Page 150 - Cyber Defense eMagazine RSAC Special Edition 2025

1. Assessments of Security Framework

The first step in cybersecurity due diligence is evaluating the target company’s security framework to determine its overall cybersecurity practices. This assessment should cover:

• Compliance Standards: Assess whether the company adheres to specific regulatory requirements such as the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Standards and Technology (NIST) frameworks. The applicable requirements will vary based on the company’s industry, products, services, and data collection and usage practices, among other factors.
• Incident Response Plans: Review the company’s incident response capabilities, including documented processes and response teams, as well as how those capabilities were exercised during (and updated since) past breaches.
• Security Infrastructure: Evaluate existing security controls, including firewalls, intrusion detection systems (IDS), encryption protocols and endpoint protection mechanisms. The infrastructure will likely include functionality controlled by the company as well as products and services provided by third parties.
• Vulnerability Management: Analyze the company’s approach to patch management, software updates and vulnerability assessments to determine whether it follows best practices.
• Third-Party Risk Management: Determine how the company manages cybersecurity risks posed by vendors, suppliers and partners with access to its systems.
• Penetration Testing and Audits: Review the company’s history of penetration testing and security audits to gauge the robustness of its defenses. These tests and audits will include recommendations from the auditors; however, companies frequently do not implement all recommendations. Additionally, tests conducted several years prior to the acquisition may not adequately reflect the current state of cybersecurity needs and concerns and may offer little value to the acquirer’s review.
• Cyber Insurance Coverage: Determine whether the company has cyber insurance and assess the terms, limitations and coverage for potential cyber-related incidents. The acquirer likely will not be able to assume the coverage after closing of the acquisition; however, the target company might be able to extend its preclosing coverage by utilizing a tail policy.



2. Reviews of Data Management Policies

Data is a very valuable asset in many organizations, regardless of industry, and the acquirer should include it as a focus in M&A due diligence. A thorough review of data management policies should focus on:

• Data Collection, Use and Transfer: Examine how data is collected, stored, used and transmitted within the company.






