"Companies performing due diligence should consider performing an in-depth onsite analysis that doesn't just identify previous incidents, but understands how the organization identifies and responds to incidents, assesses systems for unidentified breaches, and evaluates the organization's capabilities to mitigate cybersecurity risks," he said.
Ask before you buy
Experts say there are a number of common questions that should be asked when buying another company.
- How likely is the company to have an existing, ongoing breach?
- Has it suffered a compromise, whether or not it resulted in the loss of data? If so, what was the impact?
- Would the company be able to identify a security incident if it were to happen?
- What might it cost the company if it was breached?
- Who is responsible for security?
- Does the company interact with sensitive data protected by regulatory or industry compliance obligations?
- Does the company utilize any third-party vendors that store, access or process sensitive employee, company or customer information?
- Does the company send PII to entities outside of its home country and/or does it receive PII from entities outside of their home countries?
- Does the company outsource any critical functions?