Cybersecurity and data privacy concerns are an area of increasing legal and regulatory risk for all companies. This Grant Thornton memo says that buyers should develop an “M&A cybersecurity playbook,” an “M&A cybersecurity framework,” and an “M&A cybersecurity plan” in order to appropriately address the issues that may arise during the lifecycle of an M&A transaction.
The memo says that a cybersecurity playbook’s purpose is to help companies successfully identify and monitor these risks in an ongoing and repeatable way as part of their M&A activities. A cybersecurity framework provides a template for cybersecurity integration, while a cybersecurity plan leverages the M&A cybersecurity playbook and framework to plan both tactical and strategic actions during the M&A process. This excerpt lays out the types of tactical and strategic actions encompassed by a sample cybersecurity plan:
– Specific cybersecurity threat monitoring must begin on day one and continue for at least the first phase of the merger or acquisition.
– The due diligence risk assessment feeds into remediation of the high-risk issues, followed by remediation of the medium-risk and low-risk issues if needed.
– A compromise assessment provides important input for identifying and isolating potential incidents and taking immediate actions to address them.
– A comparative analysis of cybersecurity capabilities will inform the cybersecurity consolidation, business solution migration and subsequent support.
– The cybersecurity integration strategy forms an important foundation for integrating cybersecurity policies, processes, and suppliers.
– The target operating model for cybersecurity, once designed and established, will implement a one-team approach in supporting the cybersecurity program going forward with defined performance metrics and control monitoring.
– John Jenkins