Due in no small part to the steady stream of high impact, high-profile breaches, cybersecurity has evolved from a niche worry to a serious business-level concern. A breach can lead to lost intellectual property, weakened credibility in the eyes of the public and a host of other undesirable consequences.
One area of risk that is often overlooked is the impact that poor cybersecurity can have on mergers and acquisitions (M&A). In the context of an M&A transaction, it is critical to understand the nature and significance of the risk profile in the organization’s network. This evaluation could have a huge impact on the value the acquirer places on the target company and will influence the success of the deal.
For example, the disclosure of two massive data breaches that recently affected a large web services provider had an immense effect on the deal price. Following the breach, the acquiring company paid hundreds of millions of US dollars less than originally planned.
To avoid such a situation, what are the main cybersecurity risks that come with M&As, and how can these be mitigated?
The Insider Threat
Employees really are the first line of defense of any organization from a cybersecurity perspective. One of the highest periods of risk for insider threats occurs during M&A activities because the workforce is concerned about their jobs and well-being. Having a thorough identity and access management strategy that includes the deployment of tools and processes can provide a foundation for mitigating insider threat. It enables organizations to integrate systems with user behavior analytics and/or security information and event management. This allows for more granular control and auditability before, during and after the transaction.
Additionally, it’s imperative to train employees and make them aware of common risks, best practices and their place in the larger cybersecurity picture. By educating employees, we are less likely to see potential breaches. In the process of onboarding new employees through M&A, the acquiring business should audit and run them through full awareness training and have them sign up to revised security processes, ensuring that the entire workforce is upholding the same level of security practices. However, organizations can’t be complacent after the onboarding is complete.
Every new employee should go through cybersecurity awareness training – at Optiv, we recommend training be done at least annually.
Technology Sprawl
As is often the case with M&A, not only does the workforce merge, but so do the IT and security teams and the technology used across the business. Many enterprises are constrained by years of legacy cybersecurity solutions; an inconsistent technology sprawl, fueled by acquisitions and best-of-breed products purchased by organizational silos, can hamper the adoption of new tools.
Consequently, companies may have to purchase and maintain multiple security products from many different vendors. This presents challenges because various products don’t always operate seamlessly with one another and organizations have to manage an ever-increasing network of third-party vendors.
Optiv recently worked with a large financial institution that had suffered a massive data breach following a merger. Our role was to take stock of the tools they were using and identify what wasn’t benefiting them. Optiv found that about 10% of the tools they were using overlapped, which meant IT resources were not being spent on updating and configuring all the systems, which compromised the network’s endpoints. This left cracks in the security foundation and allowed cyber-criminals to penetrate their operation.
We then optimized each tool to perform the way it was supposed to be performing. The client then hired our consultants to continue to operationalize their environment and keep systems up and running.
Addressing Compliance Concerns
Finally, businesses need to be aware of how compliance will have an impact on due diligence procedures. It’s important for all organizations involved in the M&A process to have a GDPR plan in place, looking at their security and privacy programs holistically and implementing and maintaining a plan that is built with people, process and technology in mind. If one party is not compliant, this could have major ramifications. All parties need to understand GDPR and other compliance regulations as they relate to the business and then activate a plan to meet those obligations. This can be achieved by analyzing what data is critical to the business, developing a proper classification scheme for ongoing data management and then protecting this data accordingly.
Managing information security is challenging enough. Managing through a merger or acquisition can be exceedingly difficult. Combining people, systems and processes often opens up new risks, as well as pathways to attack just when adversaries know that you are most vulnerable. Businesses need to manage information security challenges across multiple environments, linking data management, information resources and security considerations in these times of change. To meet due diligence and GDPR regulations, it’s imperative to take a strategic approach, not only at the initial integration but looking into the future as well.