the requisite strategic framework to engage in an intelligent, thoughtful and appropriate approach to understanding the cybersecurity risks existing at any company. By using this handbook, teams conducting cybersecurity due diligence not only can become more preemptive in evaluating cybersecurity risk exposure, but they also can successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management issue, residing at the top of any due diligence checklist.
    LanguageEnglish
    PublisherBookBaby
    Release dateJun 1, 2016
    ISBN9781483571508
    The Cybersecurity Due Diligence Handbook: A Plain English Guide for Corporations Contemplating Mergers, Acquisitions, Partnerships, Vendors or Other Strategic Alliances and Relationships

    Related to The Cybersecurity Due Diligence Handbook

    Related ebooks

    Business For You

    View More
    View More

    Related podcast episodes

    Related articles

    Related categories

    Reviews for The Cybersecurity Due Diligence Handbook

    0 ratings

    0 ratings0 reviews

    What did you think?

    Tap to rate

    Review must be at least 10 words

      Book preview

      The Cybersecurity Due Diligence Handbook - John Reed Stark

      Author

      PREFACE

      Show me a company with weak cybersecurity and I will show you a company with lackluster corporate governance, anemic C-suite leadership and head-in-the-sand operations. That is why there is a new, specialized and complex business demand in the corporate world: cybersecurity due diligence.

      Cybersecurity due diligence is rapidly becoming a critical factor of the decision-making calculus for a corporation contemplating a merger, acquisition, asset purchase or other business combination; an organization taking on a new vendor, partner or other alliance; or a private equity firm purchasing a new portfolio company.

      In every industry, cybersecurity weaknesses represent a significant threat to the operations, reputation and the bottom line of all companies, whatever their size and wherever their location. Poor cybersecurity at any company creates tremendous risk for any suitor who buys that company, merges with that company, partners with that company or hires that company as a vendor. The mantra underlying cybersecurity due diligence concerns is simple: No matter what the terms, when adding, partnering or working with another enterprise, a company is taking on that company’s data troubles and attendant data risks.

      While data breach risks may be difficult to quantify, companies contemplating new business combinations and relationships now recognize that cybersecurity has become a risk category in its own right. Consider corporate business combinations and corporate vendor management:

      Corporate Business Combinations. For corporate mergers and acquisitions and other changes in control, vigorous cybersecurity due diligence not only better informs deal terms and deal value but can also signal early deal-breakers, saving buyers from unforeseen financial costs, regulatory liabilities, technological integration headaches or even bankruptcy.

      Aside from offering additional opportunities to more closely assess the risk of business combinations, cybersecurity due diligence analysis can impact valuation and contracting issues as well. Without a fully developed understanding of a company’s cybersecurity profile, a company cannot:

      •   Fully appreciate the value of another company, whether acquisition target, partner or vendor;

      •   Meaningfully identify and execute whatever opportunities exist for strengthening cybersecurity; and

      •   Thoughtfully draft data-related provisions in the transaction’s or vendor’s agreements, so that where possible, parties can implement post-transaction cybersecurity solutions.

      Corporate Vendor Management. For corporate vendor management, cybersecurity due diligence has become similarly essential. Given that cyber-attackers will often traverse a company’s network and gain entry into the networks of its vendors or vice versa, third-party vendors have become one of the more prevalent attack vectors in the most recent cyber-attacks, as cybersecurity shortcomings of third-party vendors have become a cybercriminal’s dream.

      Cyber criminals have launched some of the most damaging attacks of the past few years through third parties. In fact, numerous studies have shown that third parties represent 40 percent to 80 percent of the risks associated with data breaches. Three recent examples illustrate the issue: 1) CVS confirmed a data breach of its photo service, which remains offline after hackers allegedly breached PNI Digital – a third-party vendor that manages CVS’s photo website; 2) Cal State University was breached through an outsourced firm that provided online courses for violence prevention; and 3) the Army National Guard reports that the data of 850,000 current members have been exposed due to an improper data transfer to a third party non DoD-accredited data center for a data analysis.

