Assessing the cyber security related risks of a target company is an important step in any merger or acquisition. This article explores the steps acquiring companies should undertake to understand the cyber security posture of a target. Acquiring companies need to understand cyber related risks of a target and to accept, reject, or transfer them before they make, or decline, the deal.
Last weekend, over dinner at a friend’s place, my friend, who is a Mergers & Acquisitions (“M&A”) Partner with a consulting firm, asked me: how would I assess the cyber security related risk of a target acquisition? The question is very relevant in this day and age, when cyberattacks are a daily occurrence. Corporations with deep pockets and robust IT Security programs have not been immune to attacks either; if not directly, then through a third party. I am no M&A expert and cannot comment on the different types of organizational risk that a purchasing company assesses about its target to make an informed decision. But if they are not assessing the cyber security related risks of the target company, then I can say with utmost certainty that they are speculating, not making an informed decision!
So what should a purchaser look for? To start with, I suggest a basic sanitation check: obtain the target company’s information security policies and plans, and from them learn the details of its information security programs, policies, and procedures. Evidence that the target has actually followed these policies and procedures will give the acquirer some comfort that the documents were not created merely to check boxes for some compliance need, but that the target genuinely believes in cyber security and practices it diligently.
A quick review of just these documents and their supporting evidence will give a CISO/CIO initial insight into what they are getting into. A target with a sound configuration and vulnerability management policy in place is also a good sign. Another is an up-to-date cyber security training program covering common security practices, current threats, and the tools, techniques and procedures (TTPs) used in attacks; this shows the maturity of the target’s information security organization.
I would not stop there but go further. I would also look at their data retention, protection, and privacy policies to see whether the enabling systems are adequately designed and implemented. This gives better confidence that the target’s intellectual property you are acquiring is protected (but don’t be too sure) and can also reduce the risk of any PII data loss after the purchase.
Their access control policies and the robustness of their access control logs will indicate how vulnerable they might be to insider threats. If they have put multifactor authentication in place and follow it as a practice, then they are better off than many of their competitors. Scrutinize the implementation of physical controls around key servers and adherence to proper ingress-egress policies to minimize data theft. M&As are susceptible to insider trading risks, so access control strategies such as “need to know” and “segregation of duties” are good practices that the target should already have put in place.
The Safest Bets for now…
To me, the best target is the organization that has a very clear understanding of all its physical, hardware and software assets, which helps it distinguish critical from noncritical assets. It should have classified its assets on the basis of the three key security factors of Confidentiality, Integrity and Availability (CIA) and put security controls in place accordingly. It should understand the impact of different types of breaches or attacks and have clear measures of the CIA impact of those breaches. In addition, the best targets are firms that do not just focus on information security compliance but actively monitor their cyber security assets and improve their cyber security programs by interacting with external threat intelligence sources to continuously apply safeguards on their networks. They continuously improve their training programs to educate their employees about the latest threats and how these can impact their systems. Their employees understand the importance of “data hygiene”, and such practices are ingrained in their daily operations.
And as Steve Jobs would say, “One Last Thing”
Don’t underestimate the risks from a third party! The purchasing company should also check out the third party relationships and contracts that the target company has, especially for the IT operations it has subcontracted or outsourced to onshore, offshore, or cloud providers. The access granted to third party personnel or companies, the data shared with them, and the third party’s security policies for the systems it operates on behalf of the target and the data it holds should also be assessed. Small businesses are typically slow to adopt the latest IT technologies, so they may not be sophisticated enough in protecting their cyber assets, leaving them very vulnerable to breaches.
I also have “One Final Thing”
As part of the contract, the purchasing company should have the option to bring in experts to run forensics on the target’s systems, in order to obtain an independent assessment of the target’s information resources, analyze its logs, and identify any instances of breaches. This practice will give the purchaser the greatest possible confidence about the cyber security risks it is taking on, weighed against the potential benefits of the M&A decision.
Are you still protected…?
Well, this is where I am not sure. Even after doing its best to protect itself from the cyber security risks of the target and taking every step, including running forensics on the target’s systems, the purchaser still cannot be 100% safe, because deep inside the target’s network, or even the purchaser’s own network, an advanced persistent threat (“APT”) may be lurking, launched by a motivated and persistent adversary waiting for just such an opportunity to attack for political gain, financial gain, revenge, or hacktivism. Timing is as important in cyber security attacks as in other aspects of life, and M&A activity may be exactly the opportunity an adversary is waiting for.
So, in summary, the purchaser needs to be careful about the cyber related risks of the target, follow measures as stringent as it can to understand those risks, and accept, reject, or transfer them before making the deal. However, in the end, it is all a business decision!
Jitendra Chandna is a Cybersecurity expert providing valuable insights about how to safeguard against cyber security related issues. He firmly believes that, using common sense and responsible behavior, companies will be able to thwart 80% of attacks; for the other 20% he is helping develop analytics-driven solutions. He also loves working with startups, helping them refine their offerings and develop their market strategies.