Davey Winder explores why the merger and acquisition process can be rife with security risks and challenges
The cybersecurity challenges of the merger and acquisition (M&A) business became all too clear at the end of last year when Marriott, one of the biggest hotel chains on the planet, disclosed a security incident: a breach of the reservations database for Starwood hotel properties that affected as many as 500 million guests. The unauthorized access dated back to 2014, yet Marriott acquired the Starwood group in 2016. The acquisition came complete, it appears, with an existing, undiscovered intrusion included in the deal.
The convergence of cyber and M&A risk must be taken more seriously if such incidents are to be avoided in the future. Understanding the challenges that M&As present to maintaining a solid security posture is key to preventing the reputational fallout of falling victim to someone else’s security incident.
What Are the Risks?
When it comes to security risks and challenges, just what can go wrong during the M&A process between organizations? Daniel Domberger is a partner and co-leader of the Technology, Media and Telecommunications team at independent M&A advisory firm Livingstone. He points out that there are significant security risks throughout any M&A discussion as an extension of the confidentiality and commercial risks that apply in every deal. Yet, while most companies and entrepreneurs instinctively understand the commercial sensitivity of sharing confidential information, they don’t necessarily think the same way when it comes to security.
“For the sellers, even in the earliest phases of information sharing, you’re potentially exposing the entire business,” Domberger warns, continuing: “details of all of your locations and summaries of your IT infrastructure provide a comprehensive map of points of entry and points of weakness.”
On top of this, the organization chart and summary biographies of the senior team provide plenty of material for targeted phishing. Then there are the GDPR implications of sharing data about your user base with multiple bidders: every additional recipient is a potential point of leakage, and the more copies in circulation, the harder it becomes to trace the source should a leak occur.
“There are established practices and norms for dealing with confidentiality such as signing non-disclosure agreements, managing the release of information, redacting or holding back more sensitive documents, and so on,” Domberger advises, “but the same norms haven’t yet evolved for security.”
Even where information security standards govern an industry sector, the asset being acquired may have failed in its regulatory compliance obligations. “Any sustained failure to comply also means that the asset’s security processes are unlikely to have been updated over time to adhere to those standards,” Robert Horton, global head of assurance delivery at NCC Group, tells Infosecurity. “That puts a parent company at risk of acquiring vulnerabilities that can be exploited by threat actors.” The acquirer could then also become liable for any breaches of the asset’s information later down the line, with GDPR rearing its costly head once more. “Risks can be exacerbated when a larger business acquires a smaller entity,” Horton warns, “as these organizations are less likely to have strong governance, and lack the robust security processes adopted by more mature businesses.”
In the Lap of the Buyer
It’s not just during the exploratory and negotiation stages of the M&A process that security risks exist; once the deal is done, they are still present but now fall exclusively into the lap of the buyer. “With the deal announced, you can expect publicity, and that in turn drives hacker interest,” Daniel Domberger warns. This is particularly relevant if you think in terms of not just two companies coming together, but two IT estates as well. “M&A activity is often linked with data breaches, as businesses often find themselves cobbling together makeshift IT solutions out of disparate infrastructures in an attempt to save time and money,” says Daniel Kroening, professor of computer science at the University of Oxford. Technical debt, the long-term cost of those quick fixes, can spiral out of control at this stage. “This means an increased risk of security incidents occurring, when vulnerabilities are exploited, or unexpected technical errors occur,” Kroening adds.
The IT integration security challenge is driven largely by the all-too-common scenario in which the two merging organizations have distinctly different security profiles. “This is especially true in situations where businesses don’t get to inspect the information security management systems that are in place until the M&A has been completed,” explains Mark Hughes, general manager for security at DXC Technology. “That’s because the security team won’t know in advance what they have to deal with.” All of which should leave you in no doubt that cybersecurity integration must become a core consideration of the M&A due diligence process. “Otherwise, there’s no way to know what’s hidden under the covers before the organizations merge,” Hughes adds.
Cyber Due Diligence
As the Marriott breach so amply demonstrates, cyber risk must be treated with the same gravitas as any other source of risk during M&A activity. Otherwise reputational harm and financial penalties, both potentially severe, can land on your head even if the security incident wasn’t instigated ‘on your watch.’ Due diligence cannot be restricted to financial matters; it must extend beyond strategic compatibility, and when analyzing the target organization’s technology assets it’s not enough to focus on intellectual property and software licensing issues.
“A mature program will be able to point to known cyber and privacy risks, what is being done about them and an ongoing detection process,” says Andrew Scott, assurance regional lead for Scotland at Context Information Security, adding: “no organization in the modern world has no cyber-risks.” Scott likens a business that doesn’t grasp the need for such cyber due diligence to someone buying a car at auction knowing it has an engine but not whether it runs.
So, what shape should this cyber due diligence take? David Harris (MSc), tutor of Business at Arden University Manchester Campus, suggests adopting a checklist approach. At the top of this list Harris places an audit of the potential impact of the M&A on both organizational cultures in order to minimize internal risks, followed by a proactive strategy to communicate potential cyber-threats to all staff. “Seek assistance from external IT cybersecurity experts,” Harris insists, since “they will examine the systems, identify potential external threats and develop a strategy to avoid exposure.”
Rob Clyde is chair of the board of directors at ISACA and agrees that it’s vital to perform strong due diligence of the target company’s proprietary software and IT systems, including applications, websites, databases and security policies.
Here’s his full checklist, which acquirers (and, in a merger of equals, both companies) should work through against the other party.
- Identify all proprietary software and perform the following security checks against that software: run static code analysis to check for software vulnerabilities and run dynamic code analysis to look for software vulnerabilities while the code is running. In both cases, ensure that all vulnerabilities that are found are either corrected, mitigated or have a low enough risk that it is acceptable. Tools are available to do this automatically.
- Look for all third-party and open source software that is used and ensure that software is safe and appropriately licensed. The best way to do this is with off-the-shelf tools that identify third-party software.
- Discover how and where source code is stored. How safe is it from being maliciously altered by non-developers, both employees and non-employees?
- Identify and evaluate the target company’s processes for putting applications, either third-party or in-house, into production. How automated are these processes? Do they use modern DevOps techniques with continuous improvement, continuous delivery and continuous deployment pipelines that automate the entire process? Have security checks been integrated into the process, including static and dynamic code analysis for in-house applications? If code doesn’t pass the security checks, does the build break and prevent the application from being deployed? Can developers and IT personnel easily bypass these checks or build breakers? Are strong automated QA tests included in the process that include checks for security vulnerabilities?
- Check to see if the target company regularly runs both external and internal vulnerability testing tools on their systems and websites. Has the target company provided the latest reports from those tools? For any vulnerabilities found, decide which ones must be fixed prior to the M&A deal closing, which ones must be fixed shortly afterwards, which ones can be mitigated, and which ones have a low enough level of risk to be accepted.
- Run a penetration test against the target company. Perform a risk analysis, mitigation and acceptance for the issues found.
- Review the target company’s security and employment policies to look for any potential areas of concern.
- Use a third party to check to see if the target company already has indications that they may have been subjected to a successful attack or data breach. The third party used should be able to scan the dark web for evidence of a data breach. For instance, perhaps there are some of the target company’s databases, usernames or passwords offered for sale on the dark web.
- Conduct a review of the company’s data assets and understand if they are using appropriate methods and tools to ensure compliance with any applicable regulations like GDPR, PCI, HIPAA, FedRAMP, etc.
- Purchase, or require the target company to purchase, an appropriate level of cyber insurance.
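Several of the items above (static and dynamic analysis whose findings are fixed, mitigated or accepted; a pipeline that breaks the build on failed checks but can't be trivially bypassed; triaging scanner output into fix-now, fix-later, mitigate and accept) come down to one mechanism: a gate that reads scanner findings and a risk-acceptance register and decides whether the build may proceed. The script below is an added example of such a gate, written for this article; it is not Rob Clyde's or ISACA's code. It assumes the scanner emits SARIF 2.1.0 (the interchange format most SAST and DAST tools can produce) and that the tool maps its high-severity findings to SARIF's `error` level. The SARIF document, the findings and the risk register are all constructed for illustration. The point worth noticing is that a register entry only suppresses a finding if it names an owner, a rationale and an expiry date that has not passed, so "accepted" risk cannot silently become permanent and an incomplete entry cannot be used to wave a finding through.

```python
"""Build gate for due-diligence scan findings (added example, constructed data)."""
import json
from datetime import date

# Constructed SARIF 2.1.0 document: real structure, made-up findings.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-sast"}},
        "results": [
            {"ruleId": "py/sql-injection", "level": "error",
             "message": {"text": "Query built from untrusted input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "py/hardcoded-credentials", "level": "error",
             "message": {"text": "Credential embedded in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tools/legacy_export.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "py/weak-hash", "level": "error",
             "message": {"text": "MD5 used for password storage"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 88}}}]},
            {"ruleId": "py/unused-import", "level": "warning",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
})
EMPTY_SARIF = json.dumps({"version": "2.1.0", "runs": []})

# Constructed risk-acceptance register. Every entry that is allowed to suppress a
# finding must carry an owner, a rationale and an expiry; the last entry is
# deliberately incomplete and must have no effect.
RISK_REGISTER = [
    {"key": "py/hardcoded-credentials:tools/legacy_export.py:7",
     "status": "mitigated", "owner": "appsec-lead",
     "rationale": "Host is network-isolated, secret rotated, decommission scheduled",
     "expires": "2024-06-30"},
    {"key": "py/weak-hash:app/auth.py:88",
     "status": "accepted", "owner": "appsec-lead",
     "rationale": "Legacy hashes re-hashed on next login",
     "expires": "2023-06-30"},
    {"key": "py/sql-injection:app/orders.py:42", "status": "accepted"},
]

BLOCKING_LEVELS = {"error"}  # assumption: tool maps high/critical to "error"
REQUIRED_FIELDS = ("key", "status", "owner", "rationale", "expires")


def finding_key(result):
    """Stable identity for a finding: rule, file and line (assumed stable across scans)."""
    loc = result.get("locations", [{}])[0].get("physicalLocation", {})
    uri = loc.get("artifactLocation", {}).get("uri", "?")
    line = loc.get("region", {}).get("startLine", 0)
    return f"{result.get('ruleId', '?')}:{uri}:{line}"


def load_findings(sarif_text):
    doc = json.loads(sarif_text)
    return [{"key": finding_key(r), "level": r.get("level", "warning"),
             "message": r.get("message", {}).get("text", "")}
            for run in doc.get("runs", []) for r in run.get("results", [])]


def valid_exceptions(register, today):
    """Only complete, unexpired register entries may suppress a finding."""
    valid = {}
    for entry in register:
        if any(not entry.get(field) for field in REQUIRED_FIELDS):
            continue
        if date.fromisoformat(entry["expires"]) < today:
            continue
        valid[entry["key"]] = entry
    return valid


def evaluate(findings, register, today_iso=None):
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    exceptions = valid_exceptions(register, today)
    verdict = {"blocking": [], "excepted": [], "informational": []}
    for f in findings:
        if f["level"] not in BLOCKING_LEVELS:
            verdict["informational"].append(f["key"])
        elif f["key"] in exceptions:
            verdict["excepted"].append(f["key"])
        else:
            verdict["blocking"].append(f["key"])
    return verdict


def gate(sarif_text, register, today_iso=None):
    """Exit-code style result: 0 = pipeline may proceed, 1 = break the build."""
    verdict = evaluate(load_findings(sarif_text), register, today_iso)
    for key in verdict["blocking"]:
        print(f"BLOCK  {key}")
    for key in verdict["excepted"]:
        print(f"EXCEPT {key}")
    return 1 if verdict["blocking"] else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_SARIF, RISK_REGISTER, "2024-01-15"))
```

Run as shown, the gate breaks the build twice: the SQL injection finding has only a half-filled register entry, and the weak-hash acceptance expired in mid-2023. The hard-coded credential is excepted because its entry is complete and still in date, and the unused import is reported but does not block. In a real pipeline the register would live in version control with its own review rules, so an exception cannot be added by the same person, in the same change, as the code it excuses.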
“Whether staff, consultants or contractors, your security teams need to be an integral part of the acquisition process from the beginning,” Daniel Domberger concludes, “and should stay in place after the merger has taken place to ensure that the company’s data is protected.”