Cybersecurity Is Essential for M&A Due Diligence (and Easier than You Think)
1. A Spotlight on Cybersecurity as Part of M&A Due Diligence
Merger and acquisition activity has been accelerating worldwide.1 Unfortunately, so, too, have
cybercrime and “hacktivism” events targeting financial institutions, retailers and manufacturers,
healthcare, technology and media companies, and many others. Organizations of even moderate
size are virtually certain to be targeted by adversaries intent on stealing information or disrupting
business.
The convergence of these trends has put a spotlight on cybersecurity readiness as an issue for
mergers and acquisitions. As one expert puts it:
“The ability to understand the data environment is essential from a risk standpoint, but also
from a valuation standpoint. … Data is a valuable corporate asset, whether it is consumer
data, employee data or a company’s intellectual property. Whether a company has taken
steps to properly protect its data and the ability to understand the data environment is as
important a part of the M&A process as identifying ownership of the entities.”2
Acquiring companies and their advisors are aware of these facts, but are struggling to act on them.
Deloitte found that 68% of firms consider privacy and security concerns to be a “high” or “very
high” priority when considering acquisition targets. However, in a survey conducted by Freshfields
Bruckhaus Deringer, 78% of respondents stated that cybersecurity is not analyzed in depth or
quantified as part of their M&A due diligence process, and 66% said that cyber risks are “very
difficult” to quantify in the time available.3
This white paper reviews why cybersecurity is an essential part of M&A due diligence, and examines
three methods for conducting cybersecurity due diligence. One of these methods, Security Ratings,
makes it surprisingly easy to rate the security performance of potential merger and acquisition
partners.
2. Why Cybersecurity Is Essential for M&A Due Diligence
There are three primary reasons why assessing the cybersecurity capabilities of a potential
acquisition target or merger partner is a critical part of a due diligence effort.
Valuation of the Acquired Company: It is clear from today’s headlines that one strong attack can
have a major impact on the revenue and profitability of any organization. Sales at Target fell 16%
the quarter after it announced a major data breach.4 In one recent survey, 29% of respondents
claimed that DDoS attacks cost their company more than $100,000 per hour (and another 37%
said $10,000-$100,000 per hour).5 Numerous malware attacks have caused significant disruption to
business processes and employee productivity.
1 According to Thomson Reuters, worldwide M&A activity surged 59% in the first nine months of 2014 compared with the same period in 2013, to $2.7 trillion USD. During that period, just more than 28,300 deals were announced. “Mergers & Acquisition Review, First Nine Months 2014,” Thomson Reuters.
2 “Top Ten Key Privacy and Security Due Diligence Requests for Mergers and Acquisitions,” David F. Katz
3 “M&A trends report 2014,” Deloitte; “Cyber Security in M&A,” Freshfields Bruckhaus Deringer, July 2014
4 “After the Big Data Breach, Has Target Learned Its Lesson?” ABCNews.com, June 15, 2014
5 “Annual DDoS Attacks and Impact Report 2014,” Neustar
PAGE 2 © TechTarget 2014
The value of an acquired entity can be significantly reduced if its cybersecurity defenses fail to stop
threats of this magnitude—with significant consequences for executives. As Urs E. Gattiker describes
the issue in Information Systems Control Journal:
“Conducting an audit of IT security and risk management as
part of the due diligence process provides assurance to senior
management that the terms and conditions of the takeover
are fair and realistic. … Being negligent in thoroughly
assessing IT security and risk management before the firm
agrees to a merger with, or takeover by, another firm may
cause active investors to hold management liable for the lack
of due care.”6
Risk Profile of the Acquiring Company: The impact of a
cybersecurity failure by an acquired organization can extend
beyond reducing expected profit contributions to the parent
company. It can lead to embarrassment and image problems (see
sidebar about TripAdvisor and Viator).
There is also potential for an inadequately defended acquisition
to provide an avenue that attackers can use to penetrate the
network of the parent company. Adversaries have become adept
at exploiting weaknesses in business partners and related entities
to reach inside a larger organization to steal protected personal
information, intellectual property and confidential financial
information. To cite just two examples, the Target data breach
was traced back to network credentials stolen from a third-party
vendor. Recently a cybercriminal group called Fin4 targeted
investment banking, legal and compliance service providers to
extract information on M&A activity, product announcements,
and other news that could move the stock prices of healthcare
and pharmaceutical companies.7
In fact, an acquisition or merger can provide ammunition for phishing attacks. In 2013, customers of
Poland’s mBank received SMS messages stating that, because of a recent “brand merger” of several
subsidiaries under the mBank umbrella, they needed to transfer their funds to a new account
(which of course belonged to the attackers).8
6 “Merger and Acquisition: Effective Information Security Depends on Strategic Security Metrics,” Urs E. Gattiker, Information Systems Control Journal, 2007
7 “Target Hackers Broke in Via HVAC Company,” KrebsonSecurity, Feb. 5, 2014; “Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email,” The New York Times, Dec. 1, 2014; TheStreet.com: Sony Breach has Cybersecurity Industry Scrambling for Answers, Dec. 5, 2014
8 “300,000 Compromised Routers Redirecting Traffic to Attacker Sites,” ThreatPost, March 3, 2014. Also mentioned on page 34 of the “2014 Data Breach Information Report,” Verizon
Sidebar: TripAdvisor and Viator

AUGUST 2014
TripAdvisor Finalizes the Acquisition of Viator
NEWTON, Mass., Aug. 11, 2014 /PRNewswire/ -- TripAdvisor®, the world's largest travel site, today announced it has finalized the acquisition of Viator, a leading resource for researching and booking destination activities around the world. … “We’re thrilled to add Viator to the TripAdvisor family and to grow in the attractions and activities space,” said Stephen Kaufer, president and CEO of TripAdvisor, Inc.…

SEPTEMBER 2014
TripAdvisor’s Viator Suffers Payment Card Data Breach, 1.4 Million Affected
Viator, the tour-booking company acquired this summer by TripAdvisor for $200 million, is notifying roughly 1.4 million customers that their payment card data and personal details might have been compromised following a data breach…
(SecurityWeek.com, Sept. 24, 2014)
Cost of Remediation and Integration: Due diligence can also reveal that significant expenditures
are needed to bring an acquired company up to the necessary standards of cybersecurity. These can
include the costs of revising policies and procedures, increasing staffing, upgrading technology and
remediating vulnerabilities identified during the due diligence process.
Improved knowledge can sometimes allow the acquiring company to renegotiate the terms of the
deal, or make adjustments in the integration plan (e.g., delay integration of IT systems until security
issues have been addressed). In extreme cases, the findings could lead to terminating the deal.9
Of course, due diligence can have positive effects as well. Better-than-expected results can give the
acquirer more confidence in the value of the acquisition, and accelerate plans for IT systems to be
integrated after the acquisition or merger is complete.
3. Methods of Cybersecurity Due Diligence
Today’s organizations have three major options for due diligence on cybersecurity: audit
questionnaire, penetration (pen) testing, and Security Ratings. Some of the key characteristics of the
three are shown in Table 1.
9 According to the Freshfields Bruckhaus Deringer “Cyber Security in M&A” survey, 90% of respondents said that finding a cyber incident during due diligence could reduce the value of a deal, and 83% said a deal could be abandoned.
                                 | Audit Questionnaires                                       | Penetration Testing                          | Security Ratings
---------------------------------+------------------------------------------------------------+----------------------------------------------+--------------------------------------------------------------
Purpose                          | Evaluate policies, procedures and cybersecurity awareness  | Test defenses against common attack methods  | Measure and rate security performance in practice, over time
Cost                             | Medium                                                     | High                                         | Low
Intrusiveness                    | Requires staff participation                               | Can disrupt security or business processes   | Nonintrusive
Objectivity                      | Subjective                                                 | Objective                                    | Objective
Updates                          | One-time snapshot                                          | Periodic updates (extra cost)                | Continuous updates
Evaluates suppliers and partners | Possible, but atypical                                     | No                                           | Optional

Figure 1: Characteristics of three due diligence methods for cybersecurity
Audit Questionnaires
Audit questionnaires are designed to gather information from the target company about many
aspects of IT operations, including cybersecurity. A number of standardized questionnaires are
available. Questionnaires typically cover topics such as organizational structure, privacy and security
policies, network architecture, security technologies (firewalls, intrusion prevention systems,
antimalware, virtual private networks), access control and identity management, configuration
management and patching, incident response, compliance, business continuity and disaster
recovery, and many other topics.
Audit questionnaires are extremely important to gain an understanding
of organizations’ policies, infrastructure and security awareness. However,
they also have very clear limitations. They are subjective, and depend on
the willingness and ability of the organization’s IT team—which has an
incentive to paint a rosy picture. They are very time-consuming for both
the staff completing them and auditors evaluating them. Finally, they shed
no insight into the blind spots of the IT security team, and blind spots are
exactly what adversaries exploit.
“It ain’t what you don’t know that gets you into trouble. It’s what you know for sure that just ain’t so.”
Mark Twain
Penetration Testing
Penetration (or pen) testing addresses a number of the weaknesses of questionnaire-based
information gathering. Security experts test the organization’s defenses by simulating the actions of
attackers. This method is objective, and can be very valuable for exposing “what you know that just
ain’t so.”
Penetration testing beyond a cursory level can be expensive, however. The more comprehensive
the testing, the more expensive it gets. Tests provide only point-in-time snapshots (unless they are
repeated, at extra cost). Although there are ways to limit the impact, penetration testing can be
intrusive and interfere with business processes and normal security procedures.
Finally, penetration testing is backwards-looking. Penetration testers typically use well-known tools
and methods to find common vulnerabilities. They rarely use the cutting-edge tools and methods
employed by the most innovative cybercriminals and hackers.
Security Ratings
Security Ratings are a relatively new method of benchmarking information security performance,
pioneered by BitSight Technologies. Sensors are placed throughout the Internet to collect security
data. BitSight uses this data to rate companies on risk vectors that fall into two categories:
• Event ratings, which are based on observed compromises of a company’s network in areas
such as botnet infections, spam propagation, servers within the organization that are
observed engaging in malicious activity, and devices attempting to communicate with
servers that are not hosting any legitimate services.
• “Diligence” ratings, which reflect steps a company takes to prevent attacks, such as the
proper configuration of Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates
and of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, as
well as publicly disclosed data breach events.
The metrics in each area can include the number of issues observed, the severity of each one, and
the time before the issue or vulnerability is resolved.
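As an added illustration (not part of the white paper and not BitSight's own method), the kind of non-intrusive "diligence" check described above, applied to a domain's SPF record under the RFC 7208 rules; the TXT record sets are constructed samples, not real domains, and a real run would fetch them from DNS first.

```python
# Offline SPF posture check on a domain's TXT records (RFC 7208 rules).
RFC7208_LOOKUP_LIMIT = 10   # max DNS-querying terms allowed per SPF evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_term(term):
    """Split an SPF term into (qualifier, name, argument), e.g. '-include:x' -> ('-', 'include', 'x')."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    name, _, arg = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
    return qualifier, name.split("/", 1)[0].lower(), arg


def check_spf(txt_records):
    """Return a list of findings for one domain's SPF setup (empty list means no issues)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send as this domain"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = [parse_term(t) for t in spf[0].split()[1:]]
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > RFC7208_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {RFC7208_LOOKUP_LIMIT}")
    if any(name == "ptr" for _, name, _ in terms):
        findings.append("ptr mechanism is deprecated and should not be used")
    final = next(((q, n) for q, n, _ in terms if n == "all"), None)
    if final is None:
        if not any(n == "redirect" for _, n, _ in terms):
            findings.append("no 'all' term: unlisted senders get a neutral result")
    elif final[0] == "+":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif final[0] == "?":
        findings.append("'?all' is neutral: SPF offers no protection")
    elif final[0] == "~":
        findings.append("'~all' softfail: move to '-all' once every sender is listed")
    return findings


# Constructed sample TXT record sets (not real domains).
GOOD = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all", "site-verification=abc123"]
WEAK = ["v=spf1 a mx ptr include:a.example include:b.example ?all"]
BROKEN = ["v=spf1 include:x.example ~all", "v=spf1 +all"]
```

The lookup count here tallies querying terms in the top-level record only; a full evaluation would also follow each include and redirect.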
In BitSight Security Ratings reports, ratings in each area are summarized in a grade, and a
company-wide assessment is summarized in a single security rating number that falls on a scale of
250-900, similar to the familiar credit ratings. BitSight Security Ratings range from 250-639 for
“Basic,” 640-739 for “Intermediate,” and 740-900 for “Advanced” performance.
Security Ratings have a number of advantages:
• They are fact-based and objective.
• A single service covers a full range of information, including historical trends.
• The ratings process is nonintrusive, requiring no involvement from the monitored company,
and causing no disruption to business or security processes.
• The ratings capture key issues that are valid for newly developed threats; there are no blind
spots or dependencies on staff members keeping their knowledge current.
4. Additional Considerations
Security Ratings address two of the concerns described in the Freshfields Bruckhaus Deringer survey
mentioned earlier: analyzing cybersecurity in depth and quantifying the results, and doing so in the
limited time available.
Security Ratings are often used to guide and improve IT due diligence. They point to areas where
in-depth analysis is needed. They help auditors hold productive discussions with the IT group based
on facts rather than opinions. If the ratings are high, acquiring companies can have confidence that
only a standard level of audit questionnaires and pen testing are required—if needed at all—and
dispense with some expensive measures.
Because they are nonintrusive and use publicly available information, Security Ratings can assess the
major suppliers and business partners of an acquisition candidate. This gives the acquiring company
a chance to assess the security of the entire supply chain.
Finally, Security Ratings can provide guidance on where to focus improvement efforts after the
acquisition or merger is complete. For example, if data shows an above-average number of botnet
infections, then the company might want to invest in a secure Web gateway or another technology
that addresses that problem. If many of the TLS/SSL certificates are misconfigured or have short
key lengths, then the organization may need to enhance its TLS/SSL infrastructure. If ratings show
that the number of security events is below average for the industry yet the duration of each one
is longer than the industry average, this may indicate that the organization is successful in blocking
threats, but not in discovering those that have gained a foothold. That organization should invest
in building its incident response capabilities in order to protect its information assets and those of
the acquiring company.
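To show how the "short key lengths" finding above can be measured from public data, an added example (not from the white paper or BitSight) that walks a DER SubjectPublicKeyInfo, the same structure carried inside an X.509 certificate and in a DKIM p= record, to read the RSA modulus size. The sample selector records are constructed around dummy moduli, not real keys, and the 2048-bit floor is an assumed policy value.

```python
import base64

def der_tlv(buf, pos, want):
    """Read one DER TLV at pos, check its tag, and return (value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected DER tag 0x{want:02x}, got 0x{tag:02x}")
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo (X.509 SPKI or DKIM p=)."""
    p, _ = der_tlv(spki, 0, 0x30)           # SubjectPublicKeyInfo SEQUENCE
    _, algo_end = der_tlv(spki, p, 0x30)    # AlgorithmIdentifier (rsaEncryption), skipped
    p, _ = der_tlv(spki, algo_end, 0x03)    # BIT STRING wrapping RSAPublicKey
    p, _ = der_tlv(spki, p + 1, 0x30)       # +1 skips the unused-bits byte of the BIT STRING
    p, end = der_tlv(spki, p, 0x02)         # INTEGER modulus n (first of n, e)
    return int.from_bytes(spki[p:end], "big").bit_length()

def der(tag, body):
    """Minimal DER encoder (tag, length, body); only used to build the constructed sample."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

RSA_ALG_ID = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption OID + NULL
def fake_rsa_spki(bits):
    """Structurally valid SPKI around a dummy modulus of the given size (NOT a usable key)."""
    modulus = (1 << (bits - 1)) | 1                          # top bit set so bit_length() == bits
    n_bytes = b"\x00" + modulus.to_bytes(bits // 8, "big")   # leading 0x00 keeps the INTEGER positive
    rsa_key = der(0x30, der(0x02, n_bytes) + der(0x02, b"\x01\x00\x01"))  # n, e = 65537
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_key))

def check_dkim(record, min_bits=2048):
    """Assess one DKIM selector TXT record; returns (modulus_bits or None, findings)."""
    tags = dict(f.strip().split("=", 1) for f in record.split(";") if "=" in f)
    if tags.get("k", "rsa") != "rsa":
        return None, ["non-RSA key: length check not applicable"]
    if not tags.get("p"):
        return None, ["empty p= tag: selector has been revoked"]
    bits = rsa_modulus_bits(base64.b64decode(tags["p"].replace(" ", "")))
    return bits, [f"{bits}-bit RSA key is below {min_bits} bits"] if bits < min_bits else []

# Constructed sample selector records (not real domains or keys).
WEAK_SELECTOR = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode()
STRONG_SELECTOR = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode()
```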
For more information on how to improve cybersecurity due diligence for M&A, please visit http://info.bitsighttech.com/mergers-and-acquisitions