Mergers and acquisitions (M&As) offer firms significant opportunities to achieve fast-paced growth or gain competitive advantage, writes Anurag Kahol, CTO, Bitglass. The benefits on offer are wide-ranging, from pooling resources and diversifying product and service portfolios to entering new markets and acquiring new technology or expertise.

Despite the recent global coronavirus pandemic, the enthusiasm of dealmakers appears undiminished.


According to a recent survey, 86 percent of senior M&A decision-makers in a wide variety of sectors expect M&A activity to increase in their region in 2020 – with 50 percent expecting to do more deals if a downturn emerges.

Traditionally, M&A diligence has primarily been focused on finance, legal, business operations, and human resources.

However, recognition is growing swiftly that cybersecurity due diligence is another fundamental element of the overall process.

The Cost of Failing to Spot and Address Cyber Risk

The Marriott acquisition of Starwood Hotels & Resorts Worldwide underlines the potential impact of a cybersecurity due diligence failure. The 2016 deal, which created one of the world’s largest hotel chains, gave Marriott and Starwood customers access to over 5,500 hotels in 100 countries. However, a failure of due diligence during the M&A process meant that Marriott was unaware that Starwood’s systems had been compromised back in 2014. When Marriott finally uncovered the undetected breach of Starwood’s guest reservations database in November 2018, it found that the personal data of 500 million guests worldwide had been exposed.

The UK Information Commissioner’s Office (ICO) fined Marriott International £99 million under GDPR, noting in its report that Marriott had failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.

Conducting Cyber Security Due Diligence – Step 1

Cyber diligence should not be reserved for just the largest acquisitions. Today, organisations of every size and scale are increasingly reliant on cloud-based tools, IoT, and digital connectivity services to conduct business, take payments, and enable their operations.

This increase in connectivity opens up more opportunities for cybercriminals to launch malicious attacks, steal data, or attempt to disrupt business. So, undertaking a detailed cybersecurity audit and evaluation is essential for revealing any critical weaknesses that could prove a deal-breaker. It will also form the basis for bringing the systems of the two organisations together and driving an enhanced security posture going forward.

Undertaking an initial data inventory is the fundamental first step for understanding what data is collected, how and where it is stored, and how long it is kept before being disposed of. This will provide insights on any potential regulations and local/internal laws and obligations that will apply.

Conducting a review of all internal and external cybersecurity assessments and audits will also help to shed light on the potential weaknesses of a target’s cybersecurity systems and could prove critical for uncovering any evidence of undisclosed data breaches.

Conducting Cyber Security Due Diligence – Step 2

Having established what data needs protecting, and where it is stored, the next challenge is to understand who has access to the data, what is done with it, and what devices are being used for access. Effective cybersecurity depends on being able to protect any sensitive data within any application, on any device, anywhere.

Without appropriate visibility of all endpoints, devices, and applications – along with rigorous access policies that ensure only authorised users can gain access to sensitive data – it will be difficult to maintain an appropriate security posture.

Undertaking a detailed evaluation of all IT systems and network endpoints in the target enterprise will be vital for enabling the M&A team to identify how to effectively operationalise the entire environment, post-M&A, and put in place a strategy for eliminating any potential cracks in the security foundation that could allow cybercriminals to penetrate.

This will be critical, going forward, for planning how both entities combine and integrate their IT systems and processes. This should include aligning both IT organisations to address risks like insider threats, compliance concerns, and any potential external infiltration risk points that could impact ongoing data management and protection strategies.

Conducting Cyber Security Due Diligence – Step 3

Organisations participating in M&A activities must have full visibility into their own systems as well as those of the companies they are acquiring if they are to give security the attention it needs during a takeover process.

For example, if an unauthorised user with administrative access is making requests for data on a database holding customer information, the acquiring firm must address that concern before the deal closes. This will include reviewing all security-related policies within both organisations and scrutinising the target’s systems and data.
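The scenario above, as an added example that is not part of the original article: a small access-review script that joins a constructed data inventory from Step 1 (which tables hold customer data) with a constructed list of approved administrators and a constructed database audit log, and flags every admin-role query against customer data by an account that is not on the approved list. The log format, table names and account names are assumptions for illustration.

```python
"""Access review for cyber due diligence: flag unapproved admin access to customer data."""
from dataclasses import dataclass

# Constructed data inventory (Step 1): tables identified as holding customer/personal data.
CUSTOMER_DATA_TABLES = {"guests", "reservations", "payment_cards"}

# Constructed list of accounts the target says are authorised to hold database admin rights.
APPROVED_ADMINS = {"dba_alice", "dba_bob"}

# Constructed audit-log sample in a hypothetical "timestamp user role table action" format.
SAMPLE_AUDIT_LOG = """\
2020-03-01T09:00:01 dba_alice admin reservations SELECT
2020-03-01T09:05:12 app_svc app guests SELECT
2020-03-01T09:07:44 contractor_x admin guests SELECT
2020-03-01T09:08:10 contractor_x admin payment_cards SELECT
2020-03-01T09:10:00 dba_bob admin inventory SELECT
2020-03-01T09:12:30 contractor_x admin inventory SELECT
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    table: str
    action: str


def parse_audit_log(text):
    """Yield (timestamp, user, role, table, action) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, user, role, table, action = line.split()
            yield ts, user, role, table, action


def find_unapproved_admin_access(log_text, customer_tables=CUSTOMER_DATA_TABLES,
                                 approved_admins=APPROVED_ADMINS):
    """Return findings for admin-role queries on customer data by accounts not on the approved list."""
    findings = []
    for ts, user, role, table, action in parse_audit_log(log_text):
        if role == "admin" and user not in approved_admins and table in customer_tables:
            findings.append(Finding(ts, user, table, action))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_admin_access(SAMPLE_AUDIT_LOG):
        print(f"{f.timestamp}: {f.user} ran {f.action} on {f.table} with admin rights "
              f"but is not an approved administrator")
```

In the sample, the two contractor_x queries against guests and payment_cards are flagged, while its query on the non-customer inventory table and the approved DBAs' queries are not.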

To safeguard the integrity of business-critical systems, the M&A investigative team will also need to lay the foundations for an integration strategy that eliminates any risk of introducing new vulnerabilities as platforms, solutions, and services are brought together. To ensure a safe IT ecosystem, organisations will need to be able to enforce granular security policies that include data encryption across all applications, data lakes and beyond, real-time data loss prevention, user access controls, and continuous monitoring that gives full visibility into both user activity and applications.

Why it Pays to Get the Full Picture

Cyber risk is an ever-present threat for today’s businesses. Conducting detailed cybersecurity due diligence reviews during the M&A process will not only enable an organisation to fully understand the cyber risk potential of a target entity, it will also provide the critical insights needed into how the security strategies of the two organisations differ. Closing these gaps will be key to ensuring the integration of the two IT organisations can be fast-tracked without adding risk.

Every M&A transaction involves complex and detailed due diligence, and ultimately the smoother the integration processes proceed, the greater the success of the deal. However, combining people, systems, and processes often opens up new risks and new pathways to attack. If organisations are to successfully manage information security in the extended environment, they must first understand all the potential risks and consider security as part of their pre- and post-close activities. Ultimately, protecting reputations and the anticipated outcomes of any M&A investment depends on understanding where the potential pitfalls lie.
