As little as four years ago, only about a third of companies considered cybersecurity when planning a merger. Today, that percentage has flipped.

"When you look at mergers where one big company buys another big company, I'd estimate that the cybersecurity teams do get involved about 60 percent of the time prior to the acquisition being executed," said John Pescatore, director of emerging trends at SANS Institute.

A number of high-profile breaches have alerted corporate executives to the potential risks of data breaches. Last year, for example, attackers hit Pacnet, an Asian telecom provider, two weeks before Telstra bought it for nearly $700 million, but Telstra didn't learn about the breach until the deal was closed. In 2014, TripAdvisor learned shortly after its $200 million acquisition of travel site Viator that attackers had stolen information on 1.4 million customers. It found out about the problem not as a result of its own investigations, but when its payment card service started noting unauthorized charges on customer credit cards.

"It's absolutely a risk that people are talking about," said Stephen Boyer, CTO and co-founder at security vendor BitSight Technologies.

Public disclosures are not a reliable signal of a target's history, either: unless a breach involved personally identifiable information, a company may not have had to report it at all. It "would be nuts" to rely just on public reports, Pescatore said.

"They send audit teams in for finance, and they should send audit teams in for security as well," he said.

One common mistake with a merger is to handle the cybersecurity via a checklist, said JB Rambaud, managing director at risk management consulting firm Stroz Friedberg, LLC.

"People are starting to realize that a checklist process is not working," he said.
"If I ask you, is this encrypted, is this segmented, you may answer that yes it is encrypted, yes it is segmented — but the segmentation has seven different layers. It's very difficult to simplify the process and create the form and get it right." The due diligence team needs to have the expertise to be able to delve into the small details, he added. "This is too material to be skipped over."

Address risks early

If the pre-merger investigation uncovers significant risks, they should be addressed right away, before the two networks are joined.

"If you have identified risks during the due diligence, you need to mitigate that, so when you connect your networks that risk is gone," said David Barton, CISO at security vendor Forcepoint. Forcepoint is the product of a recent merger between Raytheon and Websense. Otherwise, by connecting two corporate networks, the entire combined company is exposed to that risk. In addition, the merger itself may create new opportunities for attackers.

"Every time you've got a mismatch in technology and methodologies in terms of mitigating risk, you have an opportunity for failure," he said. "The problem with cybersecurity is if you miss a little detail, it could turn into something huge. It's incumbent on you to make sure you don't miss those things."

And if the investigation process uncovers an ongoing breach, the merger needs to be paused, said Rambaud.

"You work with the incident response team and work with external counsel to understand the extent of the breach, and mitigate the extent of the risk first, patch the holes," he said. "And if everyone understands how much it will cost to mitigate that risk completely, then you can include it as part of the cost of the M&A."

BitSight's Boyer said he hasn't heard of a case in which a cybersecurity audit resulted in a merger being called off.

"But the cybersecurity posture can definitely impact a deal and how much a company is willing to pay for a deal," he said.
Prepare for increased phishing and other attacks

In the lead-up to a merger, as well as during and immediately afterwards, employees will expect to get questions and communications from people they don't know, including auditors, consultants, and employees at the other company. That expectation is exactly what a phishing campaign timed to the deal exploits.

Privileged users in particular should expect to get targeted, sophisticated attacks, said Pescatore.

This is also an opportunity to check whether both companies have phishing education programs in place, and to address any shortcomings of the weaker program.

Attackers could also go after third-party targets, said Chris Coleman, CEO at LookingGlass Cyber Solutions. Those include legal firms working on the acquisition, other vendors involved in the process, and even cloud-based service providers.

"I've witnessed a lot of situations where adversaries were actually targeting law firms to get M&A information," said Coleman, whose company did three acquisitions last year.

Review existing contracts for cybersecurity issues

A merger or acquisition could also be an opportunity for both companies to renegotiate existing vendor contracts to include better cybersecurity provisions, Coleman added. "It does open the door," he said.

For example, it's not enough to have a single, initial security audit: customers need to be able to review the security of their vendors, and their vendors' vendors, on an ongoing basis, and contracts need to reflect that.

One contract that will almost certainly be affected by a merger or acquisition is the company's cyberinsurance policy, which will now need to cover a larger operation, and possibly a larger and more diverse set of risks. Odds are that the cyberinsurance policies at the two merging companies are not the same.
In fact, some companies don't have any cyberinsurance in place at all, said SANS Institute's Pescatore.

Plus, some cyberinsurance policies, like other types of insurance, exclude preexisting conditions: a breach that began before the deal closed may not be covered, which makes pre-merger due diligence even more critical.

"So, in an acquisition, you have to get your legal people to review the terms of the policies," said Pescatore.

Questions to ask

What is at risk and how is it protected?

The company being acquired probably has at least some sensitive data, such as employee records and customer data, said Rambaud.

"If you are purchasing a healthcare organization, you might have health records, or some secret sauce intellectual property," he said.

Then look at the controls around that information, and at whether the organization is protecting it correctly.

"But also look at the governance, culture and operations, not just the technology," he said. "People look at the technology stack — you've got the antivirus, the firewall, intrusion detection — but the fact that you have the stuff doesn't mean that you use the stuff well, and understand the environment in which those things are evolving."

Have people in sensitive positions had background checks?

"If I'm buying a company and that company did not do background investigations on people with administrative privileges, that should be considered a risk," said Pescatore.

During a merger, and especially during a hostile takeover, employees may be under a lot more stress than normal.

"If people at the acquired company are fired or laid off, then they may leave code bombs that may go off later," said Pescatore.

If there's tension, a more rigorous cybersecurity inspection may be necessary.

Is there sensitive information floating around the Internet or the Dark Web that could indicate that the company has been compromised, or continues to be compromised?

"That could be problematic, and could change the valuation," said Coleman.
"And it could impact not just the valuation of the business, but could compromise the underlying reason why you're buying that business."

Similarly, the digital footprint of the management team should be investigated to check whether they have been exposed.
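The phishing section above notes that, during a deal, employees expect mail from "the other company," which is exactly what attackers imitate with registered lookalike domains. As an added example (not code from the article or from any of the vendors quoted in it), the following Python script flags inbound senders whose domain resembles, but is not, one of the two merging companies' domains. The two company domains, the homoglyph table and the sender list are all constructed for illustration; a real deployment would load the real domains and feed it the mail gateway's sender log.

```python
"""Flag merger-time phishing senders that use lookalike domains.

Added example for illustration; the domains and senders below are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Domains the two merging companies actually send mail from (constructed;
# replace with the real acquirer and target domains).
TRUSTED_DOMAINS = {"acquirer-example.com", "target-example.com"}

# Visual substitutions commonly used when registering lookalike domains.
HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(domain):
    """Fold a domain into a canonical form so visual lookalikes collide."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().strip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for glyph, plain in HOMOGLYPH_PAIRS:
        d = d.replace(glyph, plain)
    return d.replace("-", "")  # hyphen insertion/removal is a common trick


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for one From: address."""
    _, addr = parseaddr(address)  # handles 'Display Name <user@host>'
    if "@" not in addr:
        return "external"  # unparseable; route to manual review
    domain = addr.rsplit("@", 1)[1].lower().strip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"  # the domain itself or a genuine subdomain
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        # Folded form identical, or the trusted name embedded in an attacker
        # domain such as acquirer-example.com.evil-host.net
        if tn in norm:
            return "lookalike"
        # One or two edits away, e.g. a transposed pair of letters
        if edit_distance(norm, tn) <= 2:
            return "lookalike"
    return "external"


# Constructed inbound senders seen during the deal (not real mail).
SAMPLE_SENDERS = [
    "alice@acquirer-example.com",
    "Bob Jones <bob@mail.target-example.com>",
    "audit@acquirer-exarnple.com",                # rn -> m
    "hr@target-examp1e.com",                      # 1 -> l
    "ops@acquirer-ex\u00e4mple.com",              # accented a
    "legal@acquirer-example.com.evil-host.net",   # trusted name as subdomain
    "it@target-exmaple.com",                      # transposed letters
    "counsel@lawfirm-example.com",                # genuine outside party
]


def triage(senders=SAMPLE_SENDERS):
    """Map each sender to its verdict; 'lookalike' goes to the SOC queue."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage().items():
        print(f"{verdict:9s} {sender}")
```

Run it as-is to see the constructed mailbox triaged; on real data, feed it the gateway's From: addresses and alert on every "lookalike" verdict. The edit-distance threshold of 2 is deliberately tight so that unrelated third parties (law firms, auditors) stay "external" rather than drowning the SOC in false positives.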