Cybersecurity Due Diligence

In a merger and acquisition process, one of the crucial steps is the due diligence exercise. A private acquisition is a transaction in which one company acquires another. The acquiring company is called the buyer, and the company that is acquired is called the target company. The target company will typically be a subsidiary of the seller company. The buyer needs to conduct Cybersecurity-Due-Diligence on the target company, which also includes carrying out due diligence on the target company's data privacy practices.

Cybersecurity-Due-Diligence is a subset of the overall due diligence that the buyer has to carry out. It is crucial to carry out Cybersecurity-Due-Diligence to avoid mishaps in the organization after the transaction closes.

Package inclusions:
  • Cybersecurity-Due-Diligence Services.
  • Procedure for carrying out due diligence services.
  • Legal framework for the above services.
  • Complete report on due diligence services.
  • Monitoring future performance and the framework related to IT systems in a company.

What is Cybersecurity-Due-Diligence?

Cybersecurity-Due-Diligence is the process of investigating a target company for cybersecurity and data privacy concerns. It is conducted to find out whether there are any cybersecurity-related threats in the organization.

Why is Cybersecurity-Due-Diligence carried out?

Cybersecurity-Due-Diligence services are carried out for the following reasons:

  • It is carried out to identify cybersecurity vulnerabilities and threats, using mechanisms such as penetration testing.

  • Due diligence would save time and expense for the buyer.

  • Due diligence is carried out to understand the complexities of the target company. Potential threats present in a target company can only be understood by carrying out a due diligence exercise.

  • The due diligence process for an organization is crucial, as it determines whether the purchase is viable or not.

  • Due diligence has to be conducted on the target company to understand the information security protocols it follows.

  • The buyer would get a clear picture of the data privacy policies followed by the target company.

  • Overall, the due diligence exercise is an investigation carried out to determine the prevailing situation in the target company.

Importance of carrying out Cybersecurity-Due-Diligence

A cybersecurity framework within an organization is crucial to assess the risks present in that organization. Hence, from a buyer's perspective in a private acquisition transaction, carrying out cybersecurity-due-diligence is a priority. This due diligence encompasses cyber-related threats, data breaches, and the confidential and secret information held by the target company. Reputational loss is severe when compared to other forms of loss.

Apart from this, carrying out due diligence helps in the seamless closing of the transaction. Investigating the target company gives the buyer a clear picture of the complexities present in it.

Relevant Authority for Cybersecurity-Due-Diligence

In India, the Information Technology Act, 2000, regulates information technology and cybersecurity.

The Government of India (GOI) has implemented the following regulations:

  • The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013.
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules, 2011.
  • The Information Technology (Intermediaries guidelines) Rules, 2011.
  • The Personal Data Protection Bill 2018.
  • GDPR - General Data Protection Regulation 2018.

Procedure for Cybersecurity-Due-Diligence

In a private acquisition transaction, there are two or more parties: the buyer, the seller, and the target. It is the buyer's primary responsibility to carry out the due diligence process on the target company. By carrying out this process, the buyer learns about the inconsistencies present in the company.

The following process is carried out for due diligence:

  • The buyer and the seller (target) have to agree on the acquisition of the target company. During this step, the buyer negotiates with the seller the price of the transaction, contracts of exclusivity, confidentiality, and other clauses that affect the transaction.
  • Once the terms have been agreed between the parties, the buyer has to approach a third-party consultant. The third-party consultant can be an external consulting firm with expertise in carrying out typical due diligence exercises.
  • TAP GLOBAL cybersecurity-due-diligence and data privacy services provide a complete investigation into the target company. Apart from this, our experts classify information based on the amount of risk involved. Due diligence services provided by TAP GLOBAL make sure your organization is not left with problems to look back on.
  • Once the terms have been decided between the buyer and the third party, an agreement will be drafted between the buyer and the third party. In this agreement, the services provided by the third party will be mentioned. This will include the forms of due diligence carried out by the third-party.
  • When the due diligence procedure begins, the buyer, the target, and the third party will be involved. During this process, a Due Diligence Questionnaire (DDQ) is put forth to the seller or target. A DDQ is a set of questions asked by the buyer; the seller or target has to provide the information requested in the questionnaire.
  • After this is completed, the buyer must research the target. For cybersecurity-due-diligence, the information in the DDQ is based solely on the cybersecurity protocols followed by the target.
  • Cybersecurity due diligence is required, in addition to other forms of due diligence, if the target company has any form of online or data presence. Through this, the buyer comes to know whether the target company has taken reasonable and prudent steps to protect its data and assets properly.
  • Even if the target company does not hold any crucial information on customers or clients, conducting data privacy due diligence is still important. A breach of trade secrets and intellectual property is devastating to the reputation of the company.
  • The buyer has to assess whether the target has had any cyber-related incidents. In the evaluation, the threats arising from cyber-related issues must be categorized. All protocols related to security and information control have to be present in the target.
  • In the due diligence exercise, different software is also tested. Penetration testing is used to test the software. However, this forms part of IT due diligence.
  • The due diligence provider also checks whether proper audits are conducted on the company. Information security audits conducted on the company have to follow internationally prescribed standards. Hence audits would be according to standards such as PCI DSS and ISO 27001.
  • Once the due diligence exercise is completed, potential flaws come to light. The due diligence exercise also finds out whether the target or the seller company has breached the contract of exclusivity with the buyer. When this occurs, the buyer can walk out of the transaction without going ahead any further.
  • The buyer also has the added advantage of using a Material Adverse Change (MAC) clause if this has been negotiated between the parties. If the parties agreed on any form of MAC clause during the negotiation phase, the buyer can use this as a benefit and walk out of the agreement. Apart from this, the buyer can sue the seller and the target for breach of contract. However, the buyer can only invoke the MAC clause if cybersecurity-due-diligence findings have been included within its scope.

