When advising clients on business acquisitions, we often find their challenge is how to quickly identify and quantify the key cyber risks. It’s not best practice but typically, acquirers don’t want to slow down the deal with a cyber risk assessment during evaluation of the acquisition or the due diligence period.
After the acquisition, the rush is on to understand the risks and, if necessary, build support in the business to quickly line up the resources to mitigate, since any exposure now falls on the acquirer.
Here’s how RiskLens helps M&A teams handle assessment of cyber risk for an acquisition.
Chad Weinman is Vice President, Professional Services for RiskLens
Step 1: Identification
Risk management standards and books often speak about programmatically identifying risks. In reality, this is rarely done, and the most common method is based on control assessments. The problem is that these assessments a) take significant efforts and time to complete and b) only look at identifying risks from a compliance instead of a business-impact perspective.
Our RiskLens services experts have created a Rapid Risk Assessment workshop that has proven hundreds of times to be a very valuable jumpstart to understanding the risk landscape of an organization (acquisitions included).
The workshop centers on a half-day identification session that uses a structured approach to identify key risk event types like confidentiality (compromises of sensitive data) and availability (disrupting business operations).
The workshop not only seeks to identify the largest probable impacting events, but also the most frequent. With the right small group of stakeholders (typically no more than eight), we often identify anywhere from 40-100 cyber risks. The best part is, these are all defined within the guided workflow of the RiskLens platform and scoped in a consistent and way, following the FAIR™ (Factor Analysis of Information Risk), the internationally accepted standard for cyber risk quantification that’s the basis for the RiskLens platform.
Step 2: Rapid Quantification of Risks
Now that we have defined and scoped risks in the platform, the next step is to rapidly quantify them. We do this efficiently using the RiskLens platform’s Rapid Risk Assessment capability. It typically takes 1-2 days with the risk team to work through the rapid quantification of all these cyber risks (most of the time goes to discussion and data gathering – the platform runs analyses in minutes). The objective of this phase is to prioritize/rank the cyber risks by their probable impact.
If the Rapid Risk Assessment uncovers urgent risks, the team can move on to two more steps on the RiskLens platform:
Step 3: Detailed Assessment of the Top Cyber Risks
This may mean gathering more precise data/estimates for a few workshop questions or validating some assumptions made by the analyst team. Once completed, a detailed analysis is run on the platform to identify the key drivers of those top risks.
Step 4: Risk Treatment Analysis
The final step is driven by the objective to get the overall business support and resources to address any significant cyber risks quickly. We leverage the platform’s Risk Treatment Analysis capability within the RiskLens platform to see which new security processes or control improvements will reduce the top cyber risk exposure down to acceptable levels.
Broader Benefits of Leveraging RiskLens for M&A
The impact of undiscovered cyber risks on M&A can be severe: Uber tried and failed to conceal a data breach during negotiations to sell a stake to Softbank; the deal closed at a 30% discount to Uber’s initial valuation. Verizon cut its purchase price for Yahoo! by $350 million after breaches were uncovered there.
More than a software platform, RiskLens offers a structured way to investigate the loss exposure in financial terms for all the digital assets that an acquirer will absorb in a merger: the platforms and applications, intellectual property and customer databases, including the strength of the controls and processes protecting those assets, and the probability of an attack (based on the merger target’s previous experience).
Then RiskLens can recommend the most cost-effective forms of risk remediation. Ideally, and depending on the friendliness of the acquisition, this investigation can be done before or during due diligence, as well as in the more common post-transaction phase.
That’s a high level of assurance that an acquirer can prepare well for whatever legacy risks it’s acquiring in addition to the risks brought on by the integration phase of the merger, when attackers may seek to exploit the confusion of the handoff of information systems—more than one in three executives in a recent survey by IBM said that they experienced data breaches during a merger integration.
Learn more about how RiskLens can assist in mergers and acquisitions. Contact us.