      The use of third party vendors has also become a cybersecurity concern for regulators, including the SEC, FINRA and New York State Department of Banking Services.

      Thus, for some companies, including financial firms and banking institutions, third-party cyber-risk management is not only a security function, but also a compliance obligation.

      The Evolution of Due Diligence. Given that cyber-attacks remain a steady concern across industries, due diligence teams are beginning to recognize information security as a key data point for decision-making. Due diligence teams have begun shifting their focus from the more traditional information technology (IT) categories of inquiry, such as the state of a company’s technological systems and any associated integration issues, to cybersecurity concerns and questions.

      Just as in the financial accounting realm, old and stale due diligence models are being modified and enhanced to address the very real, difficult-to-control and ever-increasing enterprise threat of cyber-attacks. Cyber risks are real and costly, and the most forward-thinking companies assess the cyber health and safety of an enterprise before committing to a significant investment or relationship. Likewise, a company or vendor can strengthen its attractiveness as a partner or a takeover target by conducting "self’ cybersecurity due diligence to demonstrate the fitness of its enterprise.

      Traditionally, due diligence efforts are geared towards identifying the markets, geographies, technologies, synergies and strategic angles of a business relationship. For instance, at the outset of an M&A deal or a new partnership, due diligence teams scrub financial statements, recasting and recalculating them in every conceivable way to determine the viability, sustainability and profitability of a deal. Due diligence teams have now begun to apply the same energy, breadth and intensity to evaluating a company’s cybersecurity.

      This Handbook. The stakes are extraordinarily high for everyone involved when contemplating cybersecurity. That is why I wrote The Cybersecurity Due Diligence Handbook. My goal is to present highly technical cybersecurity subject matter in plain English and to help due diligence teams identify and manage cybersecurity risk. I also aim to create an indispensable flight manual that a due diligence team could use to successfully pilot throughout the cybersecurity due diligence process. I want to empower due diligence teams with a thorough and comprehensive reference resource – no matter how complex and dynamic the merger, acquisition, partnership, vendor relationship or other contemplated business combination and collaboration.

      Remember the old commercials for American Express cards, where the company touted its memorable tagline, "The American Express Card, Don’t Leave Home Without It" I hope my handbook will occupy the same position of unqualified necessity for due diligence teams. For a private-equity team considering a new portfolio company; a business contemplating a new partner, strategic alliance or vendor; or a company mulling over a stock or asset purchase of an attractive enterprise, The Cybersecurity Due Diligence Handbook, Don’t Leave Home Without It.

      CHAPTER ONE: INTRODUCTION

      Cybersecurity due diligence has been defined as the review of the governance, processes and controls that are used to secure information assets, which is a broad and sweeping undertaking equal to, or even more important than, financial and legal due diligence considerations.

      Shareholders, regulators, employees, management and everyone else involved in a transaction expect cybersecurity due diligence to be a substantial effort to understand a company’s data security issues.

      So what does proper and appropriate cybersecurity due diligence entail?

      This cybersecurity due diligence primer, specially tailored to apply to all kinds of corporate transactions involving all kinds of companies will answer that question. Within this handbook, due diligence teams will find an exhaustive catalogue of categories that provide a bedrock of inquiry to help navigate cybersecurity due diligence responsibilities.

      In addition, this handbook provides the requisite strategic framework to engage in an intelligent, thoughtful and appropriate approach to understanding the cybersecurity risks existing at any company.

      By using this handbook, teams conducting cybersecurity due diligence not only can become more preemptive in evaluating cybersecurity risk exposure, but they also can successfully elevate cybersecurity from an ancillary IT concern to a core enterprise-wide risk management issue, residing at the top of any due diligence checklist.

      Enjoying the preview?
      Page 1 of 1