TAP GLOBAL Approach for Due Diligence

Being an expert in providing due diligence services to organizations, we have implemented our own approach for cybersecurity-due-diligence and data privacy services. Our approach includes the following:

  • Carrying out Phased Evaluation and Risk Assessment

We understand that no organization can be devoid of threats. These threats may be internal or external. Internal threats can take any form, such as software threats and employee information breaches. External threats include hacking, ransomware, and criminal threats. Therefore any organization is exposed to a variety of threats, and it is essential to devise a foolproof method to understand the risks associated with the organization. Once the risks are identified, solutions must be implemented to reduce them. This risk assessment process is a crucial step in reducing the amount of information loss in an organization.

  • Calculate the Risk

Once the assessment is carried out, we classify the risks and calculate the damage each risk could cause. Each risk is assigned to a particular category: risks quantified as causing a higher loss are placed in a separate category from lesser risks. After classification, we assess the probability of each risk, and ask: if a particular threat materializes in the organization, what would be the solution to the problem? Our approach is based on the above.

  • Develop a Risk Handling Mechanism

Once risks are classified and their likelihood predicted, we implement a risk handling mechanism that addresses all present and future problems that pose a threat to the organization's cybersecurity framework. By following this approach, your organization can avoid most risks.

Apart from the above approach, we constantly strive to update and implement new procedures to handle risks appropriately.

TAP GLOBAL Benefits

  • TAP GLOBAL is a recognized management consultant in providing due diligence services.
  • We have experience in the IT due diligence process, which will help your organization.
  • Experts at TAP GLOBAL have conducted due diligence exercises with the primary objective of adding value to your organization.
  • We have multifaceted teams of professionals comprising Chartered Accountants, IT professionals, lawyers, and company secretaries.
  • We have extensive experience in handling matters related to mergers, taxation, and accounting matters in India.

How to reach TAP GLOBAL for Cybersecurity-Due-Diligence and Data Privacy Services

  • Fill the form
  • Get a callback
  • Submit documents
  • Track progress
  • Get deliverables

Frequently Asked Questions

Cybersecurity due diligence covers aspects related to cybersecurity threats such as information breaches, data hacks, and viruses in an organization. It identifies whether the target company faces any form of cyber-related threat. IT due diligence is a broader area of due diligence that covers IT security threats and the general IT infrastructure of the company.

An example of an information breach due to lack of proper due diligence is the acquisition of Starwood Hotels by Marriott Group. Marriott's due diligence provider did not carry out proper due diligence, which led to information breaches affecting 400 million customers of Starwood Hotels. This breach included tourists from the European Union as well as the UK. The Information Commissioner's Office (ICO), the United Kingdom's data privacy authority, imposed a heavy fine on the Marriott group.

The following types of firms are qualified to conduct due diligence on an organization:
  • Investment banks;
  • Consulting firms;
  • Accounting firms;
  • Law firms; and
  • IT consulting firms.

A company established in India has to carry out the compliances required under Indian law. However, if an Indian company operates in the EU, it must also comply with the GDPR. This applies if the Indian company has EU customers and processes information on their behalf.


  • Sensitive Data

Sensitive data includes personal information such as name, age, and address, health-related data, and any form of biometric data.

  • Non-Sensitive Data

Non-sensitive data is information that is not classified as sensitive data. A company has to be more cautious while processing sensitive data: consent from the respective customers is required when processing sensitive data, but not when processing non-sensitive data.

Due care is the state in which sufficient security and IT measures are in place. Due diligence identifies the measures an organization uses to avoid threats related to cybersecurity.