We live in a 21st century economy whose greatest asset is data. Acquiring large amounts of data, from intellectual property to customer preferences, is the opportunity presented by mergers and acquisitions these days. At the same time, data’s importance means that managing cybersecurity risk on deals is now a critical concern for dealmakers. What would the impact have been to your organization had you acquired Colonial Pipeline a few months prior to the devastating ransomware attack that shut down their pipeline? How do we engage in a better process of cybersecurity due diligence on a deal?
My wife and daughters love to bake. It inspired me to think of cybersecurity M&A due diligence as a three-layer chocolate cake. Those three layers are:
(1) Ask the right cybersecurity questions in due diligence;
(2) Your purchase agreement covers the gap; and
(3) Suppress your urge to quickly integrate the seller’s data and network.
The first layer of our cake is asking the right cybersecurity questions. You should consider starting with the following three questions to the seller:
a) Can you show me a schematic of your entire network and how data flows through it?
b) How do cybersecurity issues get reported to the c-suite?
c) Do you have a written information security plan?
The network schematic is important because you want to know what assets are or are not on the seller’s network. You also want to know how data flows through the network, because data can show up in unexpected and vulnerable places like an employee’s home computer. If you learn that cybersecurity issues are reported to the c-suite through IT, you should expect that security takes a back seat to expedient IT. During the pandemic, when companies quickly pivoted to a remote workforce, getting employees working remotely quickly far outweighed installing multi-factor authentication. Lastly, if a company has no written information security plan, you can expect they have not given security much thought. You will also want to interview the c-suite as well as the people in charge of IT. Why? Many times, you will find that what the c-suite thinks about security is very different from what those responsible for the network and the data think. It should not surprise you that many companies are 0 for 3 on these questions. I have also seen instances where companies do acquisitions without understanding that the IT network they bought is from 2003. Unlike fine wine, older networks do not get better with time. Instead, they become more and more vulnerable to cyber-attacks.
The second layer of our cake is the asset purchase agreement. In most instances, when a buyer requests access to the seller’s network during the deal, the answer will not be “No”, it will be “Hell No”. How do you bridge this knowledge gap? Enter the purchase agreement. You may want to consider adding some additional representations and warranties that the seller makes about its cybersecurity hygiene. One is that the network is not older than 3-5 years. Why? I have handled ransomware engagements where the networks were 11-17 years old. It meant that revising encoded passwords or interfacing with such systems was impossible since those networks were simply too old to integrate with modern software. Another representation and warranty is that the seller uses multi-factor authentication for its key employees who access critical systems. Multi-factor authentication to access the network is the number one thing a company can do to enhance its cybersecurity hygiene. If the seller wants to strike these clauses, it opens up the conversation as to why. The other thing you need to consider is that the average time a threat actor is in a network before engaging in their mayhem is around 270 days. That means the period between a deal closing and a data breach can easily be over a year, so the asset purchase agreement should address this lag between closing and when the data breach might occur.
The last layer of the cake, along with the icing, is post-deal integration. This is the last line of your M&A cyber risk management strategy. The key is to resist your urge to immediately integrate the seller’s network and data with your network. As noted, it’s unlikely that you were able to gain access to the network and data during diligence. Now that you own these assets, you can send in your security team to find any unidentified security issues BEFORE you integrate these assets. Consider a hotel company that acquires a top competitor who had an unidentified intrusion into their reservation system. That is bad, but the story gets worse. When the deal closed, the threat actor used the initial intrusion into the acquired company’s network to move across the buyer’s network. How? The two companies’ reservation systems were integrated without the initial intrusion ever being detected. The result was that the merged company had a data breach!
We now live in a digital world that relentlessly pursues efficiency. Managing cybersecurity risk properly usually undermines efficiency. A post-acquisition ransomware attack or data breach can cost a company more than the price it paid for the target company. Many times, it is only in a ransomware event’s aftermath that an organization begins to reassess how it balances efficiency and cyber risk and resolves to do it differently. In the M&A context, you have a much better chance of enjoying dessert and avoiding an upset stomach if you follow the three-layer cake of cybersecurity due diligence.