While 2020 has seen a slowdown in mergers and acquisitions (“M&A”), in a recent survey of 1,000 U.S. corporate M&A executives and private equity professionals a clear majority expected M&A activity to return to pre-COVID-19 levels within the next 12 months.
The real news, however, is the extent to which M&A due diligence is increasingly including careful consideration of cyber risk.
According to Deborah Golden, cyber and strategic risk leader for Deloitte Risk & Financial Advisory, Deloitte & Touche LLP, “CISOs (chief information security officers) understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”
80% of global firms surveyed reported an increase in cyber attacks this year. The coronavirus pandemic is associated with a 238% rise in cyber attacks on banks. Phishing attacks have increased by 600% since the end of February.
This is not surprising given the tsunami of threats and attacks this year alone. Consider that in just the last six months:
- The NSA published an advisory listing the top vulnerabilities exploited by Chinese state-sponsored actors
- Remote workers expanded the attack surface
- The latency and limited scope of CVSS scores from the National Vulnerability Database added risk in a faster-paced threat environment, since a base score alone says nothing about whether a flaw is actually being exploited or how exposed the affected asset is
Hidden Threats to Valuation
As companies, advisors and banks consider their M&A roadmap, an assessment of a target company’s cyber risk profile is now a business-critical element of the due diligence and valuation process. In addition, senior managers and organizational consultants will increasingly need to consider how to bring two different IT security shops together and establish a baseline approach to policies and procedures.
“From a growing attack surface and the increased use of open source software to legacy organizational vulnerability deficits and labor-intensive, manual remediation management, it is challenging to scale up an IT security organization in the face of today’s cyber threat environment,” said Mark Fidel, RiskSense cofounder. “It really is all about understanding each company’s Vulnerability Risk Rating as well as assessing each company’s IT security policies and procedures.”
Golden, of Deloitte Risk & Financial Advisory, advises that “When it comes to cyber in an M&A world, it’s important to develop cyber threat profiles of prospective targets and portfolio companies to determine the risks each presents.”
Acquiring a Compromised Asset
Brandon Hoffman, CISO of Netenrich, recently published an article, “Cybersecurity Risk Factors, M&As in the Age of COVID-19,” that focuses on the business-critical importance of understanding a company’s assets in the age of accelerating cloud adoption and the remote workforce.
Beyond a more thorough assessment of the cyber risk of a potential acquisition or merger partner for legal and financial purposes, there is an organizational imperative for the parent company to carefully assess the potential risks to its own cyber security and risk management programs. Trying to manage the parent company’s cyber security programs while “inheriting” a new one with significant issues and risks compounds risk. One of the emerging risks in acquiring companies is the extent to which the acquired company represents a new attack vector into the parent organization: its networks, identities and trust relationships become part of the parent’s attack surface the moment they are connected.
“No matter how strong your IT security policies and procedures and the maturity of your cyber risk management programs, if your company acquires another company that has or is at significant risk of breach due to any number of reasons, you just paid for bigger problems,” said Mark Ramsey, former CISO of a major global precision manufacturing company and Director of the Cyber Security Program at Fairfield University. “Trying to play catch up and accelerate the improvements of a new IT security program while dealing with your parent company’s growing attack surface and the increasing scale, scope and sophistication of attacks can be daunting.”
Even before COVID-19, ask any CISO and they would tell you their biggest fear is not knowing what is on their network. Mergers and acquisitions pose the biggest risk here because, from the business standpoint of a financial transaction, the goal is to connect the new corporate assets as quickly as possible. In today’s remote-worker world, this means a higher likelihood of onboarding an acquired company whose infrastructure does not meet the remote-access rigor the acquiring company applies to itself. The bottom line is that you may have exposed your company to increased risk from users and devices that were external yesterday and are inside your network today.
Aligning IT Security Programs
OK, so you have concluded that additional focus and expertise is needed to more fully address potential cyber risks in your M&A plans. But how do you actually perform an assessment given the often large scale and scope of a company’s attack surface, different IT security tools and programs, and the inherent friction of two different IT security teams viewing things differently?
Earlier this year, Gus Fritschie, vice president of security services for Bulletproof Solutions Inc., assisted two major publicly traded companies with a pre-merger cyber security risk assessment. He had to address several business-critical considerations: how to quickly and effectively manage a large sample of recent scan data from across each organization, and then how to apply a vulnerability risk assessment methodology that would be objective, substantive and instructive from an organizational perspective.
“These two companies represented large attack surfaces, had different enterprise scales, and the maturity of their information security practices and processes were variables that had to be considered. They also needed an assessment approach that was reasonably fast to implement, straightforward to understand and then actionable for the information security teams that would be combining post-merger,” said Fritschie. “We needed an innovative approach to managing and organizing tens of thousands of scan data files across multiple sites and getting to some bottom-line findings quickly. We also had to find a way to effectively communicate the assessed risks in a way that brought the two IT security shops together on the same page.”
To speed the assessment and communicate the results in a way both organizations could accept, Fritschie brought in the vulnerability risk experts from RiskSense to use their platform and automated prioritization engine. Working with each merger partner’s IT security team, Fritschie and Glen Bradly, RiskSense senior solutions engineer, ingested recent vulnerability scans performed by the target organizations covering over 70,000 IT assets from each company.
Using the RiskSense platform’s grouping and filtering capabilities, and applying its Vulnerability Risk Rating (the “RS3” score), the merger partners received detailed reports customized for their respective organizations, while also having access to the RiskSense dashboards for detail, including links to recent threat intelligence and remediation recommendations. At the same time, Fritschie performed an audit and assessment of each organization’s IT security policies and procedures.
“With the fast-paced schedule and a diverse group of stakeholders in each organization, using the RiskSense platform was invaluable not only for the speed to value and the objective, data driven scoring methodology but also for the way it helped two different IT Security teams align together,” Fritschie said. “Being able to access the RiskSense dashboard, collaborate with Bulletproof and RiskSense experts and drill into the details was really important and valuable for both merger partners.”
The fact is that even before COVID-19, all organizations were facing a ransomware epidemic and a rapid escalation in the scale, scope and sophistication of cyber threats. Today, leading cyber security organizations are stressing a more proactive and preventative approach.
For example, Gartner’s top CISO projects for 2020–2021 include “Remote workforce security… with zero trust network access” and “Risk-based vulnerability management including bringing in additional information in the form of threat intelligence, attacker activity reports and internal asset reports to help organizations better identify which flaws to fix first.”
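As an added example, not part of the original article and not a reproduction of RiskSense’s RS3 score or Bulletproof’s methodology, the Python below shows the mechanics of the risk-based approach Gartner describes and of the scan-data workflow from the merger assessment: findings from two merger partners are ingested into one common structure, filtered and grouped per organization, and ranked by a score that blends the CVSS base score with threat intelligence (active exploitation, public exploit code) and asset context (internet exposure, criticality tier). The weights, the tiering scheme and the six findings are assumptions constructed for illustration; the vulnerability identifiers are placeholders, not real CVEs.

```python
"""Risk-based vulnerability prioritisation across two merging organisations.

Added illustration for this article. Not RiskSense's RS3 scoring or Bulletproof's
method: every weight below is an assumption chosen to show the idea, and the
findings are constructed sample data with placeholder identifiers, not real CVEs.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    org: str                 # merger partner whose scanner reported it
    asset: str
    vuln_id: str             # placeholder identifier (constructed, not a real CVE)
    cvss: float              # NVD-style base score, 0-10
    internet_facing: bool    # from the asset inventory
    asset_tier: int          # 1 = business-critical ... 3 = low value (assumed tiering)
    exploited_in_wild: bool  # from a threat-intelligence feed (assumed field)
    exploit_public: bool     # public exploit code exists


# Constructed sample scan data: three findings from each merger partner.
FINDINGS: List[Finding] = [
    Finding("AcmeCo",   "vpn-gw-01",     "CVE-0000-1001", 7.5, True,  1, True,  True),
    Finding("AcmeCo",   "build-srv-02",  "CVE-0000-1002", 9.8, False, 2, False, False),
    Finding("AcmeCo",   "kiosk-17",      "CVE-0000-1003", 9.1, False, 3, False, True),
    Finding("BetaCorp", "mail-relay-01", "CVE-0000-2001", 5.3, True,  1, True,  True),
    Finding("BetaCorp", "hr-db-01",      "CVE-0000-2002", 8.8, False, 1, False, False),
    Finding("BetaCorp", "dev-laptop-44", "CVE-0000-2003", 9.8, False, 3, False, False),
]

TIER_WEIGHT = {1: 1.0, 2: 0.75, 3: 0.5}  # assumed asset-criticality weights


def risk_score(f: Finding) -> float:
    """Blend the CVSS base score with threat and asset context (assumed weights).

    Active exploitation outranks merely public exploit code; internet exposure
    adds a further premium; low-value assets are discounted. The result is
    capped at 10 so it stays comparable with the CVSS scale.
    """
    multiplier = 1.0
    if f.exploited_in_wild:
        multiplier += 0.5
    elif f.exploit_public:
        multiplier += 0.25
    if f.internet_facing:
        multiplier += 0.25
    return min(10.0, f.cvss * multiplier * TIER_WEIGHT[f.asset_tier])


def by_cvss(findings: Iterable[Finding]) -> List[Finding]:
    """Naive ordering: patch the highest base score first."""
    return sorted(findings, key=lambda f: (-f.cvss, f.asset))


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Risk-based ordering: highest contextual risk first, CVSS as tie-breaker."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss, f.asset))


def select(findings: Iterable[Finding], **criteria) -> List[Finding]:
    """Filter on any Finding fields, e.g. select(FINDINGS, org="AcmeCo", internet_facing=True)."""
    return [f for f in findings
            if all(getattr(f, k) == v for k, v in criteria.items())]


def org_summary(findings: Iterable[Finding]) -> Dict[str, Dict[str, float]]:
    """Per-organisation roll-up the two security teams can compare side by side."""
    findings = list(findings)
    summary: Dict[str, Dict[str, float]] = {}
    for org, count in Counter(f.org for f in findings).items():
        own = select(findings, org=org)
        summary[org] = {
            "findings": count,
            "exposed_and_exploited": len(select(own, internet_facing=True, exploited_in_wild=True)),
            "max_risk": max(risk_score(f) for f in own),
        }
    return summary


if __name__ == "__main__":
    print("Top 3 by CVSS alone:     ", [f.asset for f in by_cvss(FINDINGS)[:3]])
    print("Top 3 by contextual risk:", [f.asset for f in prioritize(FINDINGS)[:3]])
    for org, stats in org_summary(FINDINGS).items():
        print(org, stats)
```

Run as-is, the two top-3 lists disagree: CVSS alone puts the two 9.8 findings on an internal build server and a developer laptop first, while the contextual ranking leads with the internet-facing VPN gateway and mail relay whose flaws are under active exploitation despite lower base scores. In a real engagement the `exploited_in_wild` and `asset_tier` fields would be populated from a threat-intelligence feed and the asset inventory rather than hand-coded, and the per-organization summary is the artifact both security teams can argue over with the same numbers in front of them.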
When considering mergers and acquisitions, the urgency of making cyber risk management a key priority is clear. In addition to considering vulnerability solutions like RiskSense and zero trust innovators like NetFoundry, it is business-critical to align business and cyber security considerations and objectives.
Jim Watts, client service delivery lead for Cyber Risk Management Group, has supported key IT projects at major companies such as Home Depot, AT&T and Fiserv. Over his 30 years of experience in technology and IT project management, and most recently supporting the implementation of best-practice-based cyber risk management programs, Watts has come to stress the importance of aligning technology and business objectives.
“Having technology and business alignment managed through a governance process in a post-merger organization is a key success factor,” said Watts. “By leveraging a comprehensive ‘Process Governance’ approach, leaders can ensure alignment between technology and the business is in place, and key cyber risk management indicators can be used to measure progress toward goals and keep work efforts on track.”
When it comes to the financial, business and liability implications of cyber attacks, cyber risk in mergers and acquisitions represents a key area for improvement.
It was once said that “The second kick of the mule should not be educational.”