Cyber Security Due Diligence in Corporate Restructurings


What is corporate restructuring?

Corporate restructuring is the process of simplifying and reorganizing the corporate governance and operations of an organization so that it becomes more agile, productive, responsive and profitable, with improved quality and time to market. It is a transformation of the organization: a reincarnation of the firm from its old shape into a new one.

The following are the different kinds of corporate restructuring initiatives adopted by organizations across the globe:

  •        Mergers
  •        Demergers (spin off)
  •        Takeovers/ Acquisitions
  •        Divestitures
  •        Joint Ventures

The following are the key phases of any corporate restructuring initiative adopted by an organization:

  •        Diagnostic phase (Due Diligence)
  •        Planning phase
  •        Execution phase

Every corporate restructuring initiative brings in a large number of risks that the organization must address through preventive and corrective measures. The following are some of the key risks related to corporate restructuring initiatives adopted by organizations:

  •        Insufficient Due Diligence Study
  •        Inadequate Integration Planning
  •        Cultural differences
  •        Inadequate Employee engagement
  •        Lack of synergy between the organizations
  •        Complex Business Processes
  •        Complex Organizational Structures
  •        Technology & Cyber Security Risks
  •        Ineffective Communication
  •        Legal & Compliance Risks

What is Due Diligence Study?

Due Diligence is a well-planned investigation of the various aspects of the organizations involved in a corporate restructuring initiative. The investigation explores the following aspects of the organizations; on that basis the worthiness of the restructuring is determined, and the subsequent integration activities and related investments can be planned effectively:

  •        Financial & Accounting Practice and Financial Health
  •        Information & Technology Governance
  •        Corporate, Business & Operational Governance
  •        Products & Services
  •        Target segment of customers
  •        Business Operating Model
  •        Legal & Compliance Mandates
  •        Suppliers, Investors and other stakeholders
  •        Human Resource Management Practices
  •        Synergy of the organizations involved

Why does Cyber Security need to be considered a critical element in a Due Diligence Process?

A recent survey by NYSE Governance Services (which surveyed 276 directors and officers of public companies) identified that the presence of cyber security risks had a significant impact on the M&A due diligence process practiced by many of the organizations surveyed.

Any corporate restructuring initiative adopted by an organization brings in a significant amount of cyber security risk. The following are some of the potential Cyber Security Risks:

  •        Data security Risks
  •        Application security Risks
  •        IT Infrastructure Security Risks
  •        Network Security Risks
  •        Vendor Security Risks
  •        Physical Security Risks
  •        Cyber Security Governance Risks

The following are the key areas to be looked at in a Cyber Security Due Diligence Study done during a corporate restructuring initiative:

  •        Critical Business Processes
  •        Information Assets Management
  •        Cyber Security Architecture
  •        Cyber Security Governance
  •        Cyber Security Tools used
  •        ICT Supply Chain Risk Management Practice
  •        Incident Management Practice
  •        ICT Services Continuity Management Practice
  •        Outsourcing of IT Services
  •        Security Operations and Support

Critical Business Processes

The following details around critical business processes need to be looked into during a cyber security due diligence study:

  •        Critical Business Processes of the organization
  •        Business Processes that consume/process considerable amount of information
  •        Information flow between business processes and how it is secured
  •        Level of Business Process Automation
  •        Risk Assessments done for the critical business processes covering cyber risks
  •        Business Continuity arrangements done for the critical business processes

Information Assets Management

The following details around Information Assets Management need to be looked into during a cyber security due diligence study:

  •        Information Assets that are most important to the business
  •        Information Classification practice
  •        Where these Information Assets are stored
  •        How these Information Assets are protected (data in transit and data at rest)
  •        The threats faced by these Information Assets.
  •        The cybersecurity budget in terms of procurement & maintenance of Information Assets

Cyber Security Architecture

Security Architecture is the process of translating business vision and strategy into effective security requirements, principles and models that describe the enterprise’s future security state and enable its evolution. Based on the Defense in Depth approach, organizations should build a multi-layered Cyber Security Architecture for securing and protecting their critical infrastructure, networks, information processing facilities and the various critical information assets they own.

Defense in Depth is a layered security mechanism that increases the security of an information system as a whole. If a cyber attack causes one layer of security to fail, the other layers may still provide the protection the system needs.

Models and standards such as SABSA[5] and ISO 27001[6] can be adopted for developing the cyber security architecture of an organization. This security architecture should be supported by a well laid out Information Governance Practice that links the various components of the Cyber Security Architecture. We need to verify the security architecture of an organization during due diligence to understand how well security is integrated into the DNA of the organization.

The following diagram depicts Defense In Depth Approach of Security Architecture:

Cyber Security Governance

The existence of the following Cyber Security Governance Controls needs to be looked into during a cyber security due diligence study:

  •        Cyber Security Policies & Procedures
  •        Roles & Responsibilities, Key Performance Indicators
  •        Key Risk Indicators
  •        Cyber Security Risk Management
  •        Cyber Security Assurance Arrangements
  •        Cyber Security Trainings & Awareness Programs

Cyber Security Policies & Procedures

Policies & Procedures define the way of working for the day-to-day operations of any organization. Policies set the management objectives for doing anything in an organization, and procedures set out the detailed way of working. Put simply, policies describe “WHAT” and procedures describe “HOW”. For the effective implementation of Cyber Security in an organization, the existence of Cyber Security Policies & Procedures is critical. The following are some of the key Cyber Security Policies & Procedures every organization should have in place:

  •        Physical & Environmental Security Policy
  •        Clear Desk and Clear Screen Policy
  •        Information Asset Acceptable Usage Policy
  •        Information Asset Management Policy
  •        Password Management Policy
  •        User Access Control Policy
  •        Backup & Retention Policy
  •        Change Management Policy
  •        Storage Media Handling Policy
  •        E-mail Policy
  •        Cryptography Policy
  •        Network Security Policy
  •        Vulnerability and Patch Management Policy
  •        Third Party Security Policy
  •        Information Security Risk Management Policy
  •        Information Security Improvement Policy
  •        Information Security Training & Awareness Policy

Roles & Responsibilities, Key Performance Indicators (KPIs)

Cyber security has been recognized as a significant business risk by most Company Boards and Management Teams. To address such risks, it is critical for the management team to define the various Cyber Security Roles & Responsibilities and the KPIs for measuring the effectiveness of the roles defined. Needless to say, the frequency of measuring these KPIs also needs to be decided and agreed with the individuals playing these roles.

Key Risk Indicators (KRIs)

Risk is the probability of unwanted cyber security incidents happening; these risks are the crown jewels to be watched in a Cyber Security Practice. KRIs are indicators of the ongoing changes in the risk profile of an organization. KRIs enable an organization to be proactive in taking risk prevention/protection actions in a timely manner.

The following are some sample Cyber Security KRIs:

  •        Disclosure of critical data
  •        Unplanned downtime of critical information assets
  •        Number of unsecured Devices
  •        Number of compliance / regulatory breaches
  •        Number of cyber security incidents

Cyber Security Risk Management

Cyber security risk management is the application of enterprise risk management principles to the cyber security practices of an organization. It predominantly revolves around identifying risks and vulnerabilities from a cyber security perspective and developing and implementing appropriate and robust cyber security controls. The following are some Cyber Security Risk Management best practices:

  •        Periodic Vulnerability Assessments
  •        Periodic Penetration Testing
  •        Setting up & implementing a Cyber Risk Management Framework
  •        Proactive Vulnerability & Patch Management
  •        Installation of Security Devices such as Firewalls, IDS/IPS, NAC etc.
  •        Setting up a Security Operations Center based on a SIEM Solution
  •        Implementing Encryption & Cryptography Controls
  •        Periodic Reviews of Cyber Security Policies & Procedures
  •        Cyber Insurance

Cyber Security Assurance Arrangements

Cyber security assurance is the process of assuring that the cyber security practice of an organization proactively addresses cyber risks and meets the policy and compliance objectives faced by the organization. The following are considered effective Cyber Security Assurance Arrangements adopted by global organizations:

  •        Internal & External Audits
  •        External Penetration Testing
  •        Breach Assessments
  •        Cyber Security Risk Assessment
  •        Compliance Programs (such as the NESA, ADSIC and NCEMA programs in the UAE)
  •        Cyber Security Incident Reporting
  •        Security Advisory Service from External Agency
  •        Cyber Security Practice Benchmarking Studies
  •        Cyber Security Practice Maturity Assessments

Cyber Security Trainings & Awareness Programs

An organization should implement information security trainings based on a well-defined cyber security training & awareness plan. The following objectives will be fulfilled by implementing such a plan:

  •        Ensuring that all staff and affiliates of the Bank are equipped with the awareness and knowledge required for carrying out their Information Security related responsibilities, as per their defined roles, through training courses allocated to them.
  •        Developing and maintaining the core skills, knowledge and capabilities around Information Security management practices that will help Bank of Sharjah detect, prevent and protect the Bank from emerging information security threats.
  •        On an ongoing basis, new trainings should be scheduled based on key triggers identified. Training and awareness material also need to be updated based on feedback received from audiences through training effectiveness evaluation and on critical organizational changes. The effectiveness of Information Security Trainings & Awareness should be evaluated continuously and the required improvements brought into the existing training programs.
  •        Appropriate communication should be sent to all identified participants informing them of the Information Security trainings assigned to them for completion. Continuous follow-ups should be performed to ensure timely completion of the training courses by the identified audiences. Mechanisms such as articles, emails, posters, flyers and publications should be used to reinforce important information security awareness from time to time.

Cyber Security Tools used

Organizations use the following Technologies for managing their day to day cyber security operations:

  •        DLP
  •        End Point & APT Solutions
  •        Proxies
  •        Next Generation Firewalls
  •        IDS/IPS
  •        IDAM
  •        E Mail Gateway
  •        Database Security Suites
  •        Threat Intelligence Suites
  •        Security & Surveillance Devices (CCTVs, Intruder Alarms, Access Control Devices etc)

During a cyber security due diligence study, the implementation of the various security tools and their effectiveness need to be reviewed.

ICT Supply Chain Risk Management Practice

A supply chain is a series of activities involved in developing or producing a product or service from supplier or producer to customer. A supply chain includes a channel of distribution beginning with the supplier of materials or components, extending through a manufacturing process to the distributor and retailer, and ultimately to the consumer.

During a cyber security due diligence study, potential ICT Supply Chain Risks need to be looked into with careful consideration. ICT supply chain risks may include counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the ICT supply chain. These risks are associated with an organization’s decreased visibility into, and understanding of, how the technology it acquires is developed, integrated and deployed, as well as the processes, procedures and practices used to assure the integrity, security, resilience and quality of the products and services. ICT products and services might contain vulnerabilities that present opportunities for ICT supply chain compromises. ICT Supply Chain Risk Management (SCRM) is the process of identifying, assessing and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.

Samples of ICT Supply Chain Risks

The following are considered as major risks faced by organizations in their ICT Supply chain:

  •        Technology Obsolescence
  •        Malware Infection
  •        Supplier introduced defects into the ICT Products supplied.
  •        Supply Risks caused by any interruption in the supply chain.
  •        Environmental risks – Risks happening from outside of the supply chain, usually related to economic, social, governmental, and climate factors, including the threat of terrorism.
  •        Mitigation and contingency risks – Risks caused by not having contingency plans (or alternative ICT solutions and services) in place in case something goes wrong.

The following are some of the effective ICT Supply chain Risk Management Practices adopted by global organizations:

  •        Periodic Risk & Control Self Assessments
  •        Product Security Evaluation
  •        Strong IT Vendor Management Governance
  •        Secured Software Development
  •        Timely and Adequate Threat Intelligence
  •        Incident Management
  •        ICT Continuity Planning

Incident Management Practice

During a cyber security due diligence study, the incident management capability needs to be thoroughly reviewed, as it lays the foundation of the cyber security practice in an organization. An Incident Management Practice helps the organization monitor cyber security threats and restore the IT services provided to customers after disasters triggered by cyber security incidents.

The following are the major components of an ideal Incident Management Program of an organization:

  •        Pre-incident preparation – Taking actions to prepare the organization before occurrence of any cyber security incident.
  •        Detection of incidents – Identifying a potential cyber security incident
  •        Incident response – Performing the initial investigation, recording the basic details about the incident, assembling the incident response team, and educating the individuals who need to know about the incident response flow; then, based on all the known facts, determining the best response and obtaining management approval.
  •        Forensics Investigation – Collecting incident related data and performing a detailed forensics analysis based on the data collected.
  •        Reporting – Reporting the results of the investigation conducted.
  •        Identifying and Implementing Lessons Learned – Implementing improvements identified from the investigation performed.
  •        Reporting with external bodies – Reporting to external bodies such as regulators

We need to investigate the cyber security incidents faced by the organization in recent years and the Incident Response activities taken, such as Digital Forensics and Risk Mitigation Measures. This is critical in deciding how vulnerable the organization is to emerging cyber attacks.

ICT Services Continuity Management Practice

During a cyber security due diligence study, the ICT Services Continuity capability of the organization needs to be reviewed carefully, as it complements the incident response planning practice of the organization. An ICT Services Continuity Management Practice helps an organization recover critical information assets or systems brought down by planned or unplanned outages caused by cyber security incidents.

The following critical questions need to be looked into with respect to ICT Services Continuity Practice:

  •        Is there a plan in place to recover information systems when they become unavailable?
  •        What are the IT Service Continuity objectives (RTO, RPO)?
  •        Is there an IT DR & ICT Services Continuity Management Plan in place?
  •        Are there IT DR & ICT Services Continuity Management Procedures in place?
  •        Are the IT DR & ICT Services Continuity Management Plan & Procedures tested at periodic intervals?
  •        Were there cyber security incidents in the past that caused outages of Information Systems?
  •        Has the network suffered any performance issues or outages in recent times?
  •        Did the organization use the services of outside experts to investigate outages?
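The RTO/RPO questions above are easiest to answer with evidence rather than assertions: the target organization's DR test logs and incident records can be measured against its stated objectives. The following is an added example (not part of the original article, and not a tool from any organization it mentions) that does exactly that. The service names, objectives, test interval, dates and the review date are all constructed, hypothetical values. It computes the achieved recovery time (downtime) and the achieved data-loss window for each record, flags records that miss the agreed RTO or RPO, and lists services whose most recent planned DR test is older than the agreed interval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed continuity objectives for two critical services (illustrative
# values, not taken from the article or any real organisation):
#   rto           - maximum tolerable time until the service is restored
#   rpo           - maximum tolerable data loss, expressed as time since the last good restore point
#   test_interval - how often the DR plan for the service must be exercised
OBJECTIVES = {
    "core-banking": {
        "rto": timedelta(hours=4),
        "rpo": timedelta(minutes=15),
        "test_interval": timedelta(days=365),
    },
    "email": {
        "rto": timedelta(hours=24),
        "rpo": timedelta(hours=4),
        "test_interval": timedelta(days=365),
    },
}


@dataclass
class RecoveryRecord:
    """One DR exercise or real outage, as it would appear in a test log or incident record."""
    service: str
    outage_start: datetime
    last_good_backup: datetime   # most recent restore point taken before the outage
    service_restored: datetime
    kind: str                    # "test" (planned DR exercise) or "incident" (real outage)


# Constructed history for the two services (hypothetical dates and times).
HISTORY = [
    RecoveryRecord("core-banking", datetime(2017, 3, 10, 9, 0), datetime(2017, 3, 10, 8, 50),
                   datetime(2017, 3, 10, 12, 30), "test"),
    RecoveryRecord("core-banking", datetime(2017, 9, 2, 2, 0), datetime(2017, 9, 2, 1, 0),
                   datetime(2017, 9, 2, 7, 15), "incident"),
    RecoveryRecord("email", datetime(2016, 5, 1, 10, 0), datetime(2016, 5, 1, 9, 0),
                   datetime(2016, 5, 1, 20, 0), "test"),
]

# Hypothetical date on which the due diligence review is performed.
AS_OF = datetime(2017, 12, 1)


def assess(record, objectives):
    """Compare the recovery actually achieved in one record against the agreed RTO/RPO."""
    obj = objectives[record.service]
    achieved_rto = record.service_restored - record.outage_start      # downtime
    achieved_rpo = record.outage_start - record.last_good_backup      # data-loss window
    return {
        "service": record.service,
        "kind": record.kind,
        "achieved_rto": achieved_rto,
        "rto_met": achieved_rto <= obj["rto"],
        "achieved_rpo": achieved_rpo,
        "rpo_met": achieved_rpo <= obj["rpo"],
    }


def overdue_tests(history, objectives, as_of):
    """Services whose most recent planned DR test is older than the agreed interval, or never tested.

    Only records of kind "test" count: a real incident proves the plan was used once,
    not that it is being exercised at periodic intervals.
    """
    overdue = {}
    for service, obj in objectives.items():
        tests = [r.service_restored for r in history
                 if r.service == service and r.kind == "test"]
        last_test = max(tests) if tests else None
        if last_test is None or as_of - last_test > obj["test_interval"]:
            overdue[service] = last_test
    return overdue


def due_diligence_report(history, objectives, as_of):
    """Bundle the per-record RTO/RPO findings with the services whose testing is overdue."""
    return {
        "findings": [assess(r, objectives) for r in history],
        "overdue_tests": overdue_tests(history, objectives, as_of),
    }


def demo_report():
    """Run the review over the constructed data above."""
    return due_diligence_report(HISTORY, OBJECTIVES, AS_OF)


if __name__ == "__main__":
    report = demo_report()
    for f in report["findings"]:
        print(f"{f['service']:13} {f['kind']:9} downtime={f['achieved_rto']} (RTO met: {f['rto_met']}) "
              f"data loss={f['achieved_rpo']} (RPO met: {f['rpo_met']})")
    for service, last in report["overdue_tests"].items():
        print(f"DR test overdue for {service}: last test {last or 'never'}")
```

On the constructed data, the planned core-banking test meets both objectives, the real core-banking incident misses both (5h15 of downtime against a 4-hour RTO, an hour of data loss against a 15-minute RPO), and the email service shows up as overdue for testing. That contrast is the point for a reviewer: a passed test alongside a failed real incident is a question to put to the target's IT management, and an untested plan is no evidence of continuity capability at all.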

Outsourcing of IT Services

During a cyber security due diligence study, outsourcing of IT services needs to be carefully reviewed, as connectivity and data sharing in outsourcing relationships can expose the organization to major risks. The organization’s network may be compromised, and data elements leaked or tampered with, because of inadequate authentication and authorization mechanisms. As a best practice, organizations outsourcing their IT services should include a Right to Audit clause in their contracts with suppliers. This enables the organization to audit and ensure the adequacy of the cyber security controls practiced by suppliers that hold the organization’s critical data.

Security Operations and Support

During a cyber security due diligence study, the Security Operations and Support practice needs to be reviewed in line with the SLAs/OLAs in place. Security Operations and Support help organizations ensure that emerging cyber security threats are identified and addressed in a timely manner through the following mechanisms:

  •        Security Information and Event Management (SIEM) Solution
  •        Setting up & managing SOC (Security Operations Center)
  •        Cyber Security Incident tracking and reporting Practice

Other critical areas to be reviewed in a cyber security due diligence study

  •        Management oversight of Cyber Security Function
  •        Latest Cyber Security Audits & Assessment Reports
  •        Details of Recent Incidents / Intrusions
  •        Information Asset Register
  •        Endpoint Security Controls
  •        Application & Database Security Controls
  •        Identity & Access Management Controls
  •        Network Security Controls
  •        Information Classification Scheme
  •        Data Security Controls
  •        Privacy Controls
  •        Linkages of security function with corporate functions such as HR, Procurement, Risk, Compliance, Internal Audit and Legal
  •        Incident Response Plans & Arrangements with experts
  •        Threat Intelligence Practice
  •        Physical Security Controls
  •        Information Asset & Media Handling Procedures
  •        Product & Vendor Security Evaluations performed
  •        Security in Software Development
  •        HR Information Security Controls
  •        Supplier Security Controls
  •        Backup & Recovery Controls
  •        Applicable Regulatory Compliance Mandates related to cyber security (Such as NESA IAS)
  •        Monitoring of Legal Department on Cyber Security Compliance
  •        Patches & Upgrades Testing & Production Rollout
  •        Change Management Controls
  •        Contracts signed with key IT suppliers
  •        Cyber Security Budgets vs. Consumption, ROI Calculations
  •        Details of any complaints, claims, proceedings or litigation relating to the Company’s information security practices
  •        Copies of any cyber insurance or similar insurance policies
  •        Continuous Improvement Activities related to Cyber Security Practice
  •        Professional Affiliations & partnerships with industry forums

Conclusion

Recent survey reports[1][2][3] from the industry have found that businesses lack qualified cyber security talent during an M&A. According to the study, a majority of companies (80 percent) said cyber security issues have become highly important in the M&A due diligence process. As per the latest report from Bloomberg[4], banks are hiring Cyber-Security Experts to successfully execute Mergers & Acquisition deals. Inadequate cyber security practice increases the possibility of cyber security breaches that could negatively impact the entire new organization that emerges from a corporate restructuring initiative. Unaddressed vulnerabilities might result in significant cyber security risks. So it is critical to address not only the key IT Infrastructure and IT Operation risks, but also the complete gamut of potential cyber security risks. This will ensure a good return on the heavy investments of time, money and effort made in a corporate restructuring initiative.

Endnotes

  1.    Survey from West Monroe Partners, July 12, 2016 (http://www.westmonroepartners.com/Insights/White-Papers/security-survey)
  2.    Survey from global deal makers by Freshfields Bruckhaus Deringer on Cyber Security in M & A (https://www.freshfields.com/globalassets/campaign-landing/cyber-security/ma-cyber-security-report.pdf)
  3.    2016 Survey Report from NYSE Governance Services (https://www.nyse.com/publicdocs/Cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf)
  4.    “Bankers Are Hiring Cyber-Security Experts to Help Get Deals Done”, bloomberg.com, June 26, 2017 (https://www.bloomberg.com/news/articles/2017-06-26/bankers-are-hiring-security-experts-to-help-get-deals-done)
  5.    What is SABSA (http://www.sabsa.org/node/5)
  6.    ISO/IEC 27000 family – Information security management systems (https://www.iso.org/isoiec-27001-information-security.html)

Vimal Mani

Vimal Mani is a Cyber Security & Digital Crime Researcher, Blogger and Author with 20 years of progressive experience in the Banking & Financial Services, Energy, Retail, Healthcare and ICT sectors. At present he is working as Chief Information Security Officer (CISO) for Bank Of Sharjah, UAE.