A glance at any media outlet shows that cyber attacks are more advanced and prevalent than seen in the past. Additionally, it is clear that virtually no company is immune to a cyber incident. Almost all companies and associations collect and store sensitive data, whether it is customer or employee data, intellectual property, or other confidential information.
Among the numerous topics covered during recent interviews were the rising costs associated with a cyber incident, which are often quite severe. For example, the costs associated with a data breach may include forensic and investigative activities, business continuity, downtime of business-critical applications, and lawsuits.
Did we mention that with the introduction of GDPR, a breach can be absolutely devastating?
Yet none of these will be nearly as damaging as the impact on the organization's reputation. There is no legal action that will absolve a business in the "Court of Public Opinion".
If for a moment you doubt this, consider the single word "Target". Regardless of the future positive effects of the corporation's actions, their name will forever be synonymous with one of the most visible breaches of all time.
What does this have to do with M&A?
Regardless of the true source of an incident, be it within the acquired organization or one of its many outside vendors, the responsible party is usually deemed to be the acquiring organization. It will shoulder the penalties and the negative public opinion.
As the threat of cyber attacks increases, acquiring companies would be prudent to familiarize themselves with an acquisition's cyber risks and remediation strategies. These efforts should include a thorough understanding of the warranties in the acquisition agreement and of what insurance policies exist for cyber attacks. This is done for the sole purpose of minimizing the risk associated with the acquisition process.
Understanding and addressing cyber risks in connection with an acquisition is important for both parties. Understand that this is a non-negligible task. Getting a true grasp of this arrangement will be an undertaking, to say the very least.
Breaches can persist for months or years after the acquisition is finalized. While the acquiring organization is getting a handle on an acquisition whose primary language is different, and whose regulatory compliance obligations may differ even more, it is extraordinarily likely that a critical configuration in a firewall or other technical control will be missed.
Unfortunately, attackers are well aware of this dilemma. They are continually scanning for flaws and for assets, such as "Shadow IT", that the acquiring organization does not know it owns.
Additionally, it is quite often the case that an acquiring company will take ownership of a smaller organization that does not possess the same maturity with regard to cybersecurity. If a breach is discovered the day after the acquisition, it is the newly minted owner's problem.
So, it is our recommendation that the acquiring party define the absolute minimum security requirements the acquired party must meet before it joins the network and other associated assets.
Continuing that line of thought, buyers must conduct due diligence to analyze the potential cyber risks associated with an acquisition target. Such due diligence may include:
- Full identification and inventory of sensitive data and data assets,
- The location of that sensitive data and those data assets,
- Network diagrams of cybersecurity infrastructure,
- Confirmation of the presence of cybersecurity policies and procedures, including tabletop testing,
- Adequate and continual penetration testing, vulnerability assessments, and corrective follow-up.
In the context of M&A, the basis for adequately accounting for cyber risk for all parties is a thorough investigation into the potentially acquired company's cyber history, infrastructure, and policies. Parties armed with this knowledge may then consider appropriate remediation steps, begin negotiations to arrive at a realistic acquisition cost, and quantify the costs of remediation and the timetables set out in the Plan of Action and Milestones (POA&M).
Finally, no matter what actions take place... people will always be the greatest threat to a new merger or acquisition. Whether through confusion or the deliberate act of a disgruntled employee who feels jaded during the acquisition, a human will be the biggest threat. Make certain that appropriate training is applied to the HumanOS.
Critical Path Security has an extensive history of working with organizations looking to merge with their first business or acquire their 10th. Reach out! We'd love to be part of the next chapter of your organization!