What is Cybersecurity-Due-Diligence?
Cybersecurity-Due-Diligence is the process of investigating a target company for cybersecurity and data privacy concerns before a transaction. It is conducted to find out whether the organization is exposed to any form of cybersecurity-related threat, whether it has already suffered incidents, and whether its controls are proportionate to the data it holds.
Why is Cybersecurity-Due-Diligence carried out?
Cybersecurity-Due-Diligence services are carried out for the following reasons:
To identify exploitable vulnerabilities and cybersecurity-related threats, using mechanisms such as penetration testing.
Due diligence saves the buyer time and expense by surfacing problems before they are inherited.
Due diligence is carried out to understand the complexities of the target company. Potential threats present in a target company can only be understood by carrying out a due diligence exercise.
The due diligence process is crucial, as its findings determine whether the purchase is viable.
Due diligence must be conducted on the target company to understand the information security protocols it follows.
The buyer gets a clear picture of the data privacy policies followed by the target company.
Overall, the due diligence exercise is an investigation to determine the prevailing situation in the target company.
Importance of carrying out Cybersecurity-Due-Diligence
A cybersecurity framework within an organization is crucial to assess the risks present in that organization. Hence, from a buyer's perspective in a private acquisition transaction, carrying out cybersecurity-due-diligence is a priority. This due diligence covers cyber-related threats, past data breaches, and the confidential and trade-secret information held by the target company. A breach of that information causes reputational loss that is often more severe than the direct financial loss.
Apart from this, carrying out due diligence helps in the seamless closing of the transaction. Investigating the target company gives the buyer a clear picture of the complexities present in it.
Relevant Authority for Cybersecurity-Due Diligence
In India, the Information Technology Act, 2000, regulates information technology and cybersecurity.
The Government of India (GOI) has issued the following rules under the Act, and the instruments listed after them are also relevant:
- The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
- The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- The Information Technology (Intermediaries Guidelines) Rules, 2011.
- The Personal Data Protection Bill, 2018 (a draft bill, not enacted law).
- The EU General Data Protection Regulation (GDPR), in force since May 2018, which applies where the target processes personal data of individuals in the EU.
Procedure for Cybersecurity-Due-Diligence
In a private acquisition transaction, there are two or more parties: the buyer, the seller, and the target. It is the buyer's primary responsibility to carry out the due diligence process on the target company. By carrying out this process, the buyer learns about the inconsistencies present in the target.
The following process is carried out for due diligence:
- The buyer and the seller (target) have to agree to the acquisition of the target company. During this step, the buyer negotiates the price of the transaction, exclusivity, confidentiality, and other clauses that affect the transaction.
- Once the terms have been agreed between the parties, the buyer approaches a third-party consultant, typically an external consulting firm with expertise in carrying out due diligence exercises.
- Enterslice cybersecurity-due-diligence and data privacy services provide a complete investigation into the target company. Apart from this, our experts classify information based on the amount of risk involved, so that the buyer does not inherit undisclosed problems after closing.
- Once the terms have been decided between the buyer and the third party, an agreement is drafted between them. This agreement sets out the services the third party will provide, including the forms of due diligence to be carried out.
- When the due diligence procedure begins, the buyer, the target, and the third party are all involved. During this process, a Due Diligence Questionnaire (DDQ), a set of questions prepared by the buyer, is put to the seller or target, who must answer it and supply supporting information.
- After the DDQ is answered, the buyer must verify the responses against the target's actual practices. For cybersecurity-due-diligence, the DDQ focuses on the security controls and protocols the target follows.
- Cybersecurity due diligence is required alongside the other forms of due diligence whenever the target company has any online presence or holds data. Through it, the buyer learns whether the target has taken reasonable and prudent steps to protect its data and assets.
- Even if the target company does not hold crucial information on customers or clients, conducting data privacy due diligence is still important. A breach of trade secrets or intellectual property is devastating to the reputation of the company.
- The buyer must assess whether the target has suffered cyber-related incidents. In the evaluation, the threats arising from those incidents must be categorized, and the target must be able to show that its security and information-control protocols are documented and in force.
- Software in use at the target is also tested, including through penetration testing. This, however, forms part of IT due diligence.
- The due diligence provider also checks whether proper audits are conducted on the company. Information security audits should follow internationally recognised standards, such as PCI DSS (where the target handles payment card data) and ISO/IEC 27001.
- Once the due diligence exercise is completed, potential flaws come to light. The exercise may also reveal that the target or seller has breached the exclusivity agreement with the buyer; in that case the buyer can walk away from the transaction without going further.
- The buyer also has the benefit of a Material Adverse Change (MAC) clause if one was negotiated between the parties. Where a MAC clause was agreed during the negotiation phase, the buyer can invoke it to walk away from the agreement, and may additionally sue the seller and the target for breach of contract. However, the MAC clause can only be relied on for cyber issues if cybersecurity matters were included within its scope.
Enterslice Approach for Due Diligence
Being an expert in providing due diligence services to organizations, we have implemented our approach for cybersecurity-due-diligence and data privacy services. Our approach includes the following:
Carrying out Phased Evaluation and Risk Assessment
We understand that no organization is devoid of threats. These may be internal or external. Internal threats take many forms, such as insecure software and employee data breaches. External threats include hacking, ransomware, and criminal activity. Since any organization is exposed to a variety of threats, it is essential to devise a rigorous method to understand the risks associated with the organization. Once the risks are identified, controls must be implemented to reduce them. This risk assessment process is a crucial step in reducing information loss in an organization.
Calculate the Risk
Once the assessment is carried out, we classify each risk and estimate the damage it would cause. Risks quantified as causing higher loss are placed in a separate category from lesser risks. After classification, we assess the probability of each risk materialising, and for each threat we ask what the response would be if it did. Our approach is built on these two dimensions: impact and likelihood.
Develop a Risk Handling Mechanism
Once risks are classified and their likelihood estimated, we implement a risk handling mechanism that addresses the present problems and anticipates future ones that threaten an organization's cybersecurity framework. By following this approach, your organization can reduce its exposure to the greatest extent possible.
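The classify, estimate loss, assess probability and assign handling steps above amount to a risk register that ranks due diligence findings by likelihood times impact and maps each tier to a deal response. The following is an added illustration, not Enterslice's own methodology or code: the 1-5 ordinal scales, the tier thresholds (15 and 8 on the 1-25 product), the handling actions and the sample findings are all assumptions constructed for the example.

```python
"""Risk register scoring for cybersecurity due diligence findings.

Added example. The 1-5 scales, tier thresholds, handling actions and
sample findings below are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales (assumed). Keys are what an assessor writes in the register.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Tier boundaries on the 1-25 likelihood x impact product (assumed).
TIERS = ((15, "high"), (8, "medium"), (1, "low"))

# How the buyer treats each tier in the transaction (assumed mapping).
HANDLING = {
    "high": "remediate before closing, or adjust price / seek specific indemnity",
    "medium": "make remediation a closing condition or post-closing covenant",
    "low": "accept and track in the post-closing integration plan",
}


@dataclass(frozen=True)
class Finding:
    ref: str
    description: str
    origin: str        # "internal" or "external", as the text distinguishes
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT


def risk_score(likelihood: str, impact: str) -> int:
    """Return likelihood x impact on the 1-25 scale; reject unknown ratings."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None


def risk_tier(score: int) -> str:
    """Map a 1-25 score onto the assumed high/medium/low tiers."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score}")
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "low"  # defensive; the threshold of 1 already catches every valid score


def prioritise(findings: List[Finding]) -> List[Dict[str, object]]:
    """Rank findings by score (ties broken by reference) with tier and handling."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        tier = risk_tier(score)
        rows.append({
            "ref": f.ref,
            "origin": f.origin,
            "score": score,
            "tier": tier,
            "handling": HANDLING[tier],
            "description": f.description,
        })
    rows.sort(key=lambda r: (-r["score"], r["ref"]))
    return rows


def tier_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per tier, the one-line summary for the due diligence report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for row in prioritise(findings):
        counts[row["tier"]] += 1
    return counts


# Constructed sample findings, of the kind a DDQ and technical review surface.
SAMPLE_FINDINGS = [
    Finding("DD-01", "Customer database reachable from the internet with default credentials",
            "external", "likely", "severe"),
    Finding("DD-02", "Backups never restore-tested; no ransomware recovery plan",
            "external", "possible", "severe"),
    Finding("DD-03", "Departed employees keep VPN access until the quarterly review",
            "internal", "likely", "moderate"),
    Finding("DD-04", "Privacy notice does not describe current data processing",
            "internal", "possible", "minor"),
    Finding("DD-05", "Annual security awareness training overdue for most staff",
            "internal", "unlikely", "minor"),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f'{row["ref"]} [{row["tier"]:6}] score={row["score"]:2} '
              f'({row["origin"]}) {row["description"]}\n    -> {row["handling"]}')
    print(tier_counts(SAMPLE_FINDINGS))
```

Running the module ranks the two "severe" findings into the high tier (scores 20 and 15), the stale VPN access into medium (12) and the two policy gaps into low (6 and 4). The thresholds are the part to negotiate with the buyer: moving the high boundary from 15 to 12 would pull the VPN finding into the closing conditions, which is exactly the kind of judgement the classification step is meant to make explicit.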
Apart from the above approach, we constantly update our procedures and implement new ones to handle risks appropriately.
- Enterslice is a recognized management consultant in providing due diligence services.
- We have experience in the IT due diligence process, which will help your organization.
- Experts at Enterslice have conducted due diligence exercises with the primary objective of adding value to your organization.
- We have multifaceted teams of professionals comprising Chartered Accountants, IT professionals, lawyers, and company secretaries.
- We have extensive experience in handling mergers, taxation, and accounting matters in India.