Mergers and acquisitions can be successful growth strategies for many companies. They bring together customers, IP, and assets — but they also bring together liabilities and risk. Among these are cybersecurity risks. “Cyber diligence” — cybersecurity evaluations performed as part of the M&A decision-making process — has grown in importance in recent years. What are a company’s vulnerabilities? What cybersecurity issues or incidents have they had in the past, and how have they dealt with them? What defenses do they have in place to protect themselves? These are all important questions to ask in an M&A deal. But even if you’re not involved with a merger or acquisition, the same analysis can yield important and surprising results.
Today there’s greater reliance on networked infrastructure and systems than ever before, making an evaluation of an M&A target’s IT environment a critical component of overall due diligence, from previous breaches and how the target responded to past incidents to the company’s compliance roadmap. You’ll need to know whether the target company has a cybersecurity vendor and examine recent cybersecurity audits to determine whether the target’s existing security posture meets your company’s standards.
Relevant regulations should be considered, including HIPAA, PCI DSS, and GDPR, as well as applicable state regulations such as Colorado’s Consumer Data Privacy Bill (PCPD) and the California Consumer Privacy Act (CCPA). Compliance audits may be conducted to ensure that the acquisition doesn’t introduce regulatory risks, or vulnerability assessments can be performed to detect and remediate vulnerabilities across the full infrastructure.
Given that there’s so much to consider in the cybersecurity realm alone, it’s easy to see how some important factors get overlooked. To find out more about the most commonly overlooked items that you should be paying closer attention to when considering an acquisition, we reached out to a panel of cybersecurity experts and asked them to answer this question:
“What are the concerns that acquiring companies should pay closer attention to when assessing information and cybersecurity risks while performing cyber diligence?”
Meet Our Panel of Cybersecurity Experts:
- Ian McClarty
- John Gerdes
- Byron Rashed
- Ray Rothrock
- Christian Nyakanyanga
- Will Ellis
- Christopher Gerg
- Bryce McDonald
- David Geer
- Swinburne Charles
- Joshua Foltz
- Alec Papierniak
- Dr. M. Thad Phillips
Read on to learn more about what you should be looking for when performing cyber diligence in order to assess risk.
Disclaimer: The views and opinions expressed in this post are those of the authors and do not necessarily reflect the policies or positions of Threat Stack, Inc.
Ian McClarty has over 20 years of executive management experience in the cybersecurity and data center industry. Currently, he is the CEO and President of PhoenixNAP Global IT Services. PhoenixNAP employs a staff of over 600, operating in 9 locations worldwide.
“Acquiring companies need to pay close attention to the basics when conducting their cyber diligence...”
Many companies hand over their compliance paperwork as proof of their sound security practices, but you should always take a closer look. There may be some controls in place that pass compliance, but may not do so at the risk level you are comfortable with.
Ensure that you thoroughly examine their asset inventory, termination processes, disaster control plans, etc., assessing accuracy and effectiveness. Inquire how many security-related incidents occurred over the past 1–2 years and then audit those occurrences. Assess whether any of these incidents point to a larger issue of lax security controls or a large breach.
We have seen over the past few years how costly unreported or unknown breaches can be when a company has been or is being acquired. Purchasing companies should always ensure that their cyber diligence is just as thorough as all other areas of the acquisition.
Ray joined RedSeal as CEO in February 2014. Previously, he was a general partner at Venrock, where he invested in 53 companies including over a dozen in cybersecurity. Ray is also a member of the Massachusetts Institute of Technology Corporation board.
“The merger and acquisition process typically starts out as a…”
discussion between companies on possible synergies and can rapidly turn into elaborate due diligence, where the acquirer crawls through the finances, business practices, assets, and liabilities of the acquisition target. Unfortunately, cybersecurity and IT practices are typically the last items on the due diligence list, and oftentimes the review will be cursory. [For an opposing view, take a look at this article. — Tim Buntel] Most merger agreements will be finalized using nothing more than a self-assessment questionnaire or simple verbal interview to deal with questions about the security of the network being acquired.
However, incidents like the Yahoo! breaches, which were announced while its acquisition by Verizon was in its final public phase, clearly show that this has to change. Acquirers need ways to understand the security posture of acquisition targets early in the process so they can tell what they are getting into. Many acquirers will look at the target company’s most recent cybersecurity audit. That’s a good place to start, but not good enough to sign off on what can be a multi-billion dollar acquisition. Firewall? Check! Malware scan? Check! Network segmentation? Check! Is it working? This is a question an audit cannot answer.
Acquirers need an understandable but thorough analysis of the security readiness and resilience of a company they plan to acquire. This requires thorough automation, combining internal information about the network’s completeness, hardness, and quality of maintenance. It’s not rocket science. When you merge with another company, you are merging with its network, with all its strengths and weaknesses. We don’t know whether Verizon has done a full review of Yahoo!’s network and cybersecurity posture. If they did, they should have known that the billion-plus user records were vulnerable. If they did not, they will certainly do one next time.
Christopher Gerg is the CISO & Vice President of Cyber Risk Management at Gillware. He is a technical lead with over 15 years of information security experience, dealing with the challenges of information security in cloud-based hosting, DevOps, managed security services, ecommerce, healthcare, financial, and payment card industries.
“Many technology companies have grown through acquisition…”
either buying up a competitor or expanding their portfolio by buying an already-successful product. The organization does not want to get in the way of what they are (and have been) doing and as a result, does not integrate the new organization fully into the information technology framework that already existed in the parent company. This is a short-term decision that has long-term effects. You end up with “islands of technology,” each with its own policies, standards, procedures, technology stacks, systems, and services. In the mid-term, it leads to cost (and coordination) inefficiencies and in the long-term, leads to information security issues as systems go without central management and administration and bad practices get worse. In addition, it makes integration of the newly acquired product much more difficult as the teams have trouble coordinating, and each runs in its own environment.
In the long-term, rectifying this ends up costing more than unifying policies, standards, procedures, and technologies in the first place. This is often overlooked when growing through a merger or acquisition — either expanding a single organization or purchasing an organization that has grown itself this way.
Swinburne Charles is the Director Architecture and Design at Checksum. He is an experienced board level manager with outstanding operational, IT, and customer relation skills. He is a specialist in bridging the gap between business and the latest technology by providing innovative opportunities to foster improvements in efficiency, productivity, and profitability.
“Any organization worth undertaking the M&A process must be viable, and…”
as a result is heavily dependent on computing and data to perform daily transaction and management activities. In today’s world, we understand that technology has provided companies with tremendous operational and economic benefits, including reduced costs and increased productivity.
It goes without saying that cyber risks should be incorporated into the due diligence process; however, due to the ever-evolving nature of cyber threats, there are increased tendencies to not consider all IT risks, which may not have been applicable the week prior to signing an MOU against the M&A process.
Here are a few items which should be considered during the cyber due diligence stages:
- Identification of the company’s important digital assets (data in particular). This involves determining how important those assets are to the company and also what the impact would be from a business, regulatory, or compliance standpoint should those assets ever fall into the wrong hands.
- Evaluation of the company’s internal cybersecurity program to ensure that it is appropriate for the company and aligns with what is truly required from an industry, regulatory, or compliance standpoint. If there is misalignment with legal regulations, assess the risk associated with the current failure to comply.
- Identify whether the company has been a victim of prior breach incidents, and if yes, what their incident response methodologies were.
- Evaluate the company’s overall resilience and general ability to weather a cyber attack on its digital assets.
Considering the transactional difficulties that cyber breaches can create, as highlighted in many cases globally, a holistic approach to the cybersecurity due diligence early in the proposed M&A exercise should be deemed essential to protecting the acquirer’s interests.
John Gerdes is the Chief Operating Officer of Secure Merger. He leads Secure Merger’s cyber risk assessments and compliance audits, breaking down organizations’ cyber risk and empowering them to make informed decisions in resource allocation and strategic planning.
“Security folks know the weakest link in any organization is the people…”
No matter how many security tools the organization uses, well-meaning people are the ones who click on phishing links, share logins at the office, write passwords on sticky notes, and leave laptops in their cars. That’s why most successful cyber attacks, no matter how sophisticated, start by attacking the “chair–keyboard interface.”
So it’s surprising how often acquiring companies content themselves with cyber due diligence that doesn’t go onsite and talk to people. Much more so than most other areas of due diligence, cyber can give you different answers not only when you compare policy to reality, but when you compare the executives’ answers with those of the frontline employees.
Christian Nyakanyanga is a cybersecurity expert dedicated to protecting organizations against cyber risks.
“The most commonly overlooked item is the alignment between the cybersecurity team, their goals, and the organization’s goals…”
Is there a representation of the cybersecurity function at board level? The best indicator of how an organization views cybersecurity is how well the cybersecurity team is represented at an executive level. Pay closer attention to who is or is not sitting at the table.
Bryce McDonald is an information security and cloud automation professional with over 15 years of experience. He is also the founder and CEO of a startup, NorthCode Solutions, which designs, deploys, and manages cloud infrastructure for small businesses.
“The most commonly overlooked item acquiring companies should pay closer attention to in assessing information and cybersecurity risks while performing cyber diligence is…”
the attack surface of the acquired company. To put it simply, the attack surface is the sum of all the different ways that an organization can have a malicious actor enter or extract information. Larger companies tend to have larger attack surfaces just by the nature of the company’s scope, but it doesn’t follow that smaller companies necessarily have smaller attack surfaces. If proper mitigative controls are not put in place, smaller companies can have disproportionately large attack surfaces. Sometimes this is due to a lack of information security resources within smaller companies. Other times it is due to a lack of information security knowledge, even among hired staff. I believe this is in large part because of the disconnect between regulatory compliance and real security. Although many regulations do mention the attack surface of an organization, few regulations have any attack surface reduction requirements. Even when a regulation does mention the attack surface of an organization, whether it’s larger or smaller than it needs to be is typically more subjective than you might think. Each organization’s attack surface is bespoke. While hired information security staff are often laser focused on meeting compliance goals for every regulation a company is put under, many lose sight of the bigger picture in actually keeping the company safe. How do I prefer to do this? By making the target a hacker has to hit as absolutely small as possible.
As Technical Executive and CISO at Axcient, Joshua Foltz is responsible for the strategic direction of the company’s IT, Information Security, Governance, Compliance, and Operational functions. He works with Sales, Sales Engineering, Customer Support, Product Management, DevOps, Cloud Engineering, and Development to accomplish overall business goals and objectives.
“Acquiring companies need to understand that they are inheriting the security risk during the acquisition…”
This is often overlooked in smaller acquisitions and can have a major impact on the success of the integration. Imagine a company that has a strong security culture inheriting a company with an apathetic security culture. That culture collision is going to result in cybersecurity incidents and conflicts for months or years to come — the inherited company will introduce risk to the company with a mature security culture. These important differences will require time, effort, and money to resolve. As a worst case scenario, this could result in a breach. If, however, these issues are found and the risk is assessed early in the acquisition during the diligence phase, then a project to combine these two cultures can be planned at inception.
It has been my experience that when acquiring companies with a weak security culture, this fact can be used at the negotiation table as it has an effect on the value of the company and the cost to resolve. To overcome these risks, I recommend the following pre-merger/acquisition audits:
- Network Layer Penetration test on any infrastructure that is part of the merger or acquisition
- Application Layer Penetration test on any custom application to understand the Security risk being accepted during acquisition
- IT Risk Assessment — this is a review of the governance and Security best practices of the organization
- Audit of any regulation the acquired company is presenting as value… to ensure compliance
The acquiring company should assign a dollar amount to resolving any gaps found during these audits during the diligence phase and use that as part of the negotiation and decision-making processes.
Byron Rashed is the VP of Marketing at Centripetal. He has over 20 years of industry experience spearheading global marketing and public relations programs in various B2B organizations that target IT security solutions to the enterprise and OEM markets, driving growth and advancing strategic goals.
“There are two items in my opinion. First, cybersecurity training for all employees…”
This is becoming a necessity since most breaches are caused by human error. The second item is assessing partner/supply chain access to the network. There have been high profile breaches where the threat actor entered a network via access from a vendor/partner/supply chain. Ensuring that the partner network is secure is just as important as ensuring that the company’s network is secure. Although difficult, all agreements should consider best cybersecurity practices in order to best protect the organization when dealing with other outside networks.
Will is the founder of Privacy Australia. He’s been a network security engineer for the duration of his 8+ year career, starting with IBM cloud and later founding PC with colleagues.
“The most commonly overlooked areas acquiring companies should pay closer attention to by far are the basics…”
Yes, every company should do a deep dive into the security practices of the company it is acquiring. With that deep dive, the basics get left behind. If the following isn’t present, then you know the company you are acquiring has not been taking security seriously:
- Company firewall
- Documented cybersecurity policies for employees
- Mobile device security plan
- Employee training and awareness on basic issues such as how to avoid a phishing scam
- Safe password practices
- Data backups
- Malware scans
- Multifactor identification
- VPN use
These are the basics. While security experts are diving into cloud infrastructure and database infrastructure, common employee practices are being ignored.
David Geer is a 20 year veteran B2B content writer for the cybersecurity industry.
“Most companies experience breaches…”
Look at how fast and how well they respond. Do they stop the bleeding quickly? Do they minimize the damage? Do they fix the problem, so they don’t see further breaches via the same vulnerabilities? Do they maintain customer confidence in the wake of a breach? Do they use their security savvy as a selling point with partners and customers? Consider a company’s resiliency in the face of today’s cyber realities.
Alec Papierniak is a Minneapolis-based software consultant, specializing in security-focused development. He has over a decade of experience helping clients build, scale, and secure applications and processes. He is a founder of Nordic Dev, a software development consultancy, and Spear Forward, a spear phishing awareness training provider.
“One of the most important, and often overlooked, factors that acquiring companies should pay more attention to is human exposure…”
In 2018, we saw a dramatic rise in the number of successful phishing attacks carried out against employees — both of target companies, and vendors supplying target companies. The recent breach involving Quest Diagnostics vendor American Medical Collection Agency, as well as the massive Citrix breach earlier this year, highlight the importance of training and raising employee awareness around phishing attacks.
Oftentimes, organizations spend significant resources implementing well-thought-out pipelines to document and analyze software and endpoint dependencies, but overlook the human element. Password strength and rotation requirements often don’t align with what contributes to a better password — requiring upper and lower case, a number, and a symbol doesn’t significantly improve password strength if the length requirement is only 8 characters. Forcing employees to change these passwords every three months doesn’t help either — oftentimes, employees will simply add a number at the end, and increment this number for each required change. So [email protected], when required to change, becomes [email protected], then [email protected], etc.
Phishing attacks are on the rise, and have contributed to several high-profile breaches over the last year. Training employees on how to recognize and report suspected phishing is a great way to raise awareness and lessen risk. The industry as a whole is seeing more and more spear phishing attacks, which require a different level of training and recognition than what most phishing attacks require.
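The two password-policy points above (length matters more than mixing character classes, and quarterly rotation degenerates into incrementing a trailing number) are easy to make concrete. The following is an added example written for this post; it is not code from the original article or from any of the panelists, and the sample passwords and the thresholds (14 characters, 60 bits) are constructed values, not an organization's real policy. It estimates an upper bound on brute-force strength from the character classes a password actually uses, and rejects a change that only bumps a trailing counter.

```python
import math
import re
import string
from typing import List

# Character classes used to size the guessing pool; the counts are the usual
# printable-ASCII class sizes (26 lower, 26 upper, 10 digits, 32 symbols).
_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force strength: log2(pool ** length), where pool is
    the combined size of the classes the password draws from. Dictionary words
    are far weaker than this bound suggests; the point is only that an extra
    six or eight characters outweighs mixing in a digit and a symbol."""
    pool = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


# Splits a password into a stem and an optional trailing run of digits.
_TRAILING_COUNTER = re.compile(r"^(.*?)(\d*)$")


def is_counter_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with only a trailing number changed, added or
    removed (case-insensitive on the stem), i.e. the increment habit the quote
    describes. Identical passwords count as a rotation too."""
    old_stem = _TRAILING_COUNTER.match(old).group(1)
    new_stem = _TRAILING_COUNTER.match(new).group(1)
    return old_stem.casefold() == new_stem.casefold()


def check_password_change(old: str, new: str,
                          min_length: int = 14, min_bits: float = 60.0) -> List[str]:
    """Return the policy violations for a proposed change; empty means accepted.
    Constructed thresholds: a length floor plus a keyspace floor, and a reject
    for counter-only rotations."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if keyspace_bits(new) < min_bits:
        problems.append(f"estimated keyspace below {min_bits:.0f} bits")
    if is_counter_rotation(old, new):
        problems.append("differs from the previous password only by a trailing number")
    return problems


if __name__ == "__main__":
    # Constructed samples: an 8-character password meeting all four class rules
    # versus a longer all-lowercase one, and a counter-increment rotation.
    for pw in ("Ab1!Ab1!", "correcthorsebattery"):
        print(f"{pw!r}: ~{keyspace_bits(pw):.1f} bits")
    print(check_password_change("Summer2019", "Summer2020"))
    print(check_password_change("Summer2019", "correct horse battery staple"))
```

The keyspace estimate is deliberately optimistic, so a password that fails it is certainly too weak, while one that passes still needs a breached-password check before it is accepted.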
Dr. M. Thad Phillips
Dr. Phillips is a seasoned healthcare IT information security professional, as well as an operational technical infrastructure service director. He is a graduate of UAB’s MSHA, MSHI, and MBA programs. He currently serves as an adjunct professor at the Tulane University School of Professional Advancement.
“In our ever-expanding business world of consolidating growth through mergers and acquisitions…”
companies tend to focus on components of the business in traditional terms, be it price to earnings ratios or the “what have you done for me lately” model. In the world of cyber though, where businesses are dependent on technology in order for supply chain, workflows, and output in terms of production to keep the ship sailing and moving forward at a faster pace on a daily basis, one needs to keep a very close eye on cybersecurity.
This cybersecurity space can be wide and deep depending on the business and ultimately the reliance on technology as a major vector in company performance. More often than not, cybersecurity is overlooked and major assumptions are made that everything is “OK.” However, when assessing another business for acquisition, the days of old are over with this line of thought, and a “trust but verify” approach needs to be implemented to ensure that everyone is on the same page in terms of security controls and vulnerabilities.
When assessing a business on a partnership, merger, acquisition, or just bare bones services at a basic level, if data is to be accessed, transmitted, and stored in any way, there must be a high level of scrutiny and vigilance. Depending on the sector, be it healthcare, banking, finance, retail, or the like, there are many different regulatory “gotchas” that organizations must be aware of and adhere to very strictly due to audits, associated penalties, potential lawsuits, and company reputation.
As businesses acquire others, they are inherently growing their portfolio of information technology reliance, and the associated risk that comes hand in hand with it is unavoidable. Thus, the due diligence needed to assess and evaluate cybersecurity is greater than ever. As such, some key items to look for as a business is going through the process of requesting pertinent information are as follows:
- Request at a minimum what cybersecurity framework a business is using to protect their sensitive data (i.e., demographic data of a personal nature to credit card transactions). Examples of frameworks may include NIST, HI-Trust, and a cadre of others.
- Request the basics in terms of encryption — to mean any sensitive data needs to be encrypted in transit and at rest for protection purposes.
- Request a SOC (System and Organization Controls) report performed by a third party on the business to understand where they are in terms of cybersecurity and where they are going, or need to go, before you do business with them. These reports vary in complexity as a SOC 1 report covers financials, a SOC 2 is a very detailed security evaluation, and/or SOC 3 is a summarized security report — always demand the SOC 2 or have a separate third party come in and do the assessment with or without it.
- Contractually add verbiage that your business has the right to perform audits on a semi-annual or annual basis at a minimum.
- Finally, look for user access controls for provisioning during onboarding and offboarding of workforce members with elevated system privileges or any level of access for that matter. This life cycle approach is no different with technology than with people as legacy systems may be purchased and dealt with from a migration and/or decommissioning process.
The bottom line when acquiring a business is to know the nuts and bolts of what you are getting into on the technology front and all the security that may or may not be wrapped around it.