Cybersecurity Due Diligence for M&A

Kroll’s cybersecurity due diligence services help firms across Singapore, Hong Kong, Asia and the world to make fully informed M&A decisions

• Identify pre-existing cybersecurity lapses or potential built-in risks in acquisition targets
• If necessary, restructure investments to incorporate any necessary remediation costs
• Demonstrate commitment to data security to regulators and stakeholders

1 - sample cybersecurity due diligence steps in pre- and post-transaction

Even Sophisticated Companies Can Be Unprepared
An acquisition target may have a great product, an efficient sales team, and a solid balance sheet. But, to assess a target company’s cybersecurity risk, investors shouldn’t trust self-disclosures to provide all the relevant information.

Organisations looking to be acquired can use positive findings or prompt remediation from Kroll’s assessments – especially Modules 3 and 4 – to demonstrate the company’s value and alleviate potential buyers' concerns.

Cybersecurity Due Diligence Overview
Kroll's independent cyber due diligence services can verify whether a target company’s cybersecurity history or current posture add undue risks to the value of an acquisition. Our experts can identify material data security weaknesses that need to be addressed to avoid or properly consider post-transaction risks, fines, and remediation costs. Our services include:

• Identifying information security risks and deficiencies in governance, operations, and technology
• Investigating undisclosed or unknown data breaches
• Evaluating a target's capability to detect and effectively respond to a cybersecurity incident
• Calculating potential remediation costs from operational, financial, and reputational perspectives based on previous or unknown exposures

Pre- and Post-Transaction Services
Kroll offers four customisable cyber due diligence modules to help identify, assess, and manage data security risks, both pre- and post-transaction. Each module can be tailored to a unique transaction, and companies can utilise a combination of services based on their specific risk concerns, deal speed, and access to the target company.

For organisations seeking to be acquired, positive findings or timely remediation based on these assessments – especially Modules 3 and 4 – can allay potential buyers’ concerns and accelerate a deal's close.

Module #1 – Deep and Dark Web Exposure
With Kroll's CyberDetectER^® DarkWeb – which contains more than 13 years of indexed dark web data, with more than 3 million files added every day – we can conduct a deep and dark web assessment with unparalleled scope. Using this proprietary resource, our experts will quickly and efficiently identify any exposed data or previously unknown breaches without needing to access a target company’s network

Module #2 - Compromise Assessment*
Our team can deploy Kroll Responder across all endpoints in a target company to search and monitor for malicious and unusual behaviors. Kroll's cybersecurity experts will be ready to respond and contain threats if endpoint data identifies any malware or infection points

Module #3 – Cyber Risk Assessment
Our experts perform risk assessments using Kroll's proprietary methodology developed over years of incident response and investigation work. We also adapt assessments to ensure compliance with any industry-specific standards or regulations, including ISO, NIST, PCI-DSS, HIPAA/HITECH, GLBA, and CIS. Our framework produces agile assessments that need only minimal input from the target company. They can also be adapted for deeper review if access to internal systems is granted.

Module #4 – Vulnerability Assessment / Penetration Testing
Kroll's professional penetration testing teams will simulate real-world cyberattacks to examine systems for vulnerabilities and assess employee awareness through social engineering exercises. These tests provide valuable insight into the real-world risks a company faces and are often conducted pre-transaction by those seeking to be acquired or immediately post-transaction by the purchasing organisation.

Case Study: Agile Cyber Due Diligence for Global Investment Firm
A leading global investment firm managing over $150 billion assets was concerned about the increased risks associated with data security and privacy incidents. They sought Kroll’s help to establish a cybersecurity due diligence framework to assess the maturity of potential M&A targets.

Given the speed of investments and limited access to internal systems, the firm needed its cyber due diligence framework to be as accurate as possible within tight time constraints.

Solution:
Kroll’s Cyber Risk experts developed a framework based on the CIS Top 20 Critical Security Controls™ to assess a company’s vulnerability to data breaches and overall cyber defense posture. The agile evaluation instrument provided a general overview and included three core elements:

• A review of an investment target's current policies and procedures, including incident response plans
• The completion of either a written questionnaire or phone interview
• A summation of previous assessment reports (such as SOC 2) when available

Impact:
Once implemented, Kroll’s cybersecurity due diligence framework could produce useful results for the investment company’s information security team within two hours. For each deal, the tool provided crucial insights needed for more information valuation.

Key Deliverables
Regardless of the modules selected for the cyber due diligence process, Kroll’s experts offer clients the assistance they need to properly assess the risks associated with a potential acquisition. Deliverables from each assessment include a thorough analysis of the organisation's security posture and will help our clients develop a successful integration plan based on our expert guidance.