In today’s business world, mergers and acquisitions are commonplace as businesses combine, acquire, and enter various partnerships. Mergers and Acquisitions (M&A) are filled with often very complicated and complex processes to merge business processes, management, and a whole slew of other aspects of combining two businesses into a single logical entity. There have been cyber-attacks on companies during M&As, yet there is a growing concern with M&A activities and cyber security.
The use of alternative data sources is becoming more common during due diligence for both the buyer and seller of a business, what do you really know about the Cyber Health of the business? Has the target firm already lost its IP to another company or a foreign government? The basic financial ratios will not be of much help as a dark web investigation to see what is for sale or what has already been sold. Do not underestimate the importance of cyber threat intelligence for both sides of any deal.
There is no question that cybersecurity risks and threats are growing exponentially. A report from Cybersecurity Ventures estimated a ransomware attack on businesses would happen every 11 seconds in 2021. Global ransomware costs in 2021 would exceed $20 billion.[1]
It seems there are constantly new reports of major ransomware attacks, costing victims millions of dollars. Earlier in 2021, the major ransomware attack on Colonial Pipeline resulted in disruptions that caused fuel shortages all over the East Coast of the United States. It helped to show that ransomware attacks on critical service companies can lead to real-world consequences and widespread disruption.
This world of extreme cybersecurity risks serves as the backdrop for business acquisitions and mergers. A Gardner report estimated that 60% of organizations who were involved in M&A activities consider cybersecurity as a critical factor in the overall process. In addition, some 73% of businesses surveyed said that a technology acquisition was the top priority for their M&A activity, and 62% agreed there was a significant cybersecurity risk by acquiring new companies.
What risks are associated with mergers and acquisitions? There are several that include but are not limited to the following:
- Increased regulatory scrutiny
- Inherited cybersecurity risks
- Compromised accounts and passwords
- Lost or damaged customer confidence
- Data breaches in the acquired environment
Compliance regulations, such as cybersecurity, are growing more complex and challenging for businesses. For example, regulators scrutinize business deals, including mergers and acquisitions, to help protect the growing emphasis on data sovereignty and data privacy. From a cybersecurity perspective, businesses that merge or acquire other organizations must make sure data compliance is a top priority to prevent fines for non-compliance.
Companies must realize that even if they have a robust cybersecurity posture for their organization, the security dynamic can completely change with mergers and acquisitions. As a result, they inherit the cybersecurity challenges and issues of the acquired business. The acquiring company may inherit existing vulnerabilities, standards, risks, and cybersecurity liability as they assume control of the new business.
As was the case with the Colonial Pipeline hack in May 2021, compromised account passwords are often the culprit behind major data breaches and ransomware attacks. As a result, businesses must understand securing acquired accounts and directory services immediately and implementing breached password protection is a priority. Scanning the newly acquired environment for password vulnerabilities, reusing passwords breached passwords, and other password threats can help to quickly bolster the cybersecurity stance of the acquired user account assets.
Businesses that have combined due to a merger or acquisition may federate Active Directory accounts between them to access various resources. Password synchronization between on-premises and cloud directory services may also be in play. It further emphasizes the need to strengthen password security as accounts are granted access to additional business-critical resources.
Businesses must take care of any merger or acquisition from a customer perspective. Any misstep, including handling cybersecurity during an acquisition or merger, can lead to customer mistrust and lost business. The acquiring company that has merged or acquired another company inherits the cybersecurity challenges and risks of the newly acquired environment. These risks include any potential data breaches. Knowledge of a data breach event can even stall or block a potential merger or acquisition once known. Data breach events can also go undisclosed to prevent any issues with the merger or acquisition.
Cybersecurity and compliance checklist for M&A
1.) Form an M&A Cyber Security Team
Businesses often have excellent reasons for engaging in M&A activity. However, as discussed thus far, it can lead to additional cybersecurity risks. Forming an M&A cybersecurity team is a great idea to accelerate addressing the cybersecurity tasks involved with the M&A. This team may report to the CIO and should undoubtedly include cybersecurity leaders found on the security teams and key business leaders within the organization. This team will be directly responsible for formalizing the reporting structure for addressing the cybersecurity risks discovered with the M&A activity. The team will also help to align the overall business on both sides for a consistent cybersecurity posture.
2.) Review the Target Business Cyber Security Posture
The M&A cybersecurity team will be instrumental in reviewing the target business cybersecurity posture. The review of the target organization's cybersecurity landscape should include:
- A cybersecurity risk assessment
- Review of security policies and procedures
- Recent audit reports
- Any breach reports that have happened recently or in years past
- Audit of accounts and account access permissions across the organization
3.) Inventory all Physical, Digital, and Data Assets of the Target Organization
To properly understand the cybersecurity risk involved with an M&A of another organization, businesses must understand the complete inventory of all physical, digital, and data assets. Understanding and having a comprehensive inventory of these items allow full disclosure of the cybersecurity risks involved.
4.) Review the Risk Assessment
Any M&A activity means an organization needs to revisit its risk assessment. Even a recent risk assessment has now changed due to the reasons we have already covered (inherited cybersecurity risk, any security or compliance challenges, etc.).
5.) Engage a Third-party Security Company
The M&A cybersecurity team may include a wide range of technical expertise with a wealth of experience in many cybersecurity disciplines. Even with talented team members, organizations may opt to engage a third-party security company with the technical and staffing resources to help with cybersecurity discovery, remediation, combining security resources, and many other tasks.
One of the blind spots with any merger or acquisition can be weak, reused, or even breached passwords lurking as a hidden cybersecurity threat. Keylogger accounts offer easy access for hackers to any organization. Ask for help, as the stakes are too high for allowing unauthorized access to systems and networks.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Our company has helped companies with M&As in the past by providing dark web threat intelligence. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://thehackernews.com/2021/11/the-importance-of-it-security-in-your.html
Comments