Last weekend, over dinner at the home of a friend who is a Mergers & Acquisitions ("M&A") partner with a consulting firm, I was asked how I would assess the cyber security risk of a target acquisition. The question is very relevant in the day and age we live in, where cyber attacks are a daily occurrence. Corporations with deep pockets and robust IT security programs have not been immune to attacks either, if not directly then through a third party. I am no M&A expert and cannot comment on the different types of organizational risk that a purchasing company assesses about its target to make an informed decision, but if they are not assessing the cyber security risks of the target company then I can say with utmost certainty that they are speculating, not making an informed decision!
So what should a purchaser look for? To start with, I suggest a basic sanitation check: get the target company's information security policies and plans to learn more about their information security programs, policies, and procedures. Evidence that they have actually followed these policies and procedures will give the acquirer some comfort that the target did not keep these documents merely to check boxes for some compliance need, but actually believes in cyber security and practices it diligently.
A quick review of just these documents and the supporting evidence will give a CISO/CIO initial insight into what they are getting into. A target having a sound configuration and vulnerability management policy in place is also a good sign. Another is an up-to-date cyber security training program that covers common security practices, current threats, and the tools, techniques and procedures (TTPs) used in attacks; this shows the maturity of the target's information security organization.
I would not stop there but go further: I would also look at their data retention, protection, and privacy policies to see whether the enabling systems are adequately designed and implemented. This gives better confidence that the intellectual property you are acquiring from the target is protected (but don't be too sure) and can also reduce the risk of PII data loss after the purchase.
Their access control policies and the robustness of their access control logs will indicate how vulnerable they might be to insider threats. If they have multifactor authentication in place and follow it as a practice, they are better off than many of their competitors. Scrutinize the implementation of physical controls around key servers and adherence to proper ingress/egress policies that minimize data theft. M&A deals are susceptible to insider trading risks, so access control strategies like "need to know" and "segregation of duties" are good practices that the target should already have in place.
The Safest Bets for now…
To me, the best target is an organization that has a very clear understanding of all its physical, hardware and software assets, which helps it differentiate between critical and noncritical assets. It should have classified its assets on the basis of the three key security factors, Confidentiality, Integrity and Availability (CIA), and put security controls in place based on that classification. It should understand the impact of different types of breaches or attacks and have clear measures of the CIA impact of those breaches. In addition, the best targets are firms that do not just focus on information security compliance but actively monitor their cyber security assets and improve their cyber security programs by interacting with external threat intelligence sources to continuously apply safeguards on their networks. They continuously improve their training programs to educate employees about the latest threats and how these can impact their systems. Their employees understand the importance of "data hygiene", and such practices are ingrained in their daily operations.
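As an added illustration of the CIA-based classification described above (example code written for this post, not from the original): a small asset inventory with constructed Confidentiality/Integrity/Availability impact ratings, a high-water-mark categorization that separates critical from noncritical assets, and a measure of which assets a given breach type would hit hardest. Asset names and ratings are invented for the example.

```python
from dataclasses import dataclass

# Ordinal impact levels, in the style of FIPS 199 security categorization.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
CIA = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str             # physical, hardware or software
    confidentiality: str  # impact if the asset is disclosed
    integrity: str        # impact if the asset is tampered with
    availability: str     # impact if the asset is unavailable

    def rating(self, attr: str) -> int:
        return LEVELS[getattr(self, attr)]

def level_name(value: int) -> str:
    return next(name for name, v in LEVELS.items() if v == value)

def categorize(asset: Asset) -> str:
    """High-water mark: an asset's overall category is its highest CIA rating."""
    return level_name(max(asset.rating(a) for a in CIA))

def critical_assets(inventory, threshold="high"):
    """Names of assets whose category meets the threshold; these get the strongest controls."""
    return [a.name for a in inventory if LEVELS[categorize(a)] >= LEVELS[threshold]]

def breach_impact(inventory, affected):
    """For a breach that hits the given CIA attributes (ransomware: integrity and availability),
    return the worst impact level per attribute and the assets that drive it."""
    result = {}
    for attr in affected:
        worst = max(a.rating(attr) for a in inventory)
        drivers = sorted(a.name for a in inventory if a.rating(attr) == worst)
        result[attr] = (level_name(worst), drivers)
    return result

# Constructed sample inventory for a hypothetical target; not real data.
INVENTORY = [
    Asset("customer-db", "software", "high", "high", "moderate"),
    Asset("source-repo", "software", "high", "high", "low"),
    Asset("marketing-site", "software", "low", "moderate", "moderate"),
    Asset("hr-laptops", "hardware", "moderate", "low", "low"),
    Asset("server-room", "physical", "moderate", "moderate", "high"),
]

if __name__ == "__main__":
    print("critical:", critical_assets(INVENTORY))
    print("ransomware impact:", breach_impact(INVENTORY, ("integrity", "availability")))
```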
And as Steve Jobs would say, "One Last Thing"
Don't underestimate the risks from a third party! The purchasing company should also check the third party relationships and contracts the target company has, especially for the IT operations it has subcontracted or outsourced, whether onshore, offshore, or to the cloud. The access granted to third party personnel or companies, the data shared with them, and the third party's security policies for the systems they operate on behalf of the target and the data they hold should also be assessed. Small businesses are typically slow in adopting the latest IT technologies, so they may not be sophisticated enough in protecting their cyber assets, leaving them very vulnerable to breaches.
I also have "One Final Thing"
As part of the contract, the purchasing company should have the option to bring in experts to run forensics on the target's systems, in order to get an independent assessment of the target's information resources, analyze their logs, and identify instances of any breaches. This practice will give the purchaser maximum confidence about the cyber security risks it is taking on, weighed against the potential benefits of the M&A decision.
Are you still protected…?
Well, this is where I am not sure. Try as the purchaser may to protect itself from the cyber security risks of the target, taking every step including running forensics on the target's systems, it still cannot be 100% safe, because deep inside the target's network, or even the purchaser's own network, an advanced persistent threat ("APT") may be lurking, planted by a motivated and persistent adversary waiting for just such an opportunity to attack for political gain, financial gain, revenge, or hacktivism. Timing is very important in cyber attacks, as in other aspects of life, and M&A activity may just provide that opportunity to an adversary.
So, in summary, the purchaser needs to be careful about the cyber related risks of the target and follow measures as stringent as it can to understand those risks and to accept, reject or transfer them before making the deal. However, in the end, it is all a business decision!