Mergers & Acquisitions
Identification and evaluation of cyber risk in any transaction is essential. A company's ability to identify, mitigate and respond to internal and external cyber threats can influence the valuation of assets being acquired. The discovery of unanticipated cyber risk can slow down a planned transaction and negatively impact expected company valuation. CYGRU can advise on a comprehensive evaluation of cyber threats and risk, and current security capabilities of an acquisition target.
This evaluation typically requires a check of, at a minimum, the following:
1. Critical Data & IT Infrastructure Identification: What are the target's most critical data & IT assets? What types of regulations or risk (financial, reputational, ethical, legal) are applicable? Is the infrastructure resilient to both man-made or environment hazards?
2. Assess Current Cyber Security Capability: How effective are the company's people, processes & technologies against a wide range of cyber threats? Does it have the culture, policies and record of significant technology investments that support continuous improvement in cyber security capabilities?
3. Threat Landscape: What is known about past and current threats to the target? Will the target's integration into your infrastructure create new threat vectors and adversaries? Do you have sufficient threat intelligence to mitigate future potential threats?
4. Incident Response Capability: Has the target company experienced breaches in the past that could create legal exposure in the future? Do you have sufficient data to support costs associated with responses to possible incidents? What is budgetary impact to conduct incident response activities? What is potential for lost revenue, business interruption or lost market value as a result of an adverse conditions?
5. Supply Chain Risk Exposure: What is the impact of a cyber incident or vulnerability at a upstream or downstream supplier? Are these potential vulnerabilities identified and risk mitigation strategies being effectively implemented throughout the supply chain? Is unmitigated risk being transferred appropriately throughout the supply chain?
6. Risk Transference: Can the company procure insurance against unmitigated or unknown risks?
There is no "one size fits all" solution. All analysis must be customized to the target and evaluate organizational, cultural, legal, regulatory and industry specific considerations relating to cyber risks. CYGRU can advise, manage and execute on the cyber security considerations in your merger or acquisition