The CISO’s M&A Survival Guide
When your CEO goes shopping for a merger or acquisition, don’t let the company get caught with its defenses down.
Despite a global slowdown in dealmaking—as touted this week by The Wall Street Journal—mergers and acquisitions (M&As) are still very much alive.
While it’s true that economic uncertainty, and the war in Ukraine, have effectively tapped the brakes on deals, business leaders are still seeking them out where they make sense (See JetBlue and Spirit Airlines). Last year, the value of global M&A transactions reached $5.1 trillion, up from just $3.8 trillion the year prior, according to accounting firm KPMG. Despite a recent slowdown in transactions, the desire for M&A among executives remains robust.
But in their rush to acquire and merge, CEOs and their boards often leave cybersecurity out of the dealmaking loop. In some cases, the result has damaged corporate reputations and brands, led to massive regulatory fines, and triggered the reevaluations of major bids by as much as $350 million.
Identify and contain adversaries before they can spread across your network.
Managing a cyber incident before, during, or after a transaction can be extremely distracting. “Cyber leaders must ensure that they can support the business in driving growth and generating revenue, and there are already enough variables in play during an M&A situation,” says Shay Colson, a managing partner at computer forensics and investigation firm Cyber Diligence.
It’s helpful to think of cybersecurity as the bass player in an M&A deal—laying down a solid foundation but working in the background.
If corporate suiters don’t properly address cybersecurity, they can expect dealmaking surprises to continue. To help lessen those gotchas, and provide security leaders with a tool kit to advise their C-suite, Endpoint surveyed chief information security officers (CISOs) and others for the following best practices:
Get into the M&A deal loop
The earlier the CISO gets up to speed on a deal, the better. Unfortunately, because of the need to keep negotiations secret during the early stages, only a handful of executives are usually privy to potential deals.
But that shouldn’t keep CISOs from whispering into the ears of executives ahead of any potential acquisition. “CISOs need to understand if their organization has an acquisition strategy or whether it’s something that could happen in the future,” says Theresa Payton, CEO at security consultancy Fortalice Solutions. “If so, briefing your C-suite ahead of time can help you a lot.”
CISOs need to understand if their organization has an acquisition strategy or whether it’s something that could happen in the future.
“I think most CIOs and CISOs know this, but it’s always a helpful reminder that cyber isn’t the star of the show in M&A,” says Colson. “By the time the deal teams are in place and moving, it’s highly unlikely that a cyber finding will kill the deal.”
Colson says it’s helpful to think of cybersecurity as more like the bass player—laying down a solid foundation but usually working in the background to support the other performers. “That takes a certain level of humility but leads to consistently better outcomes during the diligence phase and after the deal has closed,” he says.
Not being at the deal table doesn’t mean the interests of CISOs have to go unrepresented. They should reach out ahead of any deals and educate the CEO, board members, and other senior leaders about the risks and the importance of getting cybersecurity right during any merger or acquisition.
Prepare business leaders with the right questions
It doesn’t take many questions to get a sense of the maturity of a cybersecurity program at an M&A target. Executives involved in the early stages of a deal can make a few strategically placed inquiries to start the cybersecurity due diligence process without the CISO actually being in the room, according to Payton of Fortalice Solutions.
Questions vary by industry. For example, healthcare organizations may ask about protections for sensitive personally identifiable information, while software companies might evaluate the security of software development processes. Company execs might try to identify the CISO or CIO who solely manages a target company’s cybersecurity efforts.
[Read also: Making sure there are security leaders in charge is one thing—here’s how to get CEOs to actually listen to them]
“Not having a person in charge of security at a decently sized business, or if there are no real secure software development processes defined, those are serious red flags,” says Payton. Also, ask about their multifactor authentication approach related to the movement of money or sensitive data, she suggests. “If they respond, ‘What is that?’ then you have your answer.”
