The PE Buyer’s Cyber Due Diligence Checklist
By Gregory A. Garrett
As cyberattacks increase in sophistication and magnitude of impact across all industries globally, private equity firms can no longer afford a “whatever” attitude towards cybersecurity. In a world where data is increasingly viewed as an organization’s most valuable asset—and yet data can also be its greatest source of risk—cybersecurity is inextricably linked to company value. It is vital for the buyer to ensure they fully understand both the value of the information assets they are looking to acquire and the level of cyber threat and vulnerability facing the target company. The buyer must also be able to determine the potential financial impact of the company’s cybersecurity preparedness or lack thereof upon the deal price.
Private equity firms can use this checklist to ensure they are taking appropriate actions before, during, and after the deal to mitigate the potential negative impacts of cyberattacks and optimize the financial aspects of the deal.
Before the Deal
- Conduct a Dark Web Analysis for the company, key personnel, and selected supply chain partners
- Conduct a Social Media Analysis of the company and key personnel
- Conduct an extensive Internet Search of the company and key personnel
During the Deal (Due Diligence)
- Review the company’s information security policies, plans, and procedures, including the Incident Response (IR) Plan, Business Continuity Plan (BCP), and Disaster Recovery (DR) Plan
- Evaluate the company’s cybersecurity education and training program
- Assess the most recent cyber vulnerability assessment and penetration testing findings
- Conduct a new vulnerability assessment and penetration tests, preferably via an independent cybersecurity services firm
- Assess the information technology infrastructure, people, hardware, and software
- Evaluate the company’s compliance with the cybersecurity risk management framework required by its industry
- Conduct a cyber liability insurance coverage adequacy evaluation
After the Deal is Done (Remediation)
- Conduct a cyber risk assessment
- Enhance IT technical operations
- Engage a Managed Security Services Provider (MSSP) to:
  - Provide managed monitoring, detection, and incident response services, 24x7x365
  - Provide threat intelligence services
- Provide cybersecurity education and training to all employees
- Assess third-party vendor cyber risks