The Rook

The Deal You Didn’t Know You Made: Cyber Risk in M&A

20 min · 27 Apr 2026

Description

In this episode of The Rook, David Shaw, founder of Corvus Cybersecurity and principal vCISO, examines the most consistently overlooked risk in M&A transactions: inherited cyber exposure. From Yahoo's misrepresentation of its breach history during the Verizon acquisition to the Marriott-Starwood breach that went undetected for four years, the pattern is the same. Cybersecurity due diligence gets a questionnaire, while financial and legal diligence get exhaustive scrutiny. The result is that acquirers close deals and inherit compromised environments, undisclosed incidents, and compliance gaps that carry real remediation costs.

In this episode:

* How Yahoo's misrepresentations to Verizon held through signing, and what saved Verizon wasn't diligence
* How Marriott bought a four-year-old, undetected breach when it acquired Starwood
* Why the standard M&A cybersecurity questionnaire fails to catch material risk
* How R&W insurance carve-outs and cyber insurance pre-existing condition exclusions are changing the stakes for deal teams
* The four-stage cyber due diligence process used on the buy side, and the three-bucket model for translating findings into deal team decisions
* What sellers should be doing now to protect deal value
* Three artifacts every buyer should require, not just three questions to ask

The Rook · Corvus Cybersecurity · corvus-cyber.com · David Shaw, CISSP, GLEG


All episodes

2 episodes


The Rook Ep. 002: Your Compliance Program Is Not a Security Program

A clean audit doesn't tell you whether your company is secure. It tells you something much narrower, and the gap between what the audit answers and what executives read into it is where most companies are quietly carrying real risk. In this episode, David Shaw walks through what compliance audits actually evaluate, the three places where compliance and real security pull apart inside companies (access management, detection, out-of-scope creep), what someone running a real security practice will tell the board, and the two questions every board should be putting on the agenda at the meeting after the next audit closes.

In this episode:

* What an audit actually answers, and what it doesn't
* Why the gap between the report and reality isn't a failure of the audit
* The three places compliance and real security pull apart: access, detection, scope
* What a real security practice looks like, versus a compliance program
* What someone running a real program will tell the board
* The two questions to put on the agenda after the next audit closes

Resources mentioned:

* SOC 2, ISO 27001, PCI, NIST, HIPAA frameworks

Connect with David Shaw:

* Website: corvus-cyber.com
* LinkedIn: linkedin.com/in/djshaw
* Email: david@corvus-cyber.com

The Rook · Corvus Cybersecurity · corvus-cyber.com · David Shaw, CISSP, GLEG

19 May 2026 · 18 min


The Deal You Didn’t Know You Made: Cyber Risk in M&A


27 Apr 2026 · 20 min