17 TECHNICAL CONTROLS FOR EFFECTIVE M&A DUE DILIGENCE - BY TOM BRENNAN

Published in CPO Magazine  April 6th 2022
​
Post-COVID, a growing number of mid-sized businesses are merging with and acquiring other companies to adapt, grow and expand. This process takes a tremendous amount of preparation and research. From business financials and intellectual property to contracts and tax issues, there is much to be done to help ensure a successful M&A transaction.

Among top considerations during the M&A process should be your technical controls. In specific, you need to pay close attention to the software bill of materials (SBOM), and several other vital areas of your technology-enabled business. If the target organization cannot demonstrate technical maturity, it will be score lowered and may ultimately see a reduced acquiring offer or be a deal-breaker altogether.
During the due diligence process, be prepared to present and describe your software-based technology product with documentation. What is expected during a technical due diligence review is architectural diagrams, scalability, and performance metrics. Technology choices made, including programming languages, databases, and infrastructure choices, will be reviewed. Your key staff must also be able to describe any software development practices and provide details on continuous deployment environments..

In particular, a review of the OWASP Top 10 2021 List is recommended. Be certain that you are able to answer questions about how you ensure code quality in a hostile internet-connected environment and perform an independent third party code audit

---

Depending on the reason for the merger or acquisition, it could be equally important to have technical controls in place for the operations side of the business. Here it’s important to evaluate how data is processed in 17 key areas:

1. Access Controls focus on identifying and limiting the people and other entities allowed to access your systems. These controls also involve limiting the types of functions and transactions that those authorized users can perform.
2. Asset Management includes requirements for managing services and devices that store or interact with your data, whether on your network or hosted in the cloud.
3. Awareness and Training helps to demonstrate that the business has a training program for their staff, contractors, and vendors so that they are equipped to report and overcome threats they may encounter.
4. Audit and Accountability for all actions is necessary. Your business should have controls in place to track individual users’ activities, as well as various system activities.
5. Security Assessments.  Most organizations do not have an annual program to assess testing to make sure your system security plans are working. CREST can share lists and resources regarding International accredited service providers. For more information check out the Service Selection Platform.
6. Configuration Management lists the requirements for creating baseline configurations and inventories, as well as making actual changes to those systems. It also requires that your organization monitors for any unapproved changes that might occur.
7. Identification and Authentication is similar to Domain Access Controls in that they are focused on user access. However, in this case, the emphasis is on ensuring the person using an account is indeed the correct user.
8. Incident Response demonstrates that the organization has controls over, and has plans in place to anticipate security incidents. This also specifies what their response will be if any incidents occur.
9. Maintenance is based on the premise that all computer systems are vulnerable to failure at some point. That means your business should protect critical systems and data against vulnerabilities in the instance of a system failure. There should be a regular process of monitoring and re-evaluating how your security and backups are doing.
10. Media Protection covers the use of removable media to store data, including both electronic storage devices and paper. Storing information on removable media can be dangerous and leave you vulnerable, so it must be carefully controlled, and encrypted.
11. Physical Protections should be considered along with technological protections. Ask yourself, “How difficult would it be for someone to walk into my business and steal the hardware with its data?” This should be a good base for what is needed to secure your property.
12. Personnel Security asks if your business screens employees before allowing them to gain access to systems containing controlled unclassified information (CUI). It should also be considered that when an employee is transferred or terminated, and is no longer authorized to access data, how does your business plan to protect that data For example, what is your off-boarding process like? Are you organized with logs of who does and does not have access to your systems?
13. Recovery means regularly backing up your data. This is absolutely critical for preventing unnecessary data losses.
14. Risk Management demonstrates the maturity of the business. Have risk assessments of your data and systems taken place? What were the findings and corrective actions?
15. Situational Awareness. Organizations need to take intelligence regarding cyber threats from external sources seriously and respond to them appropriately. You should always have some level of awareness regarding your business and its security.
16. Systems and Communications Protection includes an extensive list of controls focused on securing the transmission of information within a system. It also prohibits the sharing of CUI on public forums. This might show itself in the encryption of emails and data loss prevention.
17. System and Information Integrity is the proactive monitoring for issues and then the  prompt application of security patches as needed. Demonstration of this process is defined as a policy, a procedure, and staff task assignments.

Remember – confidentiality, integrity and availability are important items of consideration for your technology choices from day one. Be certain to use company that has been accredited to perform valuable third-party assessments with proven policies, processes and procedures to validate your technology and environment. With a credible third-party validation of your technical maturity, you can ensure that the technical elements of your due diligence will enhance acquisition offers and simplify the integration process. 

For more information, contact us on how we can help you be proactive.

MeasureRISK Services