How to Mitigate Cyber Risk During Mergers & Acquisitions 

Cybersecurity due diligence in M&A can help you appropriately evaluate your potential future subsidiary’s security posture

Mergers and acquisition transactions can be a security minefield for the acquirer, who must quickly integrate the target company's systems and data into its own environment while mitigating the risk of a data breach or other attack.

This risk is very high, with a 2019 Forescout report showing that over half of participants in the M&A activity encounter critical cybersecurity risks in target companies that jeopardize deals.

In 2020, hotel giant Marriott, which was fined $23.8m for failing to update legacy – and previously breached – IT infrastructure used by subsidiary Starwood Hotels, acquired in 2016.

Management consulting company Aon found in 2020 that only 10% of merger transactions involved cybersecurity in the due diligence phase.

Infosecurity has selected some steps a company must take to ensure minimal added cybersecurity risks during an M&A deal.

Ahead of acquiring or merging with another firm, a company should ensure it understands all the potential cybersecurity risks it could be vulnerable to.

This involves performing a risk assessment, including the following:

• Skimming through all IT assets, with a particular focus on new types of devices, networks and protocols that the acquirer may not have been managing in the past
• Conducting a risk profile by considering the size and complexity of the organization and its IT systems, the types of threats that it is most likely to face and by modelling the consequences and outcomes of a potentially successful attack
• Analysing the existing defensive measures
• Determining the results of previous risk assessments
• Auditing the infrastructure to look for apparent vulnerabilities or any ongoing attacks or active breaches

In parallel, the acquirer must identify the target organization's existing compliance responsibilities and measures and look for any deficiencies or oversights.

A few legal questions the acquirer could ask include:

• Who are the target company’s critical vendors and what critical business operations are dependent on vendors
• Is the target organization compliant with existing legislation (GDPR, FTC data breach rules, etc.)?
• Has the company obtained security licenses of any form?
• Will the newly formed company have to comply with new laws?
• Does the target company have any current security certifications or attestations to maintain?

If the merger or acquisition proceeds, it’s time to dig deeper and complete your preliminary risk assessment with a more comprehensive investigation into the target organization’s IT systems and security procedures.

First, the inventory should include assets, access controls and data governance:

• Assets: physical devices (computers, servers…), logical assets (software, operating systems, applications…), managed services (cloud services, data centers…) – don’t forget to note where you find legacy devices and obsolete software
• Access controls: assess the authentication and authorization processes, whether the least privileges approach is implemented
• Data: data flow, data encryption, backups (on-premises, in the cloud…)

Next, you should review the target company’s security measures:

• Endpoint security: antiviruses, EDRs…
• Network security: firewalls, third-party access, segmentation and micro-segmentation
• Patch management: up-to-date patching, automatic patching processes
• Resilience plans: incident response plan, business continuity plan, disaster recovery plan, vendor management program

ADVERTISEMENT

Since an M&A deal sometimes needs to be completed quickly, you may not have time to finish all the steps of your security assessment.

Once the transition is completed, it’s essential to complete this step to address any issues you might have missed before it’s too late.

You can even test potential missed vulnerabilities and shortcomings using offensive cyber programs such as pentesting and bug bounties.

At this stage, aligning your security and data governance between both entities is also critical.

This can involve:

• Migrating IT systems and security measures to manage a more coherent network
• Aligning information security and HR policies and communicating any changes with all employees
• Training employees so they know, understand, and follow policies

Finally, regularly renewing all evaluations – on the infrastructure, the security measures and the workforce – is essential.

Enjoyed this article? Make sure to share it!

Looking for something else?