Cybersecurity has emerged as a key risk factor to be weighed during the due diligence process of any merger and acquisition. How should organizations on both sides approach the process? Steve Chabinsky of CrowdStrike shares his thoughts on strategy for assessing cyber risk during the M&A due diligence process.
CrowdStrike regularly consults with organizations going through M&A due diligence, and there is a wide range of cybersecurity items to sort through, says Chabinsky, the company's general counsel and chief risk officer.
"Risk can span a pretty wide gamut in this area," he says. "Depending on the type of company to be purchased, they could have regulatory requirements that are or are not being met. Or perhaps the company already experienced a breach that required that they provide notification, but they failed to give that notice - so that's something that you'd want to look for."
At the same time, a target company could unknowingly be the victim of a "low and slow" data leak to an external hacker looking to exploit intellectual property. Or maybe the organization is about to be hit by ransomware.
"Knowing these things in advance of an acquisition - it provides the purchaser with the ability to factor [them] into a final price or perhaps have the target company take steps to correct them prior to an acquisition."
In an interview on cybersecurity during M&A, Chabinsky discusses:
- How organizations on both sides can prepare for due diligence;
- Key risk factors on which to focus;
- Potential cybersecurity deal-breakers.
Chabinsky is General Counsel and Chief Risk Officer for cybersecurity technology firm CrowdStrike, the cyber columnist for Security magazine, and a member of the President's Commission on Enhancing National Cybersecurity. He previously served as Deputy Assistant Director of the FBI's Cyber Division.