Mergers and acquisitions can be the scourge of investors. Conventional wisdom holds that many large deals are value destructive, fraught with risk, and take years for companies to recover from. But an extra factor, too often overlooked by both buyer and seller, is cyber risk.
A company can pay too much for a rival, and the synergies paraded in its pre-deal charm offensive may not materialize. But these challenges will be put in the shade by the reputational damage, deal value discounting, and operational disruption the company will suffer if a cyberbreach is discovered during or after an acquisition.
You only have to reflect on recent prominent hacks to grasp the magnitude of the consequences of neglecting thorough cybersecurity due diligence. Verizon cut its purchase price for Yahoo by $350 million in 2017 after the web portal disclosed widespread cyberattacks under its watch, and Marriott disclosed a major breach in 2018 from the properties it acquired with the purchase of Starwood.
Despite these high-profile cases, many acquirers only pay lip service to ensuring their targets are shielded from hackers. Few conduct a thorough review of a target’s security posture, and many neglect their target’s risk profile altogether.
“If a target company doesn’t understand its own risk profile well enough to explain it to the acquiring company, it’s a red flag,” says Jamie Lewis, a venture partner at Rain Capital, a venture capital fund that specializes in cybersecurity, artificial intelligence, and analytics markets.
From the moment a company pivots into an acquisition strategy, two crucial considerations often get overlooked by the C-suite. First, in the years leading up to an approach for a company, the potential acquirer needs to have conducted a thorough appraisal of the target’s cybersecurity profile, according to a 2018 report by KPMG examining cyber risks in M&A transactions. This assessment should reveal how well the target understands its own risk profile, its track record of incident responses, and the steps the target has taken to improve its defenses.
The second important indicator that is often ignored by acquirers is the security posture of the takeover candidate. A healthy and effective stance is one where the target assumes an attack is imminent and is prepared with effective network monitoring tools and solid defenses of its most prized assets.
“Cybersecurity issues are a priority for corporate America,” particularly during a transaction, and can result in the end of a deal or a big price cut for the seller, KPMG says in its report.
So, alongside a company’s profit and loss account, balance sheets, and inventory, as well as its governance and accounting procedures, it’s equally important for an acquirer to check the target’s patching, endpoint visibility, and network security monitoring infrastructure. If they aren’t up to snuff, a hack or a breach could be a matter of when, not if.
Acquirers too often fail to sit down with a target company’s management and ask them how seriously they take security and what they see as the cyber risk to their business. Taking the time to vet cyber weaknesses before an acquisition not only makes sense for the security of the combined businesses but is also a prudent, defensible strategy that will help to protect the integrity of the acquirer’s takeover approach.
Here are five key security issues that potential acquirers should consider when they go hunting.
A thorough security assessment of a target company will identify likely attackers, including their capabilities, goals, and methods, and the ways a cyberattack can affect the firm’s operations. As well as examining physical and environmental security, business resilience, and operations management, acquiring companies should also monitor the cybersecurity threat landscape the target operates in, says Ron Bradley, a vice president at Shared Assessments, a global membership organization that develops best practices, educational materials, and tools to drive third-party risk assurance.
Once negotiations are active and the target has opened its books to the acquirer, preliminary security assessments can be followed with more detailed checks and requests for information. It’s here that good endpoint cyber hygiene checks can be brought to the fore: Simple endpoint strategies can be used to assess application security, network vulnerabilities, patching cadence, weaknesses in access management, and data protection, as well as the critical incident responses the target company has installed.
A key issue to examine, says Bradley, is how tightly a target company runs identity and access-management privileges and whether it grants them on a permanent or unmonitored basis.
The security posture of the target is something to always be mindful of: “If the target’s assessments are largely focused on technology and products, or if the security and executive teams aren’t thinking in terms of threat profiles, that could be a red flag,” says Lewis.
If a target company doesn’t know where the crown jewels of its enterprise are located, then that is a disaster waiting to happen. Unfortunately for the acquirer, this problem sometimes becomes apparent only during breach investigations when the organization is unable to clarify what its prized assets are and where they are stored. Before an acquiring company follows through on its purchase, it must be confident that the target has an established risk-management program and a set of cybersecurity controls and standards in place that monitor and safeguard its most precious assets, Bradley says.
The acquirer also needs to be able to verify that the target has inventory tools that enforce data asset integrity. The owners of data on the network must be identified, and it’s critical that the data are updated and verified on a scheduled basis. Bradley says companies with solid cyber postures will run periodic reviews of their asset-management programs and the overall effectiveness of their cyber controls. Acquirers should ask to see evidence of those reviews and remediation strategies during the acquisition process.
Another challenge is that acquirers may view the importance of assets differently from the target company’s view, and consequently the acquirer’s expectation of how to safeguard those assets may be very different from the defenses the target has in place. For example, a system administrator’s computer on a legacy platform may not be on a target’s crown jewels list, yet a successful attack on that device could release a trove of sensitive information.
A security-conscious target company should also be able to provide acquirers with a security assessment that identifies potential vectors that attackers could pursue to reach key assets, says Lewis. “If the target company has done that work, it’s an excellent sign. If they don’t understand why such work is even important, then it’s at least a yellow flag.”
Supply chain and third parties
From a security standpoint, acquiring companies should view targets less as single entities and more as an amalgamation of assets, endpoints, vendors, partners, and customers, says Bradley. With this in mind, acquirers should seek access to a list of the third parties on the target company’s enterprise network, along with an assessment of the risks they present. The acquirer must also review weaknesses identified by the target company specific to vendors and third parties and ensure that timely remediation of these weaknesses has been performed and validated.
If this third-party information isn’t available, the acquirer should seek to conduct its own supply chain assessment to understand the types of companies that regularly interface on the target’s networks, what admin rights they have, and the network configurations that are in place. In this era of ransomware and supply chain attacks, this information can be instrumental in preventing a breach.
Working the perimeter
As the pandemic has pushed the workforce toward work-from-home and hybrid home-office models, the biggest security challenge facing most companies is the increased attack surface their networks present to hackers. To stay on top of the thousands of remote devices being introduced to their networks, companies have had to stay vigilant to the new avenues cybercriminals can take to breach their perimeters.
Acquirers need to check whether target companies have invested in additional resources to accommodate additional remote users on their networks and whether the target has zero-trust practices in place, says Bradley. “Zero trust,” which treats every device that tries to log on as a potential threat, is a more straightforward solution than VPNs (virtual private networks), which have proved difficult to scale and are prone to break down.
“Unmanaged target employees’ devices, such as PCs, smartphones, gaming consoles, and IoT appliances, can increase the target’s attack surface,” explains Bradley. “Companies not equipped with proper endpoint protection and data loss prevention will continue to find themselves in catch-up mode.”
Finally, potential acquirers must gain an understanding of a target’s overall corporate culture, and that extends to the IT network and security professionals, says Bradley. This information gathering can begin during the pre-signing period in the document-sharing and interview phase of the acquisition process. It must include a review of the target company’s human resources policies and procedures and the target’s employee turnover rate, particularly of its IT enterprise technicians.
It’s also important to assess the ability of the company to attract top cyber talent and, even more important, its ability to retain this talent, as that gives a clear message of how successfully the company maintains and manages its network security. Of all the aspects of cybersecurity that should be attended to during an acquisition, network security personnel can be the most neglected. However robust a security platform is, it will quickly atrophy without the talent in place to operate and maintain it.