Why Evaluating Cybersecurity Prior to Mergers and Acquisitions is Necessary
Timely response and proactive investigation can help lessen the potential negative impact poor cyber hygiene can have on a business acquisition
Given the rise in third party breaches, including successful wide-scale attacks against major technology providers such as Solarwinds and Microsoft, Third Party Risk Management (TPRM) is becoming a critical concern for security teams responsible for the secure integration of third party systems and infrastructure during mergers and acquisitions.
M&A Process Changes
The due diligence process is no longer limited to the traditional concerns around finance, contracts, liabilities, information technology, and key man risk. Cybersecurity is now a major focus during the M&A process.
With limited review time to evaluate security risks, firms engaged in mergers and acquisitions must hone in on specific areas of cybersecurity and dangers including “outside the firewall” if they are to successfully identify and mitigate risks associated with their investments.
Here are 6 focus areas M&A firms should evaluate in their due diligence process:
1. Security Engineering and Operations Management: Work that requires a dedicated security team is too often managed by IT. Many organizations have only a single IT manager with a small cross functional team. In the best cases, companies have an accompanying MSSP or MDR vendor, but that still doesn’t guarantee the level of security necessary to mitigate investment risks.
Maturity levels vary between organizations, but a moderate sized company lacking contemporary security controls, such as identity and access management (IAM) or vulnerability management systems, tends to be a red flag that larger issues may exist that investors and firms should be aware of. It is of particular concern when these organizations are responsible for safeguarding PCI, HIPAA, or maintaining other regulatory compliance.
2. Vulnerability Management: Many organizations still lack an effective vulnerability management capability and seemingly struggle with asset inventory, configuration and release management, and timely patch management. The absence of these fundamental practices creates an expanded attack surface and one that is increasingly leveraged by advanced threat actors and should be viewed with caution. Learning what vulnerabilities exist before you acquire can help you identify the type of investment necessary in bolstering protections should a purchase go through.
3. Endpoint Security Management: An effective endpoint security management solution must match the sophistication of threats targeting a business. End user systems and devices are a primary access vector utilized by attackers for initial access into corporate networks. Insufficient visibility and security controls at the endpoint can ultimately lead to widespread internal compromise of critical systems and adversary access to sensitive data. Remote and dispersed workforces increase the threat of compromise via endpoint systems and devices.
4. Network and Data Access Management: Effective network and data access management is a challenge for companies small and large, increasingly so with geographic expansion and today’s remote workforces. Legacy network architectures still plague many organizations. Coupled with the lack of reliable segmentation and consistent access controls restricting access to network shares and repositories, these companies needlessly expose themselves to increased risk. Sensitive data, systems, and infrastructure create an expanded internal attack surface.
5. Incident Response Management: Organizations often lack incident response management capabilities and struggle with integrating emerging technologies, enhanced monitoring, and the establishment of playbooks and processes. An organization’s maturity and experience with incident response management often serves as a good litmus test for the general security posture and its ability to respond to current and future threats.
6. Adversary Emulation: Adversary emulation assessments and red teams are great tools for testing security controls and evaluating existing threat detection capabilities. Due to resource constraints, small and medium sized businesses tend to rely on external vendors with inconsistent results. Those same resource constraints translate into undone, incomplete, or sporadic reassessments, which leaves mitigation and remediation findings on the paper they were written on and no further.
While cyber due diligence has yet to become commonplace in M&A transactions, the consequences of failing to identify risks and active campaigns can have costly implications. You can do your part in mitigating risks by incorporating these key steps or by partnering with an organization that can help you understand the breadth, depth, and complexity of the challenges you are about to adopt. Timely response and proactive investigation can help lessen the potential negative impact poor cyber hygiene can have on your new acquisition.