You have done the mandatory audit of cybersecurity in mergers and acquisitions. Are you still legally liable for the cybersecurity issues of the company you just acquired?
Well, there are no legal liabilities exactly, but according to an advisory prepared by global consultancy service Deloitte, the onus is usually on the acquirer.
“The acquiring company must determine the cybersecurity posture of the target company to mitigate the risk of a data breach,” read the section on data security. The same goes for dormant threats such as IT and OT vulnerabilities.
“Senior leadership must be vigilant in identifying dormant threats in the acquired infrastructure and implement effective mechanisms for mitigating them. Vulnerabilities must be found in advance to reduce the attack surface before they can harm the acquiring company.”
Cybersecurity in mergers and acquisitions (M&A) can be quite tricky, especially when it comes to vulnerabilities and breaches arising out of non-compatible systems and policies.
M&A risks rarely feature in cybersecurity news but it’s a fact that many incidents can be traced back to improper M&A cybersecurity audit and follow-up.
The Cyber Express here takes a conversational approach to explore the costs of poor M&A security and the risks associated with post-merger cybersecurity in order to provide practical steps to mitigate these risks of cybersecurity in mergers and acquisitions and ensure the security of all parties involved.
The cost of poor cybersecurity in mergers and acquisitions
You have acquired a company, but their cybersecurity measures are far from ideal.
It’s not just about potential data breaches; there’s more at stake. Intellectual property theft and compromised trade secrets can have long-lasting consequences.
Hackers are notorious for sneaking into networks and remaining undetected for months on end, stealing valuable information about business strategies and sensitive data about personnel.
These breaches can seriously affect the valuation of the acquired company and may result in penalties and lawsuits from unhappy shareholders. So, it’s crucial for acquiring companies to take these risks seriously and implement effective security measures.
Cybersecurity in mergers and acquisitions: Pre-merger measures
“While the discovery of cyber threats and even actual data breaches can harm an merger and acquisition deal, they don’t often lead to outright termination,” said a blog post on Pre-M&A Security Assessments by SecurityTrails.
“More commonly, they cause delays and add costs, usually due to compliance violations. Yet that can affect the entire outcome of the deal, including the value the acquirer places on the target company.”
Before merging IT systems and networks, there are a few key steps that acquiring companies should take to assess and mitigate cyber risks. Let’s break it down:
Firstly, you need to identify the specific cyber risks faced by the target company. Consider factors like the industry it operates in, its geographical location, partners, products, and services. Understanding these risks is essential for developing a solid cybersecurity plan.
Next up, dive into the network and system architectures of the acquired company. Look for any known vulnerabilities in hardware and software.
Take note of the IT and operational technology (OT) assets, patching schedules, digital asset management practices, cloud services, mobile policies, application vulnerabilities, and data flows. The more you know, the better prepared you’ll be.
Now, let’s talk data handling. Review how the acquired company handles customer data. Take a close look at their data privacy and security controls. How do they store, use, and dispose of customer data? Also, be sure to review any contractual obligations the acquired company may have regarding data with other companies. Don’t overlook the fine print!
It’s also crucial to review the acquired company’s security program. Ensure that it meets regulatory requirements and current industry standards. You want to be certain that their security measures align with best practices in the industry.
Last but not least, investigate any past security issues. Look into any charges, complaints, or litigation related to fraud, extortion, ransom, or other cybersecurity incidents. It’s essential to have a clear understanding of any potential red flags.
Cybersecurity in mergers and acquisitions: Conducting security assessment
Once you are done with the pre-merger measures, it’s time to conduct a comprehensive security assessment of the acquired company. Here’s what you need to do:
Start by reviewing the organizational policies of the acquired company. Take a deep dive into their information security policy, terms of use agreements, acceptable use policy, and data classification policy. These policies lay the foundation for a robust security framework.
Next, consider any previous security audits, assessments, vulnerability scans, or penetration tests that have been conducted. These insights will be valuable when formulating incident response plans and playbooks for the merged entity.
Implementing network segmentation is a crucial step. By establishing network segmentation and policies, you can enhance security and facilitate the integration of the acquisition. It’s a win-win situation!
As you assess the acquired company’s risk strategy, pay special attention to the state of IoT security. The Internet of Things (IoT) devices can be a potential entry point for cyber threats. So, make sure you’ve got that covered.
Post-assessment measures
Start by mapping the available systems and processes according to the Deming PDCA Cycle or a similar framework.
Gartner defines Deming PDCA Cycle as the continuous improvement model of “Plan, Do, Check, Act.” “It is often represented as the four quadrants of the rim of a circle to reflect the fact that once all four elements have been accomplished, the cycle repeats.”
Recently, the National Institute of Standards and Technology (NIST) added “Prepare” as a key step in its Risk Management Framework (RMF).
If the acquired company lacks technological maturity, consider bringing in a third party to conduct an independent security audit. Let them perform vulnerability scans, penetration tests, and custom methods to assess the acquired company’s security posture.
