Managing cybersecurity risk in mergers & acquisitions

In today’s world, many of the key assets that make a business attractive for a merger or acquisition – like intellectual property or customer information – are digital. As M&A activity returns to pre-pandemic levels, and with the potential for unforeseen events to affect the value of a deal, it makes sense to measure and manage the potential risks to important digital assets.


Christophe Forêt

An article from

Christophe Forêt
President and co-founder of C-Risk
Published
October 4, 2023
Updated
October 11, 2024
Reading time
minutes
quantifying M&A activities - C-Risk

Experts from C-Risk and RiskLens took part in a webinar discussion aimed at shedding light on how to avoid common pitfalls and more effectively assess controls and their effect on cyber risk. This was the second in a three-part series of webinars under the theme of calculating cyber risk in financial terms.

Jacqueline Lebo, a senior risk consultant with RiskLens LLC who specializes in cybersecurity and privacy in the healthcare sector, says evaluating security controls can be a “massive undertaking” and it’s not practical or possible to do this in a finite amount of time – such as during a due diligence process. That’s why it’s essential to focus on what’s most important.

"You can boil the ocean and understand every single risk, or you can prioritize," she says. It’s important to establish a baseline understanding of a company’s security. Some large healthcare organizations are already using Cyber Risk Quantification (CRQ) to understand their M&A activity, Jacqueline Lebo adds.

CRQ is a way to measure risk in financial terms that helps businesses to define and model controls, mapping them to cyber risk scenarios.

“Having the CRQ component to be able to compare rather than a high/medium/low critical risk, on what the potential for loss is, is really helpful in being able to make more informed decisions,” says Zack Sumney, senior risk consultant with RiskLens, a specialist in quantifying enterprise risk.

Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter, says that a quantified view of controls can help in assessing and managing the cyber risk related to M&A. It’s valuable both in pre-acquisition and post-acquisition M&A situations by avoiding an unnecessarily broad examination of the entire controls landscape in favor of focusing on key assets and risk scenarios.

Build your organization's cyber resilience with Cyber Risk Quantification

Our FAIR-certified experts will help you prioritize your IT security investments, improve governance and increase your organization's cyber resilience.

The full 51-minutes webinar is available to watch back free on the C-Risk website, where you’ll learn best practice tips for assessing security controls during M&A activity:

  • Identify what will be the most valuable assets in a post-acquisition operating model
  • Build risk scenarios around those key assets and focus on the financial impact
  • Scope scenarios properly to understand what the potential loss would be
  • Understand the acquisition strategy to see what decisions the risk assessment supports
Best practice tips for assessing security controls during M&A activity

The webinar also includes sample real-world scenarios from sectors such as healthcare and high-end luxury retail. This covered valuable tips to assess the cyber risk of an acquired company, such as:

  • During due diligence, assess if there is a lot of legacy technology and establish how that fits into the security control landscape
  • How much is the risk you are acquiring with this legacy tech?
  • Do you need to renegotiate terms or account for this?

In this article
Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.