Data Security Review during Due Diligence?


September 28, 2018

by an investor from Harvard University - Harvard Business School in San Francisco, CA, USA

Has anyone ever done a data security review during due diligence? I've had a few searchers ask me about this topic recently, and I don't have great perspective, but it is obviously an increasingly important issue for target companies.

Would appreciate any/all guidance on this, including where to turn if you decide it's something you want to do during diligence.

Replies
Reply by a professional
from The Queen's University Belfast in San Francisco, CA, USA
Hi Greg,

Specifically, data security refers to the procedures around protection of data from unauthorized access and corruption throughout its lifecycle. This includes data encryption, hashing, tokenization, key management and backup practices that protect data across all applications and platforms.

As you can imagine, that covers a lot of ground in a modern business, regardless of size, that leverages Cloud platforms to host their service and third-party SaaS applications to run their business.

I have found a security risk assessment is a good place to start as part of an overall technology due diligence, which takes into account a business's regulatory obligation, industry standards, information security policies and procedures, previous breaches, engineering and devops procedures, vulnerability management, to name a few!

Happy to discuss more. Jonathan.
Reply by a professional
from University of San Francisco in San Francisco, CA, USA
Greg, adding to the above, it's a vital question to ask early in any acquisition due diligence, and the extent to which it is explored will depend on the extent to which the company handles data, but other than a very early stage acquisition, most companies handle data in varying degrees, and subject to varying levels of regulation. It is also important to keep in mind a distinction between data breaches that are ongoing and have not yet been discovered by the company at the time of the acquisition, and known data breaches, both of which can have a material impact on price. There's a lot of literature in the area; perhaps what would be helpful on a practical level is to share a comprehensive cybersecurity due diligence checklist - please contact me if you would like a copy or to discuss any of this further. Ed