If a thorough cybersecurity audit isn't part of your mergers and acquisitions due diligence process, I think it should be. I'm not talking about the kind of halfhearted scan that checks a box for the board of directors. There's too much at stake to do anything less than a deep examination of all network and endpoint elements, one that can reveal undetected compromises and lurking threats.
Global mergers and acquisitions activity in the first three quarters of 2018 was valued at $3.3 trillion. That's a lot of capital in play, and for every deal made, the due diligence process focuses on finances and compliance to ensure that the acquiring party knows as much about the target organization as possible.
Due diligence is necessary to set a fair price, protect shareholder interests and establish confidence that the purchase makes sense — or not. Due diligence also gives management a basis from which to establish a strategy for successful business and market integration.
Verizon And Yahoo
After Verizon announced its intent to acquire most of Yahoo's core business assets for $4.8 billion in 2016, Yahoo disclosed data breaches from 2013 and 2014 affecting more than 1 billion user accounts. The revelation put the deal in jeopardy, and by the time the acquisition was finalized, Yahoo's board had agreed to a discounted price of $4.48 billion. In January 2019, the company's former officers and directors agreed to pay $29 million to settle claims of breach of fiduciary duty associated with their handling of those breaches.
Marriott And Starwood
In November 2018, Marriott International disclosed a data breach affecting approximately 500 million customers. An investigation of the incident revealed that a guest registration database for its Starwood properties had been compromised in 2014 — two years before Marriott's $13 billion acquisition of the company. The intrusion remained undetected for four years before the company discovered that someone had copied and encrypted customer information and attempted to exfiltrate it.
Both of these cases reveal the risks and costs associated with cybersecurity breaches when a merger or acquisition is in the works. In the former case, Yahoo's discovery and disclosure of an existing data breach cost the company approximately $350 million when the terms were renegotiated. In the latter, there's no telling what the final bill may be once legal, administrative, technical and other costs, including those incurred as a result of the loss of brand trust, are tallied. Both cases also show how patient and devious attackers can be, how insidious the threat is and why a more rigorous cybersecurity process is often necessary as part of due diligence.
Where cybersecurity is involved in due diligence, the work usually falls to whoever is examining the target organization's IT systems and assets, and the emphasis is usually on the present state of security: you're looking for evidence of a breach that has already happened. The problem is that cybersecurity risk from a mergers and acquisitions perspective should not be only about what has happened, but about what vulnerabilities are being introduced into the combined enterprise and what could happen as a result.
To protect their interests, acquiring companies may need to establish protocols that give them confidence that they know not only the state of security for the enterprise they're purchasing but also the potential risks associated with that organization. This gives them the opportunity to follow up on any clues they find to ensure there are no lurking dangers, and it gives both organizations the chance to address those dangers in advance of closing the deal.
I believe such an examination should focus on four areas:
• Points of entry
Hackers intent on compromising an enterprise will usually probe myriad points of entry, including targets like unsecured web servers and devices or user accounts with weak, default or no passwords. They may also use techniques like phishing emails. Test for scenarios that could allow an employee to download malware, whether intentionally or unintentionally.
• Lateral movement
Once inside your network, hackers need to find ways to move around without being detected and find the assets they’re looking for. They may also look for ways to silently monitor traffic for weeks, months or even years to gain information, such as user credentials, that will help them in the future. Test for scenarios that could allow malicious network traffic from untrusted, low-security locations into high-security locations within the network.
• Data exfiltration
After a hacker has located their objective, they need to move that information out of the network and into their possession. Test for scenarios that could allow an employee, or an attacker using an employee's account, to send sensitive information to an outside device or recipient.
• Ransomware
When a hacker's goal isn't the direct theft of data, endpoints — physical devices like servers, laptops or other equipment connected to the network — can be targeted and held hostage by ransomware attacks that threaten to destroy valuable data unless the victim complies with the attacker's demands. Test for scenarios that would allow an employee to download and execute ransomware on a given device.
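As an added illustration (not code from the article or from any of the companies named), the following script shows the kind of first-pass triage an acquirer's team might run over a network-flow export pulled from the target's firewalls or NetFlow collectors. It covers two of the four areas above: lateral movement, flagged here as traffic that jumps from a low-trust zone straight into a high-security zone, and data exfiltration, flagged as bulk egress to the Internet from a single host. The zone names, address ranges, record format, thresholds and the sample flows themselves are all assumptions constructed for the example; credential weaknesses and ransomware execution need different tooling and are not checked here.

```python
# Added example, not from the article: triage a constructed flow export for
# lateral movement across trust zones and bulk egress to the Internet.
# Zones, ranges, log format and thresholds are hypothetical.
import ipaddress
from collections import defaultdict

# Hypothetical trust zones for the target network, ordered by sensitivity (0 = untrusted).
ZONES = {
    "guest_wifi": (ipaddress.ip_network("10.50.0.0/16"), 0),
    "corp_user":  (ipaddress.ip_network("10.10.0.0/16"), 1),
    "servers":    (ipaddress.ip_network("10.20.0.0/16"), 2),
    "pci_db":     (ipaddress.ip_network("10.30.0.0/24"), 3),
}
# Anything outside RFC 1918 space is treated as the Internet (assumption for this example).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 50 * 1024 * 1024   # assumed threshold: > 50 MiB sent out by one host
LEVEL_JUMP = 2                   # a flow that skips a trust tier is suspicious


def zone_of(ip):
    """Return (zone name, trust level) for an address; Internet addresses get level -1."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in RFC1918):
        return ("internet", -1)
    for name, (net, level) in ZONES.items():
        if addr in net:
            return (name, level)
    return ("unknown", 0)   # unmapped private space is treated as untrusted


def parse_flow(line):
    """Parse one constructed record: '<timestamp> <src> <dst> <dst_port> <bytes_out>'."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def triage(lines):
    """Return (lateral_movement_hits, exfil_hosts) for an iterable of flow records."""
    lateral = []
    egress = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        src_zone, src_level = zone_of(f["src"])
        dst_zone, dst_level = zone_of(f["dst"])
        if src_zone == "internet":
            continue   # inbound traffic is a points-of-entry question, out of scope here
        if dst_zone == "internet":
            egress[f["src"]] += f["bytes"]
        elif dst_level - src_level >= LEVEL_JUMP:
            lateral.append((f["src"], src_zone, f["dst"], dst_zone, f["port"], f["ts"]))
    exfil = {host: total for host, total in egress.items() if total > EXFIL_BYTES}
    return lateral, exfil


# Constructed sample records, not real traffic. External hosts use documentation ranges.
SAMPLE_FLOWS = [
    "2018-11-01T10:00:01 10.10.4.21 10.20.1.5 443 1200",        # corp -> servers, one tier, fine
    "2018-11-01T10:00:05 10.50.3.17 10.30.0.9 1433 5400",       # guest wifi -> PCI database: lateral
    "2018-11-01T10:01:10 10.20.1.5 10.30.0.9 1433 8000",        # servers -> PCI database, one tier
    "2018-11-01T10:02:00 10.20.1.5 203.0.113.7 443 40000000",   # 40 MB out
    "2018-11-01T10:05:00 10.20.1.5 203.0.113.7 443 30000000",   # cumulative 70 MB out: exfil
    "2018-11-01T10:06:00 10.10.4.21 198.51.100.2 443 2000",     # small outbound, ignored
]

if __name__ == "__main__":
    hits, exfil_hosts = triage(SAMPLE_FLOWS)
    for src, sz, dst, dz, port, ts in hits:
        print(f"LATERAL {ts}: {src} ({sz}) -> {dst}:{port} ({dz})")
    for host, total in exfil_hosts.items():
        print(f"EXFIL: {host} sent {total / 2**20:.1f} MiB to the Internet")
```

On real data the zone map comes from the target's own network documentation (which the audit should also verify against routing and firewall configuration), and the egress threshold should be set from a baseline of normal outbound volume per host rather than the fixed figure used here. A single guest-to-database flow in a year of logs may be a misconfiguration rather than an intruder, but it is exactly the kind of clue that deserves a follow-up before closing.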
A superficial scan might find that one of these areas has been compromised, but because sophisticated attackers rarely engage in "smash and grab" attacks, it is easy for them to elude detection simply by being patient. A more thorough due diligence process has a better chance of uncovering a successful breach because it identifies and investigates vulnerabilities rather than waiting for obvious symptoms. Just as important, even where an existing vulnerability hasn't yet been exploited, rigorous due diligence gives the organization the opportunity to remediate it, preventing a potential attack.
In this age of mega breaches, it makes sense to establish due diligence best practices that include a thorough examination of the state of security based on the current threat environment. Whether your organization is in the market or on the market, understand that the risks are real, potentially costly and likely need to be acted on to minimize the chance of introducing new threats to your enterprise. Be proactive and forward-looking with your security due diligence, both to uncover evidence of past compromise and to identify weaknesses that may need to be fixed before merging infrastructures.