The importance of cybersecurity due diligence in M&As

By Alex Hammond | 19 June 2017

Justin Coker, Vice President - EMEA at Skybox Security

It’s boom time for UK mergers and acquisitions — recent M&A activity stats from the ONS showed that the value of domestic M&A reached its highest value since 2008, with foreign M&A also reaching new levels. While this is a cause for celebration across many boardrooms and financial advisory firms, for the CISO and CIO this can cause a major headache.

You’re not just merging bank accounts and people — you’re also bringing hundreds (possibly thousands) of new devices onto the network. Every new device has the potential to bring new cyber risks to your business, and that’s before you’ve looked into other aspects like legacy systems, servers, industry-specific technologies like POS terminals or ATMs, and IT policies that have drifted drastically apart over the years.

Of course, these security concerns are also a major issue for the board, as they can affect the bottom line and possibly the merger itself. When it emerged that almost 500 million Yahoo user details were stolen in a breach that went undetected since 2014, Yahoo’s sale to Verizon Communications came into question. The billion-dollar sale of Yahoo’s core business was still in its early stages, and Yahoo found itself in a weaker negotiating position.

You wouldn’t buy a bank that leaves its safes wide open. So why treat cybersecurity differently? To de-risk the cyber aspects of your merger, here are some best practices for the people, processes and technologies involved.

Get the CISO involved from the start

Mergers and acquisitions are high-stress environments, where timing is crucial.

The same is true from a cybersecurity perspective: you need to get your CISO into the discussions as soon as possible so they can start preparing for the big challenges ahead. They can help educate the board on security, regulatory or compliance issues which may not have been previously considered.

Early involvement of the CISO also helps the entire M&A process flow more smoothly, and avoids last-minute issues which could bring it to a halt. The impact of cybersecurity on this process is often underestimated, but recent events have shown how cyber events can have unexpected business impacts.

In the US, cybersecurity firm MedSec used its knowledge of an undisclosed vulnerability in a medical device to short sell the stock of its manufacturer, St. Jude Medical. On August 25, 2016, MedSec’s investment firm released the report on the attack risks to the medical device, resulting in a five-percent drop in St. Jude’s stock. The loss — combined with the revelation of the dangerous device vulnerability — threatened to put the manufacturer’s $25 billion sale to Abbott Laboratories in jeopardy.

You wouldn’t leave it to the last moment to tell your CFO that there’s a merger happening the next day, so don’t leave your security leaders out in the cold.

Get visibility of your network and understand your weaknesses

Don’t underestimate how huge and complicated a risk merging IT systems can be, let alone the vulnerabilities that come along with it. When Lloyds TSB and HBOS merged in 2008, the largest recent merger in UK corporate history, teams needed to understand three networks at once. Initially, the teams on both sides of the merger had to understand their own individual networks as separate entities to plan how they could fit together. These networks spanned 2,000 branches, 75,000 full-time staff and millions of customers. Then, the challenge was to understand the third network: the one that would emerge from the combined networks, which in the end comprised approximately 200,000 endpoints and would have its own vulnerabilities that may not have been present in either of the two separate networks.

A final risk to avoid is the possibility that you will unknowingly create a door into your system. This is a period of flux for your organisation, and the companies will be undergoing a rapid transformation which leaves their staff, technology, networks and strategies in a constant state of change. There is a real danger that you inadvertently create new threat vectors in the process.

Network visibility is the only way to understand the IT puzzle of the merger – you need to have all the pieces and know how they fit together to get a complete picture. This is true whether you’re a financial giant like Lloyds or a small start-up.

Gathering and analysing all the pieces that make up your network would be an impossible task to carry out manually. Automation can quickly pull together a complete view of your attack surface, and help everyone involved understand the risks within each corporate environment you’re trying to bring together.

If you’re thinking, “I’m not planning a merger or acquisition now, so I don’t need to worry about such things,” you should think again.

Old acquisitions made well before cybersecurity was the boardroom priority it is today could still be in your systems with unknown risks and vulnerabilities, providing attackers with the vectors they need. We’ve seen this in practice, where one major bank carried out cybersecurity due diligence and found that vulnerable systems from an old acquisition had left a loophole in place, ready to be exploited. Similarly, if you’re divesting part of your business, you face the complex challenge of separating two networks, which may be equally difficult – untangling a network without leaving any doors into the system open should be a priority.

Ongoing processes and compliance

The EU General Data Protection Regulation (GDPR), the wide-ranging legislation which strengthens data protection in the EU, comes into force in May 2018, and with it the requirement to provide documentation that shows a track record of compliance. If you’re bringing other networks into yours, you need to consider how that could impact your compliance with the new regulations. Can you demonstrate that you took steps to adhere to relevant regulations as part of the integration process? How can you quickly set up monitoring processes on new networks?

After the merger has taken place, automation can reduce the time it takes to see what’s happening within the newly created environment. Normally there are substantial volumes of change requests during network integration. You want to be able to make changes quickly to keep up with the pace of business, but don’t want to sacrifice security. Automated workflows and proactive risk assessments can significantly reduce change management time and avoid changes that need to be reworked.

Take cybersecurity from the basement to the boardroom

Recent incidents have shown how cybersecurity issues can impact more than just a brand’s reputation. Whatever your role within the process, don’t let security issues derail the positives of your merger. Make sure cybersecurity has a seat at the table, so all stakeholders have the information they need to make M&As an unqualified success.