5 Things to Consider When Evaluating Cybersecurity in M&A Vendors

With increased cyber threats, cybersecurity due diligence in M&A transactions is a must for companies, protecting them from reputational and financial risks. 

Cybersecurity due diligence can be simplified by using a dedicated M&A platform. This will help you manage your deal pipeline, disinvestments, post-merger integration process, consulting, legal operation etc. Vendors that adopt such deal-management solutions are often able to close deals twice as fast. [Text Wrapping Break][Text Wrapping Break]However, using a third-party platform to manage your M&A process can bring new security risks. As such, a separate and thorough evaluative process must be carried out to ensure full compliance and safety of systems and processes.  

In this article, we share the recommended top-level steps in evaluating M&A platform vendors’ information security and lay out how Midaxo stacks up against these criteria. 

1. Formal audits and certifications 

Start your M&A vendor evaluation by requesting important certifications. Ensure they have either ISO 27001 or SOC certificates to prove their security compliance. Both of these certifications share almost 96% of the same security control; however, ISO 27001 is globally recognized and more rigorous than SOC, which is most prevalent in North America. 

Businesses should pay attention to who has conducted the audit and issued the certifications. Only work with reputable auditors. Note that the hosting provider’s certifications (e.g., AWS or Azure) and credentials don’t prove the authenticity of the vendor’s own security.

Driving a Volvo does not guarantee that you have a driver’s license, that you know the rules of the road or that you can even drive. It’s the authority, aka recognised auditors, who decide whether you are security compliant and not hosting providers. 

Finally, be cautious of vendors who say they are ‘working on’ securing certifications. They may well be, but that doesn’t guarantee they will obtain them. Only employ vendors with certifications already in place. 

2. Technical audits  

Technical audits should be your top consideration during M&A platform cybersecurity evaluation. Review the vendor’s actual and in-depth Open Web Application Security Project (OWASP) penetration test – or similar – and audit results. OWASP works on web application security; every year, it states which top web application development standards need to be followed for optimum protection.

Organizations that fail the OWASP Top 10 list are considered to fall short of important compliance standards. When evaluating technical controls, look at how data is processed.

Penetration testing is a form of ethical hacking, where “white hat pentesters” use strategies to exploit computer systems. When done by recognized auditors, this process highlights crucial security details and alerts your businesses as to how hackers could reach your sensitive information.

Separately, you should be aware that “printouts” from some online analysis tools  (e.g., Qualys) are, at best, indicative of a vendor’s level of information security. They often only provide a superficial – and sometimes misleading – picture. Do not rely on only these online tools for assessing the security risk.

3. Security audit (including publicly available material)

If possible, during M&A vendor cybersecurity assessment, make sure to do your own audits. Check the vendor’s claims and see how many are actually true. Even if you don’t conduct a full security review, ask to speak to the vendor’s chief information security officer (CISO) to ascertain the level of competence.

Review the vendor’s publicly available security information to support your security audit, e.g., Cloud Security Alliance (CSA) Star database and Privacy Shield. Look for security gaps that might create future issues in your business. Also, ask if the vendor has military contractors, financial services institutions, or security software vendors as referenceable customers, as they typically perform in-depth security reviews. 

4. Software development practices

Software due diligence includes evaluating businesses’ two crucial intangible assets, “software” and “software development.” This due diligence verifies whether the software’s architecture can meet today’s requirements (e.g., cloud-ready) and is frequently updated to bear any unplanned fluctuations. It also ensures the documentation is up-to-date with fewer or no software bugs to affect future business operations.

In addition, review the vendor’s coding practices:

• Check that vendor has documented SDLC process that takes security into account 
• Vendor follows OWASP Secure Coding Practices 
• Vulnerability scanners and SAST tooling is used in the development 
• Vendor performs both manual and automated testing in their software development

5. Engineering team 

The last step is to do a complete profile search of the vendor’s developers on Linkedin and see where their developers are located and where the software is being developed. Is there an internal team of software development or have they outsourced the development process? Go through their profile and see the depth of capability and expertise, resiliency, and availability of support.  

How does Midaxo’s M&A Software stand up against these evaluation criteria?  

Midaxo M&A deal management software is an all-in-one platform with high-level dashboards and a deal pipeline that brings together features of CRM, VDR, reporting tool, spreadsheet, and task tracker together. Our M&A platform addresses these security considerations in the following ways- 

• Midaxo has had its ISO 27001 Information Security Management System (ISMS) audited annually since 2016. Our auditor is KPMG, which is one of the big four accounting organizations 
• Midaxo’s technical auditors are (Cobalt and Nixu), who are highly reputable sites for conducting top-level penetration tests.  
• Midaxo has been audited almost 300 times by customers and prospects without ever failing once. The company has several large military contractors, financial services institutions, and security software vendors as customers and participates in both the Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Registry and in the Privacy Shield Framework 
• Midaxo follows secure software development practices and considers security in each phase of systems development life cycle. Our engineering team is trained for OWASP Secure Coding Practices, and the code is reviewed and tested before it’s released. Vulnerability scanning and Static application security testing are integral parts of  continuous integration/continuous development and security checks cannot be bypassed. 
•  Midaxo has an internal team of 22 developers in Finland and the UK to develop and support the Midaxo platform. It conducts FBI-level background checks for all developers with access to the production environment. 

Final thoughts  

Cybersecurity is a crucial element that you simply must not ignore during M&A transactions. You need to conduct extensive security and compliance audits to ensure that there are no issues before closing the deals.  

When auditing and selecting the M&A vendor platform you will use to manage your deal pipeline, evaluation, and post-merger integration process, conducting due diligence is equally important. It’s the only way to be absolutely sure the vendor’s information security is up to par. 

Midaxo is a comprehensive deal management platform that qualifies every criterion necessary for complete cybersecurity due diligence of your vendors.