I know a company that acquired a business and soon regretted it — even though all their discovery information was correct. They crossed all their Ts and dotted their Is on virtually everything you can imagine. There was just one area they neglected to look into more deeply, and it bit them in the butt.
The organization assumed the acquired company’s security and compliance program was up to snuff, and it wasn’t. An auditor had generated annual compliance paperwork, so the acquiring company assumed that everything was fine. In fact, it was far from fine.
It’s shockingly common during a merger and acquisition for companies to cut corners investigating whether their target company is taking security and compliance seriously. In a recent study, a full 56 percent of legal advisers regretted doing too little compliance investigation before an acquisition.
The result is often more expensive than you might expect. For the past year, the organization has had an entire team of personnel dedicated full-time to the clean-up effort. They’re still working on getting everything in place, and the total costs are increasing every day.
But the long term costs are yet to be determined. If any data breaches are discovered, the costs could be as much as $3.86 million per breach.
If you’re embarking toward M&A activities, you can avoid the mess this organization is going through. Follow a few basic steps while you’re conducting your cost analysis, and you’ll put yourself in a good position to help avoid unpleasant surprises.
How to Investigate Your Target Acquisition
Before you put ink to paper, request several reports. Make sure to receive the latest internal versions of these reports, noting their dates. Start with the following items:
- Audit reports
- Penetration testing reports (external and internal)
- Vulnerability scans
- Risk assessment
Normally, I advise clients never to release the internal workings of their compliance program to third parties — even under NDA. But in this scenario, the two organizations require a much deeper level of sharing and understanding. Your acquisition target must be absolutely clear in their responses to specific inquiries. They need to share more than they otherwise would be expected to do.
Ask key questions
When you start to review the security and compliance landscape, there’s key information you need to know. Ask:
- What compliance standards are you subject to?
- What are you compliant with?
- Are you using a third party for compliance?
- Who is the third party?
- What certifications do you have?
- Which clients contractually require adherence to which compliance standards?
Compare the answers to these questions against the compliance reporting you received, and evaluate the type of business you’re investigating against the compliance that standards make sense for the type pf company.
Check out their assessors
Do some research on their assessors, as well — not every assessor is a good assessor. Do your due diligence on the people who should be doing their due diligence on this company. Just because someone creates a report, that doesn’t mean it’s trustworthy. Find out their position in the marketplace, and if they have a good reputation.
Dig into the reports
As you dig into the reports, look for some key elements:
- Any deviations or exceptions in the compliance reports. In this organization’s case, the one report that had been produced contained a series of deficiencies. That should have been a big red flag.
- Consider the certification at hand. For example, PCI is very prescriptive. If you have a reputable assessment firm that signs off on a highly prescriptive certification, you can have a higher level of confidence. But HIPAA and SOC are much more open-ended, and you can define many of your own controls. In those cases, it’s wise to scrutinize the reports and associated controls more closely to determine how strong the compliance program truly is.
- Review their latest risk assessment, noting the nature of the findings on the report and whether they appear to be in alignment with the compliance maturity of the company you’re considering. What actions is the organization taking to mitigate those risks?
- Ask for a copy of their latest penetration testing report. Notice who did the test, how they approached testing, what was the scope, and when it was done. Ideally, it should be within the last three months.
The approach to the penetration testing is important. You’ll find companies that range from doing a hands-off scan with an automated tool, all the way to ninjas dropping from the ceiling and running around your facility with wireless antennas. Most organizations desire a sensible middle ground. You don’t want a testing company who simply does an automated scan, because they aren’t performing manual testing or living up to industry standard approaches to penetration testing.
If the target company doesn’t have a recent quality penetration testing report, request both an internal and external vulnerability scan report (covering appropriate scope) — something within the last month or so.
What If Something Isn’t Right?
What if you encounter one of these scenarios during the discovery phase?
- The target company doesn’t have any third-party assessment.
- They don’t put themselves up against a compliance standard.
- They’ve done their own assessments internally.
- No recent security testing
- Open or troubling findings on security testing or risk assessment
That doesn’t necessarily mean you should back out of the M&A, but you definitely should get an objective third party to do a review before you make an acquisition decision. Have the target acquisition company cover the costs of the review, because they’ll be better off for it whether you acquire them or not.
If you get a bad vibe from the third party review, or something feels off in the report, start digging deeper. Ask more questions and follow the trails. Trust your gut.
If you decide to acquire the company and they’ve never properly achieved compliance, expect that it could cost a lot of money to bring the organization up to speed. Be prepared for potentially significant investments of time, personnel, and money.
Due Diligence Done Easy
When you acquire a company, you’re signing up to take over an organization and become responsible for it. Whatever state it’s in, whatever vulnerabilities or issues it presently has, you’ll have to bear those consequences. Do your due diligence to have a better idea what you’re in for, because you’ll inherit all their deficiencies, and you’ll foot the bill for any data breaches and compliance cleanup.
Total Compliance Tracking can make your compliance due diligence simpler and more streamlined. Eliminate the painful toil of manual compliance management with TCT Portal, using the system for ongoing maintenance of security/compliance standards for your existing companies and your new acquisitions.