Tech regulations: How to relieve the burden of supervisory bodies and reduce the risk for investors


What is the problem, and who is affected?

Regulatory and industry requirements for cybersecurity are skyrocketing. These include DNB [1], DORA [2], the Cyber Resilience Act [3] [4] and NIS2 [5], the SWIFT Customer Security Programme (CSP) [6], FedRAMP, ISO 27001, the CIS Critical Security Controls, FISMA [7], NIST SP 800-53 and PCI DSS [8]. Managing all these regulations is complex for companies and, obviously, for regulators, who need to supervise implementation correctly. The number of companies affected in the European Union alone already runs into the millions, as is shown in the figure below.

Figure 1: Number of companies affected by regulation [9] [10] [11] [12] [13]

We have learned from GDPR that the necessary paperwork will be done. Still, the difficulty lies in technology and implementing sufficient processes, capabilities (people and their skills) and structures to adequately monitor and report on a firm's well-being.

According to Kuijper (2020), “the data privacy authorities (DPAs) mainly fine the visible symptoms of GDPR non-compliance (the materialised risks) rather than fining and describing the underlying root cause(s) of those non-compliance symptoms like, e.g., failing to analyse the data processing risks, a lack of governance or controls, etc.” Regulatory fines are the most significant cost when something goes wrong; they can sometimes be as high as 4% of the annual global revenue of the violating company [14].

In recent research, we have observed that most GDPR violations relate to implementing the technical and organisational measures required to ensure information security (art. 32). Implementing information security controls is cumbersome for many organisations due to scarce resources and capabilities.

Upcoming regulations are only sustainable by requiring mandatory proactive submission of so-called ‘in-control statements’. Given the number of regulated companies and the associated burden, we foresee as the only way forward an inverse burden of proof: companies must be able to prove that they comply.

Additional complexity on the acquisition market

In mergers and acquisitions, buyers impose stricter conditions on entrepreneurs seeking to sell their companies, including requirements regarding data and privacy [14]. The heightened scrutiny of cybersecurity underscores the critical need for careful digital due diligence related to digital assets and comprehensive risk assessments. In mergers and acquisitions, even a single misstep can have profound consequences, leading to substantial financial losses and reputational damage.

Fortunately, more and more due diligence is also being performed for the technological departments of a company. This is unsurprising, as technology is an ever-larger factor in company processes and value drivers. Moreover, notorious examples such as the acquisitions of DigiNotar by Vasco, Verizon by Yahoo and Marriott International by Starwood Hotels and Resorts Worldwide have shown the far-reaching consequences of insufficient due diligence.

In the Yahoo incident, attackers successfully executed a spear-phishing attack targeting a Yahoo employee. Using that employee's credentials, the attackers gained access to backed-up data. This example shows the importance of the principle of least privilege: over-privileged user rights make it significantly easier for cybercriminals to get in and, through "system hopping", explore the entire network, especially when, as here, there is no network segmentation. Breaches like the one experienced by Yahoo can have serious consequences. Combined with another breach experienced by Yahoo, this led to a 350-million-dollar reduction in the deal with Verizon [15].

Arguably, all business processes are, to a varying extent, dependent on technology and digital processes. Business and private life are seamlessly integrated, and so is data, including intellectual property or confidential data that is valued as goodwill in any acquisition process. This data can be anywhere, including on in-home devices or in smartphone storage such as iCloud.

In this context, meticulous digital due diligence is not merely a best practice but an absolute necessity. As businesses evolve in the digital age, the ability to assess and manage potential cybersecurity risks effectively has become fundamental to ensuring the success, integrity, and sustainability of mergers, acquisitions, and ongoing operations.

Preventing financing a pig in a poke

In our digital world, there are various reasons for performing a due diligence assessment. At its core, due diligence is designed to unearth potential security risks, serving as the foundation for different essential considerations, such as the firm’s valuation and identifying value drivers. This includes intellectual property, software technology, automation capabilities, subscriptions, unique market propositions and potential threats to these value drivers.

Organisations can substantially enhance their operational efficiency in the long run by identifying security risks before an acquisition. This insight is valuable, as identifying critical security vulnerabilities can potentially stall or, in extreme cases, halt an acquisition entirely, and it can certainly influence the agreed acquisition sum. Consequently, being aware of these risks before the acquisition allows the buyer to request that the seller improve its security measures. Due diligence should assess and report on the entire technology stack at each layer, as represented in Figure 2, including the existence of an exhaustive set of forty checkpoints. Proper digital due diligence significantly contributes to the seamless integration of the acquired entity into the seller’s corporate environment, enhancing business continuity, avoiding technology-debt hacks and minimising disruptions or the risk of buying a so-called ‘pig in a poke’.

Figure 2: Due diligence should aim at assessing all layers of the technology stack

So thorough due diligence on technology, processes and human capabilities is instrumental in building trust and maintaining a good reputation. An acquisition involves assets, operations and large quantities of customer and employee data. By identifying potential security risks and regulatory violations in advance, reputation damage can be prevented. This also includes the evaluation of vendor relationships, as these third-party connections can often be a weak link in the supply chain.

Since company value drivers (value-creating assets) have shifted towards the software technology in use, assessing “Secure Software by Design” principles and the use of good practices such as a Software Bill of Materials (SBOM) is needed. The software should be diligently checked to avoid buying technical debt or an inferior software technology stack. Furthermore, digital due diligence goes beyond technological aspects and includes evaluating the company’s cyber security culture, processes and the awareness level among its employees. This proved to be true in the Marriott International case, in which attackers probably gained unauthorised access to the Starwood guest reservation database via a phishing email [16]. The breach took place in 2014, two years before Marriott acquired Starwood, but was not discovered until after the acquisition was completed.

Also, digital due diligence is pivotal in safeguarding intellectual property (IP). Particularly in acquisitions designed to acquire specific technologies, the value of these core assets is of great importance. A notable cautionary tale is the case of DigiNotar, where the company’s main assets, its certificates, were illicitly replicated, eventually leading the company to go bankrupt and the acquiring party, Vasco, being left empty-handed, having purchased a “pig in a poke.” Comprehensive digital due diligence efforts are crucial in establishing that the IP is legally and technically protected and still holds substantial value. Awareness and deep knowledge of the technological and security status of the company, the leading suppliers and the exact identification of the value-driving assets to be acquired can significantly improve the transition period.

How to conduct Digital Due Diligence (DDD)

The selling and buying parties can both contribute to smoothing and accelerating the acquisition process. The selling company could show its security status based on any framework (e.g. CIS8, ISO27001, ISO27701, etc.) in the form of periodic statements that it is in control of its digital security, risk, privacy and audits, via a structured method of control testing and adequate follow-up of audit findings. This is good practice in general, not just before an acquisition.

The buying party can assess the in-control statements to conduct digital due diligence. The first step in this process is establishing the exact goal behind the acquisition. Does a company want to increase its market share, eliminate the competition or acquire a specific technology? The next step is determining which systems, software, data and other technological assets it needs to achieve its objectives. Then they can register all these highly valuable assets and their owners in an application, for example, in Anove.

After that, it is time to collectively assess the risks to which these assets are vulnerable. The final step is to evaluate the controls implemented in the organisation based on a framework such as the Payment Card Industry Data Security Standard (PCI DSS), ISO27001, the NIST Cybersecurity Framework (CSF), NIST 800-53 or other families. Financers can require this thorough assessment to examine the value and the potential technology debt of a company.

Solutions for both regulators and financiers

For the above-mentioned Digital Due Diligence, we can use the good practice of so-called “in-control statements”. These statements provide a quick overview of the status of the controls in a privacy and security management system. In highly regulated environments such as finance, in-control statements are already used as a way to verify and demonstrate to a supervisory authority that an organisation has done its accounting truthfully and lawfully. In-control statements are useful tools because they save supervisory authorities time, resources and money: the statements can be checked automatically, similar to the procedure for tax reports. Periodically, an audit would be conducted to assess whether a company has indeed provided truthful information; each statement is signed off by accountable persons.

It is not necessarily the case that every framework needs its own in-control statement. Frameworks often overlap to a certain degree in the controls they propose, and this overlap can be mapped to understand where the frameworks coincide. One “parent” framework is suggested that corresponds with multiple “child” frameworks and their controls: you only need to test a control in the parent framework to comply with multiple underlying controls, as shown in Figure 3. This mapping, which is done by communities such as SecureControlsFrameworks, is already present in technology such as Anove and is updated every time there is a change in a framework. This allows companies to send in just one in-control statement that covers adherence to a multitude of frameworks.

Figure 3: An example of a "test once, comply many" control for identification and authentication.
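The roll-up behind "test once, comply many", as an added example that is not code from the article or from Anove: parent controls are tested once, every child-framework control mapped to them inherits the result, and a child that depends on two parents only passes when both pass. The parent control names and the parent-to-child mapping are constructed for illustration; the child identifiers are real controls in the named frameworks, but the crosswalk is this example's simplification, not the Secure Controls Framework's published one.

```python
from collections import defaultdict

# Illustrative mapping (constructed for this example): parent control -> child controls
# it covers, per framework. Which parent covers which child is a simplification.
MAPPING = {
    "P-IA-1 Unique user IDs":   {"ISO 27001": ["A.9.2.1"], "NIST 800-53": ["IA-2"],
                                 "NIST CSF": ["PR.AC-1"],  "PCI DSS": ["Req 8"]},
    "P-IA-2 Multi-factor auth": {"NIST 800-53": ["IA-2"],  "PCI DSS": ["Req 8"]},
    "P-LOG-1 Audit logging":    {"ISO 27001": ["A.12.4.1"], "NIST 800-53": ["AU-2"],
                                 "PCI DSS": ["Req 10"]},
}

def child_requirements(mapping):
    """Invert the mapping: (framework, child) -> set of parent controls that must pass."""
    req = defaultdict(set)
    for parent, frameworks in mapping.items():
        for fw, children in frameworks.items():
            for child in children:
                req[(fw, child)].add(parent)
    return req

def in_control_statement(mapping, test_results):
    """Roll parent test results (True/False; missing key = not tested) up per framework.
    A child passes only when every parent mapped to it passed; one failed parent fails
    it; any untested parent (with no failure) leaves it untested."""
    statement = defaultdict(lambda: {"pass": [], "fail": [], "untested": []})
    for (fw, child), parents in sorted(child_requirements(mapping).items()):
        verdicts = [test_results.get(p) for p in parents]
        if any(v is False for v in verdicts):
            status = "fail"
        elif all(v is True for v in verdicts):
            status = "pass"
        else:
            status = "untested"
        statement[fw][status].append(child)
    return dict(statement)

def frameworks_in_control(statement):
    """Frameworks for which the statement can claim full adherence this period."""
    return sorted(fw for fw, s in statement.items() if not s["fail"] and not s["untested"])

# Constructed test results for one period: one parent passed, one failed, one not tested.
RESULTS = {"P-IA-1 Unique user IDs": True, "P-IA-2 Multi-factor auth": False}

if __name__ == "__main__":
    stmt = in_control_statement(MAPPING, RESULTS)
    for fw, s in sorted(stmt.items()):
        print(f"{fw}: pass={s['pass']} fail={s['fail']} untested={s['untested']}")
    print("In control for:", frameworks_in_control(stmt))
```

With the constructed results, only NIST CSF is fully in control; the failed MFA parent drags down IA-2 and PCI DSS Req 8 even though the user-ID parent passed, and the untested logging parent keeps ISO 27001 and PCI DSS from being claimed.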

Good governance (Chefsache)

The combination of all upcoming regulations and companies struggling to implement proper security management makes it hard for regulators and companies alike to comply. To navigate this complexity, a potential way forward is to use an existing framework as a basis, for example, within the EU or within specific industries. Drawing a parallel with the United States, where, after the major attack on the Colonial Pipeline, the use of NIST and Zero Trust strategies became mandatory for governments through a presidential Executive Order, a similar top-down approach is pushing digital security in this direction in Europe. This is comparable to what we faced after the MCI WorldCom and Enron scandals, when Sarbanes-Oxley (SOX) regulations were adhered to globally [17].

In essence, treating cybersecurity management in the same way as financial reporting standards ensures a structured and comprehensive approach, just as accounting reporting submissions (e.g. VAT submissions) provide monitoring that can detect deviations or malfunctions. It also encourages good stewardship among company owners.

Monitoring and reporting the technology state over the entire stack is crucial for any company, as well as its stakeholders such as investors, shareholders, supervisory bodies and buyers. Hence, digital security is a matter for decision at the highest executive level.

Concluding proposition

In our view, the only way forward for regulators and financiers is a combination of Digital Due Diligence, ‘test once, comply many’ and proactive ‘in-control statements’. The question remains: who will take the lead in a top-down approach to direct a foundational framework, or do we first need an incident like the ransomware attack on the Colonial Pipeline?

About the Authors

Yuri Bobbert PhD is a professor at Antwerp Management School (AMS) and CEO at Anove International (Anove.io). He is the former global head of IT Security, Risk and Compliance at NN Group NV where he led the digital due diligence and integration process for the NN Group acquisition of DeltaLloyd. The €2.5 billion deal created the largest life insurance company in the Netherlands and was authorised by the Central Bank (DNB).

Iris van Holsteijn MA is a young cybersecurity professional at Anove International. Iris holds an MA in Global Criminology and a BSc in International Development Studies.

References

  1. De Nederlandsche Bank, Good Practice Informatiebeveiliging 2019/2020, 2019.
  2. European Commission, "The Digital Operational Resilience Act (DORA)," [Online]. Available: https://www.digital-operational-resilience-act.com. [Accessed 2 Jan 2023].
  3. European Commission, "Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament," [Online]. Available: https://www.nis-2-directive.com.
  4. European Commission, "Cyber Resilience Act," [Online]. Available: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act. [Accessed 2 Jan 2023].
  5. European Commission, "Directive on Security of Network and Information Systems (NIS 2 Directive)," [Online]. Available: https://www.nis-2-directive.com. [Accessed 1 Feb 2023].
  6. SWIFT, "Customer Security Programme," [Online]. Available: https://www.swift.com/myswift/customer-security-programme-csp. [Accessed 2 Jan 2023].
  7. US Congress, "FISMA, U.S. Congress, Federal Information Security Management Act of 2002," March 2002. [Online]. Available: https://www.congress.gov/bill/107th-congress/house-bill/3844.
  8. PCI Security Standards Council, "Payment Card Industry Security Standards Council," [Online]. Available: https://www.pcisecuritystandards.org/document_library/?document=pci_dss. [Accessed 2 Jan 2023].
  9. BBP Media, NIS2 is Coming - And the Retail Industry is Not Prepared.
  10. CBS, "Bedrijven; bedrijfsgrootte en rechtsvorm," https://opendata.cbs.nl/#/CBS/nl/dataset/81588NED/table, 2023.
  11. Eurostat, "Sectoral overview," https://ec.europa.eu/eurostat/cache/htmlpub/key_figures_on_european_business_2021/sectoral_overview.html, 2021.
  12. M. Kors, "Wat betekent NIS2 voor Nederlandse organisaties?," https://www.computable.nl/artikel/blogs/security/7444125/5260624/wat-betekent-nis2-voor-nederlandse-organisaties.html.
  13. PricewaterhouseCoopers, "DORA: Why is it relevant to you," https://www.pwc.com/gr/en/advisory/technology/dora-why-it-is-relevant-to-you.html.
  14. F. Conijn and R. Smit, "Koper grijpt de macht bij bedrijfsovernames," Het Financieele Dagblad, https://fd.nl/bedrijfsleven/1493159/koper-grijpt-de-macht-bij-bedrijfsovernames, 16 October 2023.
  15. A. Athavaley and D. Shepardson, "Verizon, Yahoo agree to lowered $4.48 billion deal following cyber-attacks," Reuters, www.reuters.com/article/us-yahoo-m-a-verizon-idUSKBN1601EK, 2017.
  16. J. Fruhlinger, "Marriott data breach FAQ: How did it happen and what was the impact?," CSO, 12 February 2020.
  17. The Sarbanes-Oxley Act (SOX) is a federal act that was passed in 2002 with bipartisan congressional support to improve auditing and public disclosure in response to several accounting scandals in the early 2000s.