
How to avoid cyber pitfalls in M&A by rebooting diligence practices


The low maturity of cyber due diligence puts deals at risk, and persistent myths and outdated practices are hard to eradicate.


In brief:

  • Cyber risks are gaining the needed momentum in transactions, but the majority of due diligence models follow outdated practices.
  • Regulatory changes and the evolving threat landscape increase the need to rethink how diligence and strategy teams evaluate cybersecurity impacts and value.
  • Holistic and detailed cyber due diligence benefits decision-makers and post-deal teams in improving post-deal activities.

In business transactions, due diligence plays a crucial role in building confidence and understanding against the investment thesis. While processes, methodologies and tools have evolved with technological impact, cybersecurity practices in due diligence processes remain outdated.

Outdated practices create a misleading picture for investors, leaving gaps unidentified and portraying cybersecurity as merely an IT concern. The era of viewing cybersecurity solely as a technical matter is over.

While many aspects of cybersecurity are fundamentally technical, each situation should be analyzed strategically, procedurally, tactically and operationally from a business value perspective.

Smaller investment targets lacking a specific cybersecurity strategy should still have a direction to provide transparency on developments and identify areas for further investments.

Additionally, proactive planning is essential for portraying cybersecurity maturity and capabilities. Without long-term planning, decisions become ad-hoc, costly and fail to meet business needs. Also, unidentified post-deal investments and transformative changes could negatively impact deal reasoning or value realization.

Secondly, many critical processes often link to non-technical areas like HR, communications, or legal. Lack of linkage between technical cybersecurity and organizational processes, including key partners’ role and placement, is often a bottleneck for cybersecurity effectiveness.

Organizations in critical sectors should consider additional regulatory implications from a procedural perspective as well. At the EU level, these are defined by requirements and directives, such as NIS 2. These underlying expectations often come as a surprise at later stages because due diligence processes place too little emphasis on them.

Confidence in the outcome of the due diligence is one of the key factors for process continuation. In case of cybersecurity, the analysis is often based on existing documentation and limited assessment. Comprehensive technical reviews and detailed assessments enhance understanding of requirements, the current situation, and potential investment needs.

Misconceptions persist in transactions regarding security testing depth, continuous monitoring, and the allocation of responsibilities for security-related developments. While practices may exist, their quality falls short of industry expectations.

For instance, software companies assure customers that routine penetration tests safeguard their services and customer data. Unfortunately, the security monitoring capabilities needed to identify and respond to threats are often deficient and, when examined, found to be barely scratching the surface.

Another common misconception concerns the depth of security monitoring and the capability to identify and respond to threats. As seen in diligence cases, proactive monitoring is non-existent or lacking in coverage. For decision-makers, this should be a red flag. Lack of visibility into the details inflates unjustified confidence in a deal's potential.

To unveil potential unidentified threats, boosting confidence involves conducting a thorough analysis for signs of past compromises or existing threat actors in the environment. This prevents unwelcome surprises before transferring liabilities to the buy-side entity.

The increasing utilization of public cloud is another area where diligence practices often overlook roles and responsibilities. While cloud providers handle many security-related responsibilities at the infrastructure level, end-user organizations must manage network security, identities and access, and set up container services security. Poor cloud security is unfortunately a common theme in transaction settings.

Lastly, it’s crucial to note that the cybersecurity industry is constantly evolving. What was deemed reasonable a few years ago may now be considered partially immature. Organizations must continuously enhance their capabilities, and those conducting due diligence should stay informed about market trends.

Summary

To ensure business value realization via cybersecurity throughout the transaction lifecycle, proper due diligence execution is the first step.


With the ever-changing cyber threat landscape, changes in due diligence practices are twofold: first, approaches require proper end-to-end cybersecurity inclusion, as traditional aspects do not cover all bases. Secondly, cybersecurity SMEs need to be involved for in-depth understanding.

Continuing with outdated practices not only poses risks for day-to-day operations but also requires additional investment. Expectations for cybersecurity are increasing. As the old saying goes, “the best preparation for tomorrow is to do proper work today.”