Never forget to evaluate the IT security personnel of the acquired company. Use security questionnaires and interviews to get a sense of their expertise and skills. This will help you distinguish between rockstar employees and potential weak links.
Post-merger risk management considerations
After the mandatory actions come the voluntary but extremely important steps: the post-merger risk management measures. Even after completing the merger, there are a few ongoing risk management considerations to keep in mind.
During and post-merger, implement granular controls for identity and access management (IAM). Harden perimeter security, keep an eye on audit logs, and revise security processes and cybersecurity training. Stay vigilant!
Investing in automated risk management services can be a game-changer. These services provide guidance and support for automating multiple risk management programs with a centralized IT governance, risk, and compliance (GRC) platform.
Lastly, never underestimate the importance of maintaining a strong security posture. Failure to address cybersecurity risks during M&A activity can lead to a damaged reputation and devaluation of the company.
So, keep consulting your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist, and incident response playbooks whenever in doubt.
Cybersecurity in mergers and acquisitions: The 10-step checklist
Navigating post-merger cybersecurity challenges is crucial for a successful merger or acquisition. Failing to assess the cybersecurity posture of the acquired company can lead to data breaches, intellectual property theft, and potential penalties.
To mitigate these risks, acquiring companies should conduct pre-merger security measures, including identifying cyber risks, reviewing network architectures and data handling practices, and evaluating the acquired company’s security program. Here is a ten-step checklist for you to get it right.
1. Conduct comprehensive cybersecurity assessments of the target company to ensure security due diligence. Evaluate their existing security policies, practices, infrastructure, and systems. Identify potential vulnerabilities, weaknesses, and any history of security incidents or breaches.
Conducting a comprehensive cybersecurity assessment of the target company during a merger or acquisition involves defining the scope, gathering information, evaluating network and system architecture and assessing data handling practices.
Review security policies and procedures, assess incident response capabilities, perform vulnerability assessments and penetration testing, evaluate security awareness and training programs, and engage external expertise if needed.
Lastly, document findings and recommendations, and communicate and collaborate with stakeholders.
2. Verify if the target company complies with relevant data privacy regulations such as GDPR or CCPA. Assess their data protection practices, data handling procedures, and adherence to industry-specific regulations.
Verifying if the target company complies with data privacy regulations like GDPR or CCPA involves several key steps. Firstly, review the target company’s privacy policies and documentation to identify explicit statements of compliance with the relevant regulations.
Assess their data collection and processing practices, ensuring proper consent, transparency, and individual control over personal data. Evaluate data security measures, vendor compliance, and incident response procedures.
Additionally, consider the appointment of a Data Protection Officer (DPO) and seek legal advice if needed. By conducting a comprehensive assessment, you can determine if the target company meets the requirements of data privacy regulations.
3. Evaluate the cybersecurity awareness and culture within the target organization. Assess their employee training programs, security awareness initiatives, and incident response readiness to promote a strong cybersecurity culture.
To evaluate the cybersecurity awareness and culture within the target organization, follow these key steps. Firstly, review their training programs to assess the content and effectiveness of cybersecurity training provided to employees.
Evaluate employee knowledge through surveys or interviews to gauge their understanding of cybersecurity practices.
Additionally, assess incident reporting processes, security policies, and procedures to determine if they are comprehensive and well-communicated. Consider the presence of security awareness initiatives and evaluate incident response preparedness.
Lastly, observe employee behaviors and practices related to cybersecurity and seek feedback from IT and security teams. By conducting this evaluation, you can identify strengths, weaknesses, and areas for improvement in the target organization’s cybersecurity awareness and culture.
4. Assess the target company’s incident response plan and capabilities, including their ability to detect, respond to, and recover from security incidents. Verify the presence of a dedicated incident response team, well-defined processes, and effective communication channels for incident reporting.
Thoroughly review their incident response plan to ensure it is comprehensive and up to date. Evaluate their detection capabilities by assessing their monitoring systems and tools for real-time alerting and threat intelligence.
Examine their response procedures, including incident triage, evidence preservation, and predefined actions based on incident severity. Assess their ability to contain and eradicate incidents, including system isolation and restoration processes.
Additionally, evaluate their incident recovery capabilities, such as system restoration and backup testing. Consider their approach to post-incident analysis and lessons learned, including root cause analysis and corrective actions.
Finally, testing their readiness through tabletop exercises or simulated scenarios can provide valuable insights into their incident response effectiveness.
5. Evaluate the target company’s IT infrastructure, network architecture, and security controls. Identify potential vulnerabilities, misconfigurations, or outdated systems that could pose risks. Assess the effectiveness of their network security controls, such as firewalls, intrusion detection/prevention systems, and secure remote access mechanisms.
Assess the network architecture to identify any design flaws or vulnerabilities that could lead to unauthorized access. Next, evaluate the security controls in place, such as firewalls and access controls, to ensure they are properly configured and up to date.
