Cybersecurity Due Diligence Is Now More Important Than Ever

In the mergers and acquisitions world, the sale price of a company can hinge on how well, or how poorly, a buyer and seller have positioned themselves against cyberattacks.

“I spend a lot of time in discussions with lawyers and insurers about this [topic],” says Toby Zimmerer, a Director of Cybersecurity Due Diligence in the Transaction Advisory Services Practice of RSM US, at the Medtech MVP Conference 2022 https://medtechmvp.com. Those calls, he says, can last for hours. “Cybersecurity is now a very important aspect of how we run a company, how we run services.”

Thorough due diligence on all aspects of a company’s history with cybersecurity irregularities cannot be overstressed, Zimmerer says—and that goes for both buyer and seller. A company that allows slow resolution of just one cyber breach or fails to follow up with satisfactory security modifications can raise a red flag with a host of stakeholders, including financiers, he says. “If you don't have enough due diligence and processes in the background to make sure it does not happen again … your insurer could deny you coverage [in the future].”

Zimmerer has seen that happen. He recalls a target company in an acquisition that had been breached twice. The insurer agreed to pay at the time but said it would not provide coverage in the future. “That happened during the due diligence process, and we found that out. That's a pretty big challenge [to negotiations].”

Another challenge: To get all companies to appreciate that they are likely exposed to cyber breaches. “If you're on the internet, you're exposed. If you've got a forward-facing system, you're exposed,” says Zimmerer.

State of cybersecurity

Businesses in general, Zimmerer says, are not taking cybersecurity seriously—security departments are underfunded and poorly staffed. “We’re doing a lot with nobody,” he says.

The cyberthieves are aware of this lack of attention, he adds. Some will find out the targeted company’s insurance limits; the breach and demand for ransom follow. “Then when you try to negotiate with them, they know what your limit is, and [the thieves] will hold you to it,” he says.

The targeted company might rely on its warranty coverage, which is a mistake, Zimmerer says, because it might not receive coverage—or the asking price.

Questions that need answers

Zimmerer offers a rundown of what RSM looks for during due diligence:

• How well structured is the cybersecurity program?
• How does it work?
• How well is the company tracking and managing risks within the organization?
• What kind of controls are in place?
• What solutions are being used?
• When is the last time the company ran a penetration test?
• If there was a data breach in the past, how was it dealt with?
• If it hasn't been resolved, why?
• What legal obligations have not been met?

Software bridges and human pitfalls

The connection between business IT and cybersecurity is obvious, so it’s important to understand that collaboration between the two departments is necessary and that each department is aware of what the other is doing.

One potential hazard is the ability to purchase cloud services in two minutes with a credit card. “That makes cybersecurity professionals cringe,” he says.

It happens often, he adds, that a business department employee will buy a security-intention that cybersecurity doesn’t know about. “I was working with a client who had 200 undocumented instances of Amazon [purchases],” says Zimmerer. “Unmanaged people bought this and [put] it up. That's a problem, particularly when you start throwing customer data up or your own intellectual property.”

Knowing what contracts human resources has with contractors is another vital aspect of due diligence discovery, Zimmerer says. Businesses outsource code development all the time, and these workers have access to data. It’s important to know which contractors have non-compete requirements.

Nondisclosure agreements (NDAs) also must be reviewed to ensure that the company’s contractors and employees are compliant with all NDA requirements. The big question is whether these workers are contractually obligated to keep mum. “We're finding out the companies that are going into new states [such as California, Colorado, and Virginia] aren't aware” that data protection laws are either in effect or soon will be, says Zimmerer.

By examining these and other cybersecurity issues and considering ways to improve areas of weakness, companies can place themselves in a much better position when it comes to mergers and acquisitions or simply doing business with other companies. Having a handle on this aspect of a business is now integral for success.