April 2, 2019 Bob Hayes

M&A Cybersecurity

Articles appear almost daily detailing yet another significant merger or acquisition, a trend common across sectors and geographies. Also growing is the number of de-mergers and spin-outs, with new entities being created from a larger parent organisation.

Over the last couple of years, I have supported organisations going through all three of these changes, focusing on the potential impact of the change on the cybersecurity & business resilience of the organisation concerned. The results have consistently been concerning.

The first learning point is that very few mergers are completed in the expected timescale, and the process of fully merging infrastructure can take several years. As an example, one organisation I work with was formed from a merger of 9 organisations but has over 15 legacy HR & Finance systems still active, as some of the 9 original organisations were themselves formed from yet more historical mergers which were never really completed. Trying to coherently map risks or produce an enterprise security plan for this type of environment is incredibly challenging, yet I rarely see such risks documented in an Enterprise Risk Register.

The standard “merger” due-diligence template goes into great detail looking at financial & legal status issues, but rarely seems to consider the potential liability associated with linking into an organisation with a seriously compromised infrastructure. This is doubly surprising if you consider the well-reported fact that, having penetrated an organisation, most attackers reside within the organisation’s network for over 100 days before discovery. There is therefore a very real risk of starting work on merging infrastructure whilst being observed by an interested resident attacker, who will be keenly looking out for an opportunity to vector into the core organisation’s networks.

It isn’t as if this is particularly difficult. There are many vendors (including Occamsec) who understand this space, and several relatively lightweight tools are available to conduct a remote vulnerability assessment (including Occamsec’s excellent Vendor Assessment Tool) as an initial due-diligence exercise, which is likely to show what further investigative & remedial work is necessary (in my experience it always is!).

So why isn’t this being done? In my view it is predominantly because the processes of providing strategic due-diligence (and indeed internal & external audit) during a merger or acquisition simply haven’t kept pace with the level of threat and potential organisation-breaking impact of an ineffective cybersecurity regime.

Most Boards struggle to understand cybersecurity, but in my opinion there is a simple test which any Board Member can apply: ask where cybersecurity & business continuity risk is featured on the Enterprise Risk Register. In my experience, those organisations where cybersecurity risk is visible at Board level do more to monitor and mitigate the risk. Those where the risk is not featured in the ERR live to regret it later.