Additionally, review the patching and update processes to identify any weaknesses that may leave systems exposed to known vulnerabilities. Identify outdated systems or software that may lack necessary security updates and assess the risks associated with them.
Analyze the configuration management practices to ensure proper baseline configurations and version control. Conduct vulnerability assessments or penetration testing to uncover potential weaknesses in the systems and networks.
Consider any third-party security assessments or audits conducted on the target company’s infrastructure to gain further insights into potential risks and areas requiring attention.
6. Determine if the target company has partnerships with external vendors or service providers that access your organization’s systems or data. Assess the security controls and contracts in place with these third parties to ensure compliance with your organization’s standards.
You can start by reviewing documentation and contracts to understand the nature of their relationships.
Assess the target company’s vendor management practices and look for evidence of due diligence and ongoing oversight. Identify critical systems or data that may be shared with external vendors and conduct assessments to evaluate their security posture.
Request security documentation from the target company and review their incident response procedures to ensure they include provisions for handling security incidents involving vendors.
Consider regulatory compliance requirements, such as GDPR or CCPA, and assess if the target company has measures in place to comply when sharing data with external partners.
By following these steps, you can identify potential risks and ensure appropriate controls are in place to protect your organization’s systems and data.
7. Identify and assess the target company’s intellectual property (IP) protection measures. Evaluate the confidentiality and safeguarding of their IP assets, including patents, copyrights, trade secrets, and proprietary technologies.
Begin by identifying the types of IP the company possesses and understanding their value. Review documentation such as patents, trademarks, and licensing agreements to gain insights into their approach to IP protection.
Evaluate their security policies, procedures, and IT measures related to IP protection, including access controls, encryption, and data storage security.
Analyze employee awareness and confidentiality practices to ensure they understand the importance of protecting IP.
Consider legal protections in place, such as registered patents or ongoing litigation related to IP infringement. Engage IP professionals for specialized expertise in assessing the target company’s IP portfolio and associated protection measures.
This assessment helps you gauge the level of security and safeguards for IP assets, identify potential risks, and determine the effectiveness of their IP protection strategies.
8. Evaluate the target company’s security governance framework, including the presence of a dedicated security team, security policies, and procedures. Assess their risk management practices, security incident reporting mechanisms, and overall security program maturity.
Firstly, assess the presence and capabilities of their dedicated security team, examining their expertise and roles within the organization.
Review the target company’s security policies and procedures to ensure they address essential areas such as access control, data protection, and incident response. Evaluate the effectiveness of their security awareness programs in promoting a strong security culture.
Additionally, consider their compliance with industry regulations and standards, as well as their incident response capabilities and governance structure.
9. Identify potential cybersecurity challenges and complexities that may arise during the integration process. Ensure that both organizations have a plan to align security practices, technology stacks, and policies while minimizing disruptions to ongoing operations.
Conducting a thorough assessment of the IT infrastructure, security policies, regulatory compliance, cultural differences, third-party relationships, and vulnerability testing are essential steps.
Evaluate the compatibility of IT systems and architectures between the acquiring and acquired companies to identify any potential gaps or security risks. Review and compare the security policies and procedures of both entities to uncover any inconsistencies or vulnerabilities that may arise during integration.
Consider regulatory compliance requirements and anticipate challenges in aligning frameworks and standards.
Assess cultural and operational differences that may affect cybersecurity practices and risk management, and evaluate the impact on employee awareness and acceptance of security measures.
Additionally, examine third-party relationships to identify potential risks associated with vendors or service providers. Conduct vulnerability assessments and penetration testing to uncover any weaknesses or vulnerabilities that could be exploited during the integration process.
10. Understand the target company’s cybersecurity liability exposure, including any pending litigation or regulatory actions. Assess their cybersecurity insurance coverage and its alignment with your organization’s risk appetite.
Reviewing the target company’s legal and regulatory compliance to ensure adherence to cybersecurity laws, data privacy requirements, and industry standards is the first step. This helps identify potential liability risks and ensures compliance with legal obligations.
Next, investigate the target company’s incident history to understand past cybersecurity breaches and assess their incident response effectiveness. Analyze the severity and impact of these incidents, considering the potential legal and financial consequences.
Conduct due diligence on any pending litigation or regulatory actions related to cybersecurity or data breaches involving the target company. This involves reviewing legal filings, public records, and regulatory databases to assess potential liabilities.
Seek guidance from legal experts specializing in cybersecurity to accurately assess liability exposure, review contractual agreements, and evaluate insurance coverage. By engaging legal experts and conducting a thorough review, you can mitigate cybersecurity liabilities during the merger or acquisition process.
By prioritizing these cybersecurity considerations during M&A activities, informed decisions can be made, risks can be mitigated, and the security of your organization’s assets, data, and systems can be ensured throughout the integration process.
