Managing cybersecurity risk in mergers & acquisitions

In today’s world, many of the key assets that make a business attractive for a merger or acquisition – like intellectual property or customer information – are digital. As M&A activity returns to pre-pandemic levels, and with the potential for unforeseen events to affect the value of a deal, it makes sense to measure and manage the potential risks to important digital assets.


An article from Christophe Forêt, President and co-founder of C-Risk.
Published October 4, 2023. Updated October 11, 2024.

M&A Webinar Highlights

Experts from C-Risk and RiskLens (now part of Safe Security) took part in a webinar discussion aimed at shedding light on how to avoid common pitfalls and more effectively assess controls and their effect on cyber risk. This was the second in a three-part series of webinars under the theme of calculating cyber risk in financial terms.

Jacqueline Lebo, a senior risk consultant with RiskLens LLC who specializes in cybersecurity and privacy in the healthcare sector, says evaluating security controls can be a “massive undertaking” and that it is neither practical nor possible to do exhaustively within a finite window such as a due diligence process. That is why it is essential to focus on what matters most.

"You can boil the ocean and understand every single risk, or you can prioritize," she says. It’s important to establish a baseline understanding of a company’s security. Some large healthcare organizations are already using Cyber Risk Quantification (CRQ) to understand their M&A activity.

CRQ expresses cyber risk in financial terms, typically as a distribution of annual loss built from how often a loss event occurs and how much each event costs, as in the FAIR model. Because the result is money rather than a rating, businesses can define and model controls and map them to specific cyber risk scenarios, then see how much loss each control actually removes.

“Having the CRQ component to be able to compare rather than a high/medium/low critical risk, on what the potential for loss is, is really helpful in being able to make more informed decisions,” says Zack Sumney, senior risk consultant with RiskLens, a specialist in quantifying enterprise risk.

Tom Callaghan, co-founder of C-Risk and co-chair of the FAIR Institute Paris chapter, says that a quantified view of controls helps in assessing and managing the cyber risk related to M&A. It is valuable both pre- and post-acquisition because it avoids an unnecessarily broad examination of the entire control landscape in favor of the key assets and the risk scenarios that threaten them.

Build your organization's cyber resilience with Cyber Risk Quantification

Our FAIR-certified experts will help you prioritize your IT security investments, improve governance and increase your organization's cyber resilience.

The full webinar is available to watch for free. You’ll learn best practice tips for assessing security controls during M&A activity:

  • Identify what will be the most valuable assets in a post-acquisition operating model
  • Build risk scenarios around those key assets and focus on the financial impact
  • Scope scenarios properly to understand what the potential loss would be
  • Understand the acquisition strategy to see what decisions the risk assessment supports
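The steps above (pick the key asset, build a scenario around it, scope it, express the loss in money) and the earlier description of CRQ can be made concrete with a small simulation. The following Python script is an added example, not code from C-Risk, RiskLens or the webinar: it runs a FAIR-style Monte Carlo for one constructed scenario, ransomware against a legacy patient-records platform at an acquisition target, once with the controls found in due diligence and once assuming a remediating control. The asset, the control and every frequency and loss range are assumptions chosen for illustration; the output is an annualized loss exposure (mean and tail percentiles) in currency units, the kind of figure that lets a loss comparison replace a high/medium/low rating.

```python
"""FAIR-style Monte Carlo for one M&A risk scenario (added example; not C-Risk or
RiskLens tooling). Annual loss = number of loss events (Poisson, with the rate drawn
from a Loss Event Frequency range) times a loss magnitude drawn for each event.
All ranges below are constructed for illustration."""
import math
import random
import statistics


def sample_poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year at rate lam."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_scenario(lef, magnitude, n_years=20_000, seed=7):
    """lef and magnitude are (low, most likely, high) calibrated ranges:
    lef in loss events per year, magnitude in currency per event.
    Returns the mean annualized loss exposure (ALE) and tail percentiles."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    annual_losses = []
    for _ in range(n_years):
        # random.triangular takes (low, high, mode), not (low, mode, high)
        rate = rng.triangular(lef[0], lef[2], lef[1])
        events = sample_poisson(rng, rate)
        loss = sum(
            rng.triangular(magnitude[0], magnitude[2], magnitude[1])
            for _ in range(events)
        )
        annual_losses.append(loss)
    annual_losses.sort()

    def percentile(q):
        return annual_losses[min(len(annual_losses) - 1, int(q * len(annual_losses)))]

    return {
        "mean": statistics.fmean(annual_losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
    }


def control_value(before, after):
    """Reduction in mean ALE attributable to the control: an upper bound on what
    the remediation is worth per year, or on what to negotiate off the price."""
    return before["mean"] - after["mean"]


# Constructed scenario (hypothetical): ransomware on the target's legacy
# patient-records platform. Magnitude covers response, downtime and notification.
MAGNITUDE = (200_000, 1_500_000, 8_000_000)
LEGACY = {"lef": (0.1, 0.5, 1.5), "magnitude": MAGNITUDE}        # as acquired
REMEDIATED = {"lef": (0.02, 0.1, 0.4), "magnitude": MAGNITUDE}   # after the control


def compare_scenarios():
    """Run both variants of the scenario and return (before, after, control value)."""
    before = simulate_scenario(**LEGACY)
    after = simulate_scenario(**REMEDIATED)
    return before, after, control_value(before, after)


if __name__ == "__main__":
    before, after, value = compare_scenarios()
    for label, r in (("legacy", before), ("remediated", after)):
        print(f"{label:11s} mean ALE {r['mean']:>12,.0f}  p50 {r['p50']:>12,.0f}  "
              f"p90 {r['p90']:>12,.0f}  p95 {r['p95']:>12,.0f}")
    print(f"control value (mean ALE reduction): {value:,.0f} per year")
```

Two numbers from the output carry the decision: the difference in mean ALE is the most a buyer should pay for the remediation or ask off the price for this one scenario, and the p95 figure is what to compare against the deal's materiality threshold. Repeating the run for each key asset identified in the post-acquisition operating model gives the prioritized, financially comparable view the webinar describes.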

The webinar also works through sample real-world scenarios from sectors such as healthcare and high-end luxury retail, and covers practical tips for assessing the cyber risk of an acquired company, such as:

  • During due diligence, establish how much legacy technology the target runs and how it fits into the security control landscape
  • Quantify how much risk you are acquiring with that legacy technology
  • Decide whether the deal terms need to be renegotiated, or the price adjusted, to account for it

Watch the replay of the webinar.

Cyber Due Diligence

Cyber due diligence has become a critical element of the mergers and acquisitions (M&A) process. As cybersecurity risks grow, both acquiring and target companies must assess potential vulnerabilities that could impact the deal’s success, financial valuation, and post-integration operations.

A company’s cybersecurity vulnerabilities can create significant financial, legal, and reputational risks. If the target company is exposed to cyber threats at closing, that exposure transfers to the acquiring company. Cyber due diligence assesses and mitigates those vulnerabilities before the deal is finalized. Third-party risk is a further exposure to cover: the target company’s relationships with vendors, partners, and other third parties must also be assessed, because their cybersecurity standards feed into the overall risk profile being acquired.

Having experienced partners like C-Risk experts by your side during critical processes like M&A or overall cybersecurity strategy development can enable informed decisions. Their expertise ensures that you make defendable decisions—those based on solid risk assessments, regulatory compliance, and alignment with your business's specific risk appetite. C-Risk Consulting & Advisory services offer specialized support for critical projects, including cyber due diligence for M&A.

Improve decision-making with Cyber Risk Quantification

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.
