Know Your Risks: Why Cyber Due Diligence Matters in M&A

essidsolutions

Mergers and Acquisitions (M&A) were never straightforward because every company is different. However, the process was well understood and typically focused on finance, legal, business operations, and human resources. IT was just another department that could easily be merged. There’s no problem there, is there?

That’s probably what Verizon thought when they decided to acquire Yahoo, a deal that closed in 2017. Yahoo revealed it had been at the wrong end of two massive data breaches in the previous year. And Verizon’s response was to reduce its offer price by $350 million to $4.48 billion. 

The U.K. Information Commissioner’s Office (ICO) fined Yahoo! U.K. Services Limited £250,000 following a cyber-attack in November 2014. The incident was publicly disclosed in September 2016. 500 million international users of Yahoo!’s services were placed at risk.

In 2016, TalkTalk was fined £400,000. When it acquired Tiscali U.K. in 2009, it didn’t realize that Tiscali’s infrastructure included badly-secured Web pages, connected to an outdated Tiscali database containing 156,959 customers’ personal data, that remained Internet-accessible. The data was ‘harvested’ by a teenage hacker in 2015.

In the four months before Avast acquired Piriform in 2017, hackers gained access to Piriform’s network. A fortnight after the acquisition, those hackers injected malware into the installation file for Piriform’s CCleaner product.

In 2019, the international hotel group Marriott was fined almost £100m by the Information Commissioner’s Office after hackers stole the records of 339 million guests. The vulnerability began when the IT systems of the Starwood hotels group were compromised in 2014. Marriott acquired Starwood in 2016, but didn’t discover the breach until 2018. The ICO said that Marriott failed to undertake sufficient due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure.

And just recently, we found out that former Uber CSO, Joseph Sullivan, had been charged by the US Department of Justice for his alleged role in funneling $100,000 to hackers to cover up a 2016 data breach. The breach exposed personally-identifiable information of 57 million people. Uber paid $100,000 in Bitcoins to the attackers to delete the data and buy their silence. However, Uber kept quiet about the breach. Sullivan hid information about the leak and misled the Federal Trade Commission to conceal the true nature of the incident. The hack was revealed in 2017.

These examples all highlight the importance of the cyber due diligence process.


Is Your Target Investment Harboring Security Weaknesses?

IBM’s recent Cost of a Data Breach Report 2020 says that the global average total cost of a data breach in 2020 is $3.86 million. The U.S. has the highest country average cost at $8.64 million. It also reports that 52% of data breaches were caused by malicious attacks, and 13% of malicious breaches were caused by nation-state attackers.

The other worrying statistic is that the average time to identify and contain a data breach is 280 days. Going back to costs, the report found that the average share of data breach costs incurred more than a year after the breach is 39%.

The cost of fines for non-compliance alone must make every company considering a merger or acquisition wake up to the fact that cyber due diligence is, at least, as important a part of the process as any other.

Gartner suggests that, by 2022, 60% of organizations engaging in M&A activity will make cybersecurity the top priority in their due diligence process. In 2018, Gartner estimated that figure to be less than 5%.

As we can see from the examples above, it’s not just tech companies with proprietary technology, application source code, or other intellectual property that are under threat from hackers, it’s any company that stores personally-identifiable information about customers.

And it’s not just the corporate IT that needs to be examined as part of the due diligence process. Businesses are now interconnected with their supply chain, which hugely increases the attack surface available to hackers. The increasing use of IoT devices has also increased the risk to organizations.

At the 2019 Black Hat conference in Las Vegas, Microsoft revealed that a Russian hacker group was using common IoT devices to carry out widespread attacks on corporate networks. Devices compromised included a voice-over-IP phone, a Wi-Fi office printer, and a video decoder, and these were used to access enterprise networks. 

Gartner predicts there will be over 25 billion connected IoT devices by the end of 2021.


Tackling Cyber Risk in M&A

So, what exactly should cyber due diligence include? Firstly, the acquiring company will need to know about any significant cyber-related events that have occurred and their impact on the company to be acquired. Leading from that, they will need to be informed of the security controls that were in place at the time, and what changes were introduced following the event. 

They also need to know what security controls are currently in place and how those compare to the ones in place at the acquiring company. Are they adequate or could there be the potential for further security-related events to occur – possibly as yet undetected?

As mentioned above, this security audit needs to extend to vendors and contractors who may be part of the supply chain. Are they likely to be the source of a gap in cybersecurity? The acquiring company must have sight of any agreements with third parties that handle corporate or customer-sensitive data, etc.

Not all breaches are caused by hackers; many are the result of actions carried out by trusted employees. It may be that the breach was caused in error by an employee, who then hoped that by keeping quiet no one would notice. It may be that an employee has been tricked by, for example, an email that appears to come from an executive asking for an invoice to be paid to a different account.

Or it may be that an employee with gambling or drug problems has been coerced into accessing data that they should not be seeing and sending it to a criminal gang. Or it could simply be a disgruntled employee accessing data for their own ends. All of these activities, if they have occurred, need to be identified by the acquiring organization.

It’s not just internal sources of information that can be used; external sources can also provide useful information and reveal potential risks. For example, a search of the ‘Dark Web’ may reveal corporate-confidential information that has been leaked or stolen. It may also turn up lists of personally-identifiable information about staff or customers.

Looking in more technical detail at cyber due diligence techniques that can be used:

  • Pen testing – penetration testing provides insight into how secure the target company’s IT systems actually are.
  • DDoS testing – are there sufficient defenses against denial-of-service attacks? There must be.
  • Risk assessment – using industry-standard frameworks and regulations, such as NIST, PCI-DSS, HIPAA, GLBA, etc., the target company’s compliance with regulatory standards can be checked.
  • Phishing – are staff aware of the risks of downloading attachments or clicking on links in emails from unknown sources? Staff training needs to be in place.
  • Cloud review – is every aspect of the company’s cloud computing secure? If not, a full review must take place and appropriate changes made.


Closing Thoughts 

Cyber due diligence is one of the most overlooked factors during the M&A process. It is part of the role of IT decision makers and the board to ensure that the acquiring company does not lose data because of an existing cybersecurity breach in the target company, nor will it pay huge fines, sometimes years later, because of the target company’s non-compliance with regulations. It’s only through detailed cyber due diligence reviews that the acquiring organization can fully understand the cyber risk potential of the target company. In addition, it will identify how the security strategies of the two organizations differ – something that will have to be dealt with quickly once the two organizations merge.
