In today’s world, many of the key assets that make a business attractive for a merger or acquisition – like intellectual property or customer information – are digital. As M&A activity returns to pre-pandemic levels, and with the potential for unforeseen events to affect the value of a deal, it makes sense to measure and manage the potential risks to important digital assets.
Experts from C-Risk and RiskLens took part in a webinar discussion aimed at shedding light on how to avoid common pitfalls and more effectively assess controls and their effect on cyber risk. This was the second in a three-part series of webinars under the theme of calculating cyber risk in financial terms.
Jacqueline Lebo, a senior risk consultant with RiskLens LLC who specialises in cybersecurity and privacy in the healthcare sector, says evaluating security controls can be a “massive undertaking” and it’s not practical or possible to do this in a finite amount of time – such as during a due diligence process. That’s why it’s essential to focus on what’s most important.
"You can boil the ocean and understand every single risk, or you can prioritise," she says. It’s important to establish a baseline understanding of a company’s security. Some large healthcare organisations are already using Cyber Risk Quantification (CRQ) to understand their M&A activity, Jacqueline Lebo adds.
CRQ is a way to measure risk in financial terms that helps businesses to define and model controls, mapping them to cyber risk scenarios.
“Having the CRQ component to be able to compare rather than a high/medium/low critical risk, on what the potential for loss is, is really helpful in being able to make more informed decisions,” says Zack Sumney, senior risk consultant with RiskLens, a specialist in quantifying enterprise risk.
Tom Callaghan, Co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter, says that a quantified view of controls can help in assessing and managing the cyber risk related to M&A. It’s valuable both in pre-acquisition and post-acquisition M&A situations by avoiding an unnecessarily broad examination of the entire controls landscape in favour of focusing on key assets and risk scenarios.
The full 51-minute webinar is available to watch back free on the C-Risk website, where you’ll learn best practice tips for assessing security controls during M&A activity:
The webinar also includes sample real-world scenarios from sectors such as healthcare and high-end luxury retail. These cover valuable tips to assess the cyber risk of an acquired company, such as: