Mergers and Acquisitions (M&A) Cybersecurity

Several high-profile attacks early in the year made cybersecurity one of the first orders of business for the incoming Biden administration. With an executive order, President Biden ordered several federal government agencies to put together plans to strengthen the nation’s cybersecurity. But national security isn’t the only thing at risk from cyberattack. Dealing with the chances of cyberattacks has become a big part of managing every medium to large-sized business. As a business owner, you already know how well your operations stack up on M&A cybersecurity.

You are aware of any incidents that have happened, what steps are in place to stop incidents from happening, and what steps are to be taken when they do. As you look to expand your business through mergers and acquisition, though, there’s an entire organization you’ll soon be joined with that has a black box for a cybersecurity record. Peering into the black box to know what you’re getting yourself into is becoming increasingly important.

Why Cybersecurity Is One of the Most Important Pieces of M&A Due Diligence

Technology has always transformed the way we do business. In today’s world, that transformation comes through the use of massive amounts of digital data, gathered from networked sources such as computers, IoT devices, mobile devices, and more. Every one of these devices is an opportunity for attackers to exploit: the same flexibility that benefits businesses also exposes them to great vulnerability. A security breach can cripple a business’s finances and irreversibly damage its reputation among customers.

As a routine part of M&A due diligence, it then becomes vital to understand how the target business uses data, which vulnerabilities may exist, and what the potential consequences of a security breach are. Such vulnerabilities are the same as any other liability that the target company may have. Improper evaluation of the trade-offs could mean the difference between a successful M&A transaction and disaster.

Biggest Cybersecurity M&A Fails

The potential for an M&A transaction to become a cautionary tale isn’t just hypothetical. In fact, there are some high-profile cautionary tales that came from cybersecurity woes during the merger and acquisition phase. Let’s look at some of the big ones.

Experian and Court Ventures

Credit rating giant Experian purchased Court Ventures in 2012. The target company’s primary business is collecting court records. While the documents of this primary venture contain limited personally identifiable information, the company had an arrangement with US Info Search. Court Ventures customers could access the US Info Search database to look up addresses. After Experian’s purchase, it found out that a Vietnamese national had posed as an American businessman to purchase data from the US Info Search database through Court Ventures for illegal purposes. The ordeal was a PR nightmare for Experian, as the news left people with the impression that Experian’s own databases had been compromised.

Verizon and Yahoo!

Though not the search giant it once was, Yahoo! is still a big name in the technology sector. Predictably, Verizon was excited when it had the opportunity to purchase Yahoo! and quickly made an announcement to let the public know of its acquisition. Unfortunately for Verizon, two major cybersecurity attacks on Yahoo! were made public after the announcement. One of the data breaches even gave the attacker access to security question answers. This could have put accounts across a wide range of websites at risk. The attack breached over 1 billion accounts. Yahoo! lost $350 million worth of value and Verizon was on the hook for part of the liability.

Marriott and Starwood

When Marriott purchased Starwood Hotels & Resorts in 2016, it made itself the largest hotel chain in the world. This was not only a big deal for the company but a highly publicized deal. What Marriott didn’t know at the time was that Starwood’s reservation system had a security vulnerability that dated back to 2014. In 2018, disaster struck and the reservation system was compromised. In addition to the personal data of 500,000 customers leaking, Marriott faced a $123 million fine.

Hackers Even Targeting M&A First for Insider Trading

Insider trading is a serious crime that can come with substantial jail time. Of course, to get the inside information about business deals that one can take advantage of in the stock market, it’s necessary to be an insider. However, at least one group of cybercriminals found a way around that particular problem. By targeting the systems of companies in the process of an M&A transaction, the hackers are able to get personal information on CEOs and other executives. With that information, they can gain access to confidential communications that allow them to make the same trades that an insider would, without actually being on the inside. This news makes it even more important to ensure that the cybersecurity practices of both companies involved in an M&A deal are up to snuff.

Cybersecurity Concerns During M&A Due Diligence

As you begin to conduct cybersecurity due diligence during an M&A transaction, it’s important to talk to IT leadership. Business decision-makers have some idea of what their company’s security picture looks like. However, they won’t understand the issues as well as those in the IT department. Getting an expert to answer your questions is crucial to getting meaningful answers. It’s equally important to ask the right questions. At a minimum, you should get answers to the following:

Have There Been Any Incidents?

Understanding which incidents the company faced and how they responded gives you a clue about their overall security picture. If many incidents have occurred, there may be something lacking in their current cybersecurity efforts. This is especially true if there are many incidents of the same type.

What Security Measures Are in Place?

Any company of a reasonable size should have a plan in place to prepare for, detect, and respond to security threats. Knowing what measures are in place at the target company and how they compare to your own practices will give you a better idea of where you are starting from and where you need to go.

Has There Been Any Pentesting Done?

Penetration testing puts security systems under real-world attack by a trusted security professional. This “attacker” will attempt to gain access to the system using the same strategies an actual attacker would. If pentesting has been done, you should also ask what the results were, and what the organization took from the exercise to further improve security.

Are There Compliance Requirements for the Organization?

There are a number of compliance frameworks and regulations that affect various business sectors and types of data. These include NIST, CMMC, PCI DSS, ISO 27001, SOX, SOC 2, and others. Before you finalize an M&A deal, you should know what compliance obligations you’ll be taking on and whether or not the target company is currently in compliance.

Cybersecurity Before and During a Post-Merger Migration

As you begin the process of merging the target company’s systems into your own, you’re presented with the perfect opportunity to take some basic cybersecurity precautions. It’s always possible that the credentials of staff at the target company have been breached without their knowledge. Alternatively, dormant threats may exist in their systems, waiting to strike. For that reason, set up multi-factor authentication for every employee. Because MFA greatly reduces the chances that an account will be compromised, setting it up is the easiest first step towards mitigating a cybersecurity disaster.

Eventually, you want to set up conditional access rules within your network. The difficulty is knowing exactly what impact the rules will have when you merge with an existing operation that has its own moving parts. Thankfully, Microsoft has a feature in Azure that makes this easier. When setting up conditional access, you can opt into report-only mode. This mode logs what the result of each access rule would have been without actually enforcing it. Doing so gives you a better picture of how your rules affect the migration and allows you to refine them before enforcement. It also lets you see whether any strange access attempts occur.
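The report-only workflow described above, as an added example that is not part of the original post: using the Microsoft Graph PowerShell SDK, it creates a conditional access policy requiring MFA in report-only state, then summarizes how that policy would have applied to the last week of sign-ins. The policy name and the break-glass account object id are placeholders you would replace with your own.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph module.
# Scopes: write conditional access policies and read the sign-in logs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Placeholder: object id of an emergency-access account that must never be locked out.
$breakGlassAccountId = "<break-glass-account-object-id>"

# Policy definition. The state value below is what the portal calls "Report-only":
# Azure AD evaluates the policy on every sign-in and records the outcome, but does not enforce it.
$policy = @{
    displayName   = "M&A migration - require MFA (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Review what the policy would have done. Each sign-in record carries the list of
# policies evaluated against it; report-only outcomes are reported as
# reportOnlySuccess / reportOnlyFailure / reportOnlyNotApplied / reportOnlyInterrupted.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$signIns |
    ForEach-Object { $_.AppliedConditionalAccessPolicies } |
    Where-Object { $_.DisplayName -eq $policy.displayName } |
    Group-Object Result |
    Select-Object Name, Count |
    Format-Table -AutoSize
```

A large reportOnlyFailure count before enforcement tells you which migrated users or legacy clients would be blocked, so the policy can be refined before switching its state to "enabled".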

Learn More About M&A Cybersecurity

Some organizations have very loose rules about who they give admin access to. On top of that, roles and responsibilities often change during the migration process after a merger or acquisition. For that reason, review all of the admin roles in place to ensure that only the people who need that access have it.

Sometimes, a staff member may need temporary access to privileged data or secure parts of your system. Granting them full-time access for a temporary need is a security risk. Microsoft’s Privileged Identity Management (PIM) allows you to grant access to the staff member on a temporary basis, and to monitor their activities as they access the data and go about their job.

Agile IT has over a decade of experience in Merger, Acquisition, and Divestiture processes in Microsoft 365. Additionally, we have vast experience in regulated industries including Finance, Healthcare, and Defense, as well as international retail and service brands. To find out more about how we can help before, during, and after the M&A process, contact us to schedule a consultation.
