Buyers Beware – Assess the Data Security of Your M&A Target Before It’s Too Late [Blog Post]
September 24, 2015
With borrowing rates continuing at an all-time low and an abundance of dry powder to invest, corporations and institutional investors are aggressively looking to deploy their capital through acquisitions and buyouts.
This all points to a strong M&A marketplace in 2015. Strong deal markets also equate to higher valuations and increased pressure to close deals quickly.
One area often overlooked in the rush to close is information risk management (IRM). It takes just one data breach to negatively impact shareholder value.
Fortunately, you can assess a potential partner’s data security strengths and weaknesses before the deal goes through and without slowing down any processes.
A recent editorial in CFO Magazine provided some key data security considerations at each M&A phase to help uncover any potential IRM issues. These considerations are recapped below:
Phase 1: Initial Due Diligence
- Does the target organization have a compliance and security governance committee? If so, review the charter, membership, and IRM processes and procedures to ascertain their comprehensiveness and effectiveness.
- Is there a code of conduct that outlines expected workforce behavior and responsibilities related to data security? If so, does it describe sanctions for non-compliance?
- Is there a formal program for managing service providers? If so, inquire if recent revisions have been made to accommodate any new regulations.
- Have recent assessments or audits been conducted on compliance, data security programs, or both? If so, ask if remediation activities are underway to close any gaps.
- Obtain copies of insurance policies, and review to ensure appropriate levels for cyber-liability, property and casualty, and directors and officers’ coverage.
Phase 2: Prior to Definitive Agreement
- Cross-check policies and procedures against regulations to ensure complete compliance and make it easier to integrate the target into the acquiring company.
- Review training materials to make sure they cover job responsibilities associated with access to sensitive information.
- Review specific policies and procedures related to reporting complaints, security incidents or privacy violations, breach assessments, and notifications.
- Review business continuity and disaster recovery plans.
- Request an inventory of service providers with services provided, minimum necessary information shared, due diligence conducted, security incident notification requirements, and replacement vendors for critical services.
- Review governance/oversight committee meeting minutes and attachments to verify adherence to charter, agendas, and documented risk management processes.
Phase 3: After Signing Definitive Agreement
- Review IRM processes in detail, including prior risk assessment decisions to assess compatibility of risk tolerance.
- Review logs and other documentation regarding security incidents, privacy violations, complaints, breach risk assessments and conclusions, notification plans and previous activities (if any).
- Inquire and request details of any reported breaches or regulatory investigations or audits.
- Request copies of compliance and security attestations, assessments, or audits from high-risk service providers.
- Audit the adherence to procedures for establishing, modifying, and terminating access to sensitive information.
- Review details of remediation activities from recent compliance and data security audits or assessments, and the timeline for completion of any audits underway.
- Review documentation of all activities undertaken to test business continuity plans, disaster recovery plans, and emergency mode operations.
Read the full article here.
If you are a company looking at acquisition targets and want to make sure that any IRM issues have been diminished, SC&H Group’s IT Advisory Services team can help you understand and mitigate your security risks. Please contact us here.
Or, if you are a company looking to explore your buy-side M&A options, please contact SC&H Capital here.