Thu, Jul 23, 2020

Understanding the Ins and Outs of Cyber Security Risk – Learning From an External View

Kroll CyberClarity360 experts Imran Jaswal, Managing Director and Head of Innovation Asset Management, and Ryan Spelman, Senior Manager, together with Kevin Braine, Managing Director and Head of EMEA in the Compliance Risk and Diligence practice, discussed how they are leveraging new “outside-in” data sources to continuously monitor the cyber security risk of companies through open-source intelligence techniques, and how other parts of Kroll are using that data for clients.


This 60-minute webinar covers:

  • Importance of cyber risk during due diligence
  • What is “outside-in” data
  • “Outside-in” data within our CyberClarity360 third-party cyber risk assessment platform
  • How other parts of Kroll are using the data for clients


Notable Passages From the Presentation

Importance of Cyber Risk During Due Diligence

Cyber due diligence has been a key concern of most C-suites, most senior teams, most M&A teams for quite a while now. Mainly it's still viewed as that intangible risk that is hard to assess, hard to protect against. But the big change we've seen over the last few years is that rather than waiting for an acquisition to be completed before you properly go and kick the tires and work out how robust the infrastructure of the company you're acquiring might be, and rather than just relying on disclosures during the exclusivity stage or during earlier stages of the M&A discussion, we're now seeing clients being much more proactive and looking to test the sort of cyber risk that they might inherit ahead of really investing a lot of time in a particular transaction.

Including cyber risk in due diligence, I mean we all know why it's important: getting it wrong means reputational damage. If you're dealing with listed entities, you can see how shareholder confidence takes a knock when you inherit or you have a cyber issue bubble up. It can lead to fines. I mean under GDPR, if you inherit some sort of data breach through an acquisition, that's up to 4% of prior global turnover under GDPR. And now also, of course, equivalent fines under other regulatory regimes outside the European Union. You will have all seen maybe last year large, tech-savvy companies get hit despite being quite careful in this field. – Kevin Braine

What Is “Outside-In” Data

I'll quickly now kind of talk about the two different approaches through that collect phase, really this concept of inside-out versus outside-in. So starting with the inside-out, we're really talking about this approach when we engage a target, when we have a relationship already, so really not necessarily when we're pre-deal in an M&A situation, because at that point, like Kevin said, there can be concerns about disclosing the potential for that transaction. So with the inside-out, we really have the opportunity to ask deeper questions, perhaps also have the ability to understand more around the resilience of that organization as well; certainly as we engage with them we can think about and ask questions and gain information around their ability to respond to and recover from a particular breach itself.

Some of the challenges we see with that approach: obviously one is the need for the engagement, so that obviously has to be something that we can actually do at that point in time, but oftentimes the self-assessment approach, the approach that asks questions of a particular supplier, can be very subjective in nature, and could result in some puffery or maybe inaccurate information being provided, not necessarily intentionally but sometimes it's just a question of they didn't understand what was being asked of them. Also, the velocity and scale with that type of approach can be somewhat limiting, and a lot of our clients obviously spend a fair amount of time when they're going through that type of process to be able to collect that information. So, from a use case perspective, certainly, the inside-out approach can be more beneficial in a post-close situation for an M&A deal; for supply chains, certainly for critical suppliers, when we really need to have a deep understanding of that supplier's controls because they're so heavily integrated perhaps with the larger organization, it can certainly help support that type of use case much more easily.

Contrast that with the outside-in approach, which really allows us to analyze data and information on digital assets an organization may have from the outside. What that allows us to do is to be very objective in our assessment; it's also very easily scalable. It also doesn't require engagement with the target itself, so it can be very discreet and so it can support the M&A pre-deal or pre-closing use case very efficiently. However, some of the challenges with it are that the scope of the data that we collect is obviously somewhat more limited; we're not actually engaging and trying to collaborate or even understand the resilience of that particular organization, so we can't really get under the surface, other than things that we can see from the outside.

But it can be effective when we're talking about scale because it'll allow us to be able to do hundreds if not thousands of potential suppliers or targets very quickly. – Imran Jaswal

“Outside-in” Data Within Our CyberClarity360 Third-party Cyber Risk Assessment Platform

So how do you access this information? How do you get to take advantage of working with us? So I'll talk briefly about the two different delivery models and I'll pull Kevin in for one of them. So we here at Duff & Phelps, through our CyberClarity360 products, have the ability to offer this either through our own platform or through the Kroll Reports platform. Through our platform we're really helpful on the portfolio level, so if you have a portfolio and you're looking at multiple acquisition targets or a very broad supply chain, we can help you make sense of that, help you take a look at some of the data points, whether leveraging that outside-in data, or perhaps even leveraging some of the inside-out data that we can help you procure.

We can help you understand the different aspects of your entire portfolio of targets to better understand this risk exposure. But for many folks that platform is not really what they need; they need a one-off or a structure with hosting it individually, or perhaps they don't have the resources in place. And that's what's great about our partnership with Kroll Due Diligence. – Ryan Spelman

How Other Parts of Kroll Are Using It for Clients

We offer a full suite of due diligence reports from very light touch, very cost effective, very quick for those situations that are relatively low-risk or where you are in early stage discussions, to much more in-depth, much more bespoke solutions. And we can add a cyber risk research element, and an element of due diligence delivered by the CyberClarity360 team to any of those reports. It's becoming more and more standard, so let's say, in M&A situations certainly, but now also, when we have clients onboarding sort of higher-risk suppliers.

Either clients who already have some concerns, or who already have been under some regulatory pressure because of past data breaches, are asking us to conduct very light touch cyber checks in a systematic manner. And, also, clients who are more aware that certain types of relationship will mean significant cyber and data risk exposure. And, again, this is when you're talking about vendors or suppliers that you will be sharing a significant amount of proprietary data and often protected data with, and our reports, essentially, meld our traditional sort of reputation and regulatory risk assessments with a cyber risk assessment. – Kevin Braine
