Following the discovery of two data breaches affecting more than 1 billion Yahoo Inc. users, Verizon Communications Inc. shaved $350 million off its original offer to acquire the company in 2017. The deal also included a liability sharing agreement, according to Reuters.
With companies’ reputations and futures becoming more inherently tied to their cybersecurity efforts, Security magazine connected with Kevin Richards, managing director of North American Security and global lead for Security Strategy and Risk at Accenture, to discuss the outcomes of negligent cybersecurity oversight during mergers and acquisitions, including unforeseen and costly integrations, unexpected liability and higher overall enterprise risks.
SECURITY: What are some of the potential risks an enterprise takes on if it neglects to include cybersecurity in its M&A vetting period?
Richards: If we consider the impact of recent, high-profile security breaches, companies have faced hundreds of millions of dollars in direct losses, material negative impact to their brand reputation and corresponding erosion to customer loyalty and trust. A rushed or limited cybersecurity vetting process may miss exposures or key indicators of existing or prior breach.
That is why it is critical to understand cybersecurity vulnerabilities, the damage that may occur in the event of a breach, and the effectiveness of the infrastructure that the target business has in place. An appropriate evaluation of these areas could significantly impact the value that the acquirer places on the target company and how the deal is structured. It is therefore imperative to perform a variety of risks and security assessments on the to-be-acquired entity.
SECURITY: What sort of vulnerabilities or challenges should enterprises specifically look for when reviewing cybersecurity in a potential acquisition?
Richards: No organization is immune from cyberattacks, and virtually all have been breached at some point. In this cyber threat landscape, the focus on cybersecurity will continue to intensify in the negotiation phase of M&A transactions for companies of all sizes. Myriad exposures can be often overlooked in a common due diligence exercise. These can include the following:
- Undisclosed or under-reported prior data breaches
- Unknown, unassessed or under-assessed third-party relationships
- Active, yet unidentified malware infiltration of the current enterprise
- Unknown disclosure of intellectual property or trade secrets
- Differing technical capabilities between the organizations which could lead to unexpected integration costs, increased technology training and support costs, and/or technologically “weak” spots in the cybersecurity protection capabilities
SECURITY: How does this impact an enterprise’s liability?
Richards: When a buyer is acquiring a company, they are gaining all of the seller’s data or digital assets such as customer data and business plans. They are also, unless specifically excluded, inheriting third-party relationships with service level expectations, customer privacy covenants and regulatory compliance requirements.
Each of these could carry financial and reputation exposures.
SECURITY: Do these threats extend to supply chain cybersecurity risk management?
Richards: Organizations should look at the supply chain of acquisition targets with the same lens that they should look at themselves. With the rise of cloud computing and strategic outsourced relationships, growing portions of critical business functions are being provided by third-parties. Companies should stress-test their own security and should expect and require their suppliers to do the same – move beyond simple vulnerability scanning and truly pressure test their cybersecurity capabilities with Adversary Simulation (Red Team) as well as invest in emerging security technologies to outmaneuver their attackers.
SECURITY: What steps should companies take to complete due diligence when researching an M&A option?
Richards: As part of M&A due diligence, cybersecurity has been traditionally under emphasized – focusing more on the technical and tactical implementation of connecting the merging organization’s infrastructures and a review of recent security audit reports
There are a few foundational steps that can be taken to better inform business leaders:
- Allow more time to perform cybersecurity activities within the due diligence exercise.
- Perform an independent cybersecurity assessment and penetration test of the target environment to better understand its current capabilities.
- Review the inventory of the cybersecurity products and technologies to understand organizational technology differences and to inform the integration budget process and “Day 1” activities.
- Review the third-party relationship inventory, data sharing agreements and corresponding risk assessments.
- Perform a “Dark Web” style investigation to determine if key assets, intellectual property involved in the acquisition, user information or key credentials are already inadvertently disclosed. Also, use this effort to attempt to identify potential infiltration to the target enterprise (for example, botnets).
- Research breach databases for recent disclosures.
- If applicable, review past breaches with an emphasis on remediation activity progress, as well as reviewing any ongoing obligations to any affected parties.
SECURITY: With whom should a security executive work, internally or externally, to get a better picture of the other company?
Richards: With respect to attempting to assess the financial risk of an acquisition or merger, there are a number of base metrics that have historically been used to help model the potential return on investment (ROI) and overall financial risk. Unfortunately, with regard to technology and cyber risk, there has been no standard framework or approach.
In a recent Accenture research study conducted among 2,000 security executives across 12 industries and 15 countries, 70% of the respondents agreed that "cybersecurity at our organization is a board-level concern and supported by our highest-level executives."
The CEO and corporate board of director members need to better understand this emerging risk area. With proper engagement, CISOs can provide a significant benefit to the overall M&A due diligence process by helping characterize cyber risk within a transaction.