Do your due diligence
As much as is practical before a deal is completed, it’s important to understand the security posture of the merger partner or acquisition target. What security programs and controls are in place? What are the gaps between the security programs of the organizations involved in the deal?
I can find the soft underbelly of technology and process in three days or less.
The American Institute of CPAs specifies how organizations should manage customer data and has created a voluntary compliance standard, called SOC 2. While some companies may have current SOC 2 compliance reports that indicate their level of information technology and security maturity, in many cases the target company should also complete a third-party assessment.
Such an assessment will provide reasonable assurance that the company isn’t negligent and will help prepare for a deeper dive post-merger or post-acquisition.
[Read also: 5 steps for evaluating cybersecurity before an acquisition]
Even before a deal is signed, it’s time to start planning for the longer-term security initiatives that need to follow, particularly when the organizations involved are similar in size and maturity. Companies that will acquire multiple companies should consider developing integration playbooks for key security areas, such as identity management, authentication and authorization, auditing and logging, backups, and vulnerability management. And they should ensure that controls are consistently applied to newly acquired companies.
Conduct a post-deal risk assessment
Once the contracts are signed, it’s crucial to get an assessment started as soon as possible. Find out who will be responsible for mitigating any risks an audit uncovers and establishing milestones to address those issues. This includes activities that would help assess baseline risks, such as conducting penetration and web application testing.
You need to know what you’re going to be protecting. That’s impossible without appropriate inventory.
Eric Galis, CISO at education technology company Cengage Group, advises enterprises to base their assessment methodology and integration plans on the same framework that guides their own security strategy, whether NIST 800-53 or the Center for Internet Security’s Critical Security Controls. “This ensures consistency and allows for stronger integrations into current cybersecurity practices,” says Galis.
A critical area to understand is the dataflow within the acquired organization, says Glenn Kapetansky, CSO and technology capability lead at business consultancy Trexin Consulting. He advises CISOs to meet with directors or other executives who lead IT functions and ask them to trace their dataflow from testing through production. Risk lies buried in data, data access, and data handling, and can materially affect company valuation, he says. Mitigating that risk should remain a high priority throughout the merger or acquisition process, and after the fact.
“I ask about the applications surrounding the data in application testing, user acceptance testing, production, and the systems and infrastructure,” Kapetansky says. “Finally, I ask about the processes and roles in their software development life cycles. Invariably, I find the soft underbelly of technology and process in three days or less.”
[Read also: Software development is what most business leaders worry about. It’s time more started asking about software supply chain security]
Additionally, it’s also vital to conduct a comprehensive inventory of applications and other networked assets that will need to be assessed after the merger or acquisition is completed and the consolidation of the separate technology stacks begins. “You need to know what you’re going to be protecting, and that’s impossible without appropriate inventory,” says Anthony Catalano, national cyber lead for private equity at RSM US, an audit, tax, and consulting firm.
Integrate the two company’s security teams
Finally, successfully merging the security teams from each organization will lay the groundwork for long-term success. While it’s certainly important to understand the security profile of a merger or acquisition target, it’s equally necessary for leaders to know how they’re going to secure the newly formed organization moving forward.
“Perform risk analysis and audit both departments’ representatives to see their strengths and weaknesses,” says Wojciech Syrkiewicz-Trepiak, a security engineer at infrastructure code provider Spacelift. “Bring them into one room and talk together. If you have talented team members on both sides, let them do their jobs by defining the goals.”
Assess the next deal, and the one after that
Ultimately, companies need to be looking to the future and the next deal. CISOs should not only make sure they are brought into any future M&A early, but they should also look for ways to use the merger or acquisition as an opportunity to justify steps to bolster their security budget.
“There are often one-time merger costs that your company will be allowed to charge off as an expense,” says Payton. “This is a great opportunity to find areas with a valid tax reason that applies to the merger, that could justify additional security tools.”
And with sizable threats looming after a deal, what CISO doesn’t need more tools at her or his disposal?