As the newest addition to the due diligence process, cyber audits come in all shapes and sizes. Here are the four main components, along with accompanying case studies.
While due diligence is most commonly associated with M&A transactions, most investment vehicles (including PE/VC firms), lenders (such as banks or government funds), and insurers rely on similar processes to assess potential risks. And as cybercrime continues to grow more commonplace and costly, it's important to understand the options currently available for cyber due diligence.
Part 1: The VAPT
Vulnerability Assessment and Penetration Testing (VAPT) is usually the first step in any cyber due diligence process. It identifies most existing vulnerabilities and provides a roadmap for mitigation. Many VAPT providers, like Silent Breach, also issue a holistic cybersecurity rating, which can serve as a rule of thumb moving forward.
Case Study: San Francisco-based hedge fund, Muddy Waters Capital, made headlines when it announced a critical security flaw in pacemakers and other medical devices manufactured by St Jude Medical. In response, St Jude's stock (which Muddy Waters had unsurprisingly shorted) tanked 10% in intraday trading, helping the fund finish the year with a 16 percent gain. It wasn't long before other funds partnered with cybersecurity experts to hunt for similar flaws in everything from chip manufacturers to airline operators.
Part 2: Dark Web
While the VAPT reveals existing network or application vulnerabilities, a dark web assessment identifies whether a past breach has already taken place. This is done by crawling the dark web, as well as any relevant sites, repositories, and databases, to find leaked information that can be tied to the company under review.
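The matching step of a dark web assessment, tying records in a leaked dataset back to the company under review, is the part that most often goes wrong in practice (look-alike domains, case differences, duplicate entries). The following is an added example, not Silent Breach's tooling or any code from this article: it parses a constructed credential-dump sample in the common `email:secret` layout, keeps only accounts on the company's domains or their subdomains, de-duplicates, and reports a fingerprint of each leaked secret rather than the secret itself. The domain names and every record in the sample are constructed for illustration.

```python
"""Tie leaked records back to the company under review.

Example code added to this article (not Silent Breach's tooling).
All domains and records below are constructed for illustration.
"""
from collections import Counter
import hashlib
import re

# Constructed sample in the "email:secret" layout seen in credential dumps,
# plus the kinds of noise a parser must tolerate (junk lines, odd casing,
# duplicates, and a look-alike domain that must NOT match).
SAMPLE_DUMP = """\
alice@target-corp.example:Summer2019!
bob@mail.target-corp.example:hunter2
carol@unrelated.example:password
not a credential line
ALICE@Target-Corp.example:Summer2019!
dave@target-corp.example.evil.example:abc
eve@target-corp.example
"""

# local-part@domain:secret ; the secret may contain ':' but the email may not
LINE_RE = re.compile(r"^([^:@\s]+@[^:\s]+):(.+)$")


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")


def belongs_to(domain: str, company_domains) -> bool:
    """True if domain equals a company domain or is a subdomain of one.

    Matching on the '.' boundary is what keeps 'target-corp.example.evil.example'
    from being counted as the company's.
    """
    domain = normalize_domain(domain)
    for company in company_domains:
        company = normalize_domain(company)
        if domain == company or domain.endswith("." + company):
            return True
    return False


def parse_records(text: str):
    """Yield (email, secret) pairs; silently skip lines that don't parse."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        yield match.group(1).lower(), match.group(2)


def assess_exposure(dump_text: str, company_domains) -> dict:
    """Summarise which company accounts appear in the dump.

    Returns unique-account counts per matched domain and a findings list that
    carries a short SHA-256 fingerprint of each secret instead of the secret,
    so the report can be shared with a deal team without re-leaking credentials.
    """
    seen = set()
    per_domain = Counter()
    findings = []
    for email, secret in parse_records(dump_text):
        _, _, domain = email.rpartition("@")
        if not belongs_to(domain, company_domains):
            continue
        if (email, secret) in seen:      # same account + same secret = duplicate
            continue
        seen.add((email, secret))
        per_domain[normalize_domain(domain)] += 1
        fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
        findings.append({"account": email, "secret_fingerprint": fingerprint})
    return {"accounts_per_domain": dict(per_domain), "findings": findings}


if __name__ == "__main__":
    report = assess_exposure(SAMPLE_DUMP, ["target-corp.example"])
    for domain, count in report["accounts_per_domain"].items():
        print(f"{domain}: {count} exposed account(s)")
    for finding in report["findings"]:
        print(f"  {finding['account']}  secret fp {finding['secret_fingerprint']}")
```

Of the seven sample lines, only two survive: the junk line and the line without a secret fail to parse, the upper-cased duplicate collapses onto the first entry, the unrelated domain is filtered, and the look-alike `target-corp.example.evil.example` is rejected by the boundary check. In a real engagement the same matching logic would run over far larger inputs, and the fingerprint (not the secret) is what you would hand to the company so it can check whether the exposed secrets are still in use.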
Case Study: Back in 2015, Yahoo faced a 7% stock devaluation due to two massive data breaches. Incidentally, this took place while Yahoo was in the process of being sold to Verizon, a plan that was very nearly derailed following the disclosure of the breaches. While Verizon did ultimately follow through on the deal, it trimmed $350 million off the price tag.
Part 3: Risk Profiling
Aside from assessing current vulnerabilities and past breaches, it's important to step back and review the company's cybersecurity posture as a whole. For example, the National Institute of Standards and Technology (NIST) publishes the Cybersecurity Framework (CSF), which is designed to guide organizations in assessing their ability to prevent, detect, and respond to cyberattacks.
During a Cyber Risk Assessment, you (or a trusted partner) review the company's org structure, documentation, business practices, tech stack, and other resources in order to determine the present level of its overall organizational cyber preparedness.
Case Study: The recent SolarWinds hack provides a good example. What began as a more or less contained exploit eventually spread to Microsoft and then throughout much of the US federal government, all in a matter of months. The longer a breach remains undetected, the more likely it is that the attackers will be able to pivot, both vertically and horizontally, to infect related networks and applications. Now consider that it takes the average US company 197 days to detect a security breach. Brand reputation, customer loyalty, and employee morale are heavily affected by poorly handled hacks, and are often far more difficult to recover from than the technical breach itself.
Part 4: Regulatory Compliance
Data privacy and other regulations vary widely by industry and location, so it's important that the regulatory review be scoped accordingly. For example, companies working in the medical industry or with offices in Europe will have to conform to stricter regulations (HIPAA and GDPR respectively), while those working in non-sensitive industries and locales will get by with a straightforward compliance review.
Case Study: Ever since the Cambridge Analytica scandal, Facebook's privacy policies and practices have been under intense scrutiny. But beyond the massive hit this has dealt its reputation, Facebook is also suffering a loss in the place that matters most to investors: its wallet. Facebook estimated that it will eventually pay $3 to $5 billion in payouts to the FEC, which is currently investigating its data privacy practices.
Conclusion: How Silent Breach Can Help
Each step in the due diligence process requires resources, attention, and most importantly, time. In a high-value deal, the time to conduct background due diligence is often limited due to competition from multiple potential buyers. This is why we've developed Quantum Armor, our next-generation attack surface management platform.
Quantum Armor provides real-time network monitoring, data analysis, and threat intelligence. Utilizing a range of proprietary algorithms, Quantum Armor is able to perform agentless port monitoring, configuration reviews, log parsing, and attack surface benchmarking with the click of a button. This allows investors to automatically generate a live snapshot of a prospect's attack surface, past breaches, and overall network health.
Talk with one of our representatives today to learn more about how we can fast track your due diligence process. For a limited time, Quantum Armor licenses come with a 30-day free trial so you can test-drive our platform 100% risk-free!
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.