Managing cybersecurity risk in mergers & acquisitions

M&A Webinar Highlights

Experts from C-Risk and RiskLens (now part of Safe Security) took part in a webinar discussion aimed at shedding light on how to avoid common pitfalls and more effectively assess controls and their effect on cyber risk. This was the second in a three-part series of webinars under the theme of calculating cyber risk in financial terms.

‍

Jacqueline Lebo, a senior risk consultant with RiskLens LLC, who specializes in cybersecurity and privacy in the healthcare sector, says evaluating security controls can be a “massive undertaking” and it’s not practical or possible to do this in a finite amount of time – such as during a due diligence process. That’s why it’s essential to focus on what’s most important.

"You can boil the ocean and understand every single risk, or you can prioritize," she says. It’s important to establish a baseline understanding of a company’s security. Some large healthcare organizations are already using Cyber Risk Quantification (CRQ) to understand their M&A activity.

‍

CRQ is a way to measure risk in financial terms that helps businesses to define and model controls, mapping them to cyber risk scenarios.

“Having the CRQ component to be able to compare rather than a high/medium/low critical risk, on what the potential for loss is, is really helpful in being able to make more informed decisions,”

says Zack Sumney, senior risk consultant with RiskLens, a specialist in quantifying enterprise risk.

‍

Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter, says that a quantified view of controls can help in assessing and managing the cyber risk related to M&A. It’s valuable both in pre-acquisition and post-acquisition M&A situations by avoiding an unnecessarily broad examination of the entire controls landscape in favor of focusing on key assets and risk scenarios.