Cybersecurity Is Essential for M&A Due Diligence (and Easier than You Think)

Source: docs.media.bitpipe.com/io_12x/io_120202/item...

1. A Spotlight on Cybersecurity as Part of M&A Due Diligence

Merger and acquisition activity has been accelerating worldwide.[1] Unfortunately, so, too, have cybercrime and “hacktivism” events targeting financial institutions, retailers and manufacturers, healthcare, technology and media companies, and many others. Organizations of even moderate size are virtually certain to be targeted by adversaries intent on stealing information or disrupting business.

The convergence of these trends has put a spotlight on cybersecurity readiness as an issue for mergers and acquisitions. As one expert puts it:

“The ability to understand the data environment is essential from a risk standpoint, but also from a valuation standpoint. … Data is a valuable corporate asset, whether it is consumer data, employee data or a company’s intellectual property. Whether a company has taken steps to properly protect its data and the ability to understand the data environment is as important a part of the M&A process as identifying ownership of the entities.”[2]

Acquiring companies and their advisors are aware of these facts, but are struggling to act on them. Deloitte found that 68% of firms consider privacy and security concerns to be a “high” or “very high” priority when considering acquisition targets. However, in a survey conducted by Freshfields Bruckhaus Deringer, 78% of respondents stated that cybersecurity is not analyzed in depth or quantified as part of their M&A due diligence process, and 66% said that cyber risks are “very difficult” to quantify in the time available.[3]

This white paper reviews why cybersecurity is an essential part of M&A due diligence, and examines three methods for conducting cybersecurity due diligence. One of these methods, Security Ratings, makes it surprisingly easy to rate the security performance of potential merger and acquisition partners.

2. Why Cybersecurity Is Essential for M&A Due Diligence

There are three primary reasons why assessing the cybersecurity capabilities of a potential acquisition target or merger partner is a critical part of a due diligence effort.

Valuation of the Acquired Company: It is clear from today’s headlines that one strong attack can have a major impact on the revenue and profitability of any organization. Sales at Target fell 16% the quarter after it announced a major data breach.[4] In one recent survey, 29% of respondents claimed that DDoS attacks cost their company more than $100,000 per hour (and another 37% said $10,000-$100,000 per hour).[5] Numerous malware attacks have caused significant disruption to business processes and employee productivity.

[1] According to Thomson Reuters, worldwide M&A activity surged 59% in the first nine months of 2014 compared with the same period in 2013, to $2.7 trillion USD. During that period, just more than 28,300 deals were announced. “Mergers & Acquisition Review, First Nine Months 2014,” Thomson Reuters.

[2] “Top Ten Key Privacy and Security Due Diligence Requests for Mergers and Acquisitions,” David F. Katz.

[3] “M&A trends report 2014,” Deloitte; “Cyber Security in M&A,” Freshfields Bruckhaus Deringer, July 2014.

[4] “After the Big Data Breach, Has Target Learned Its Lesson?” ABCNews.com, June 15, 2014.

[5] “Annual DDoS Attacks and Impact Report 2014,” Neustar.

PAGE 2 © TechTarget 2014


The value of an acquired entity can be significantly reduced if its cybersecurity defenses fail to stop threats of this magnitude—with significant consequences for executives. As Urs E. Gattiker describes the issue in Information Systems Control Journal:

“Conducting an audit of IT security and risk management as part of the due diligence process provides assurance to senior management that the terms and conditions of the takeover are fair and realistic. … Being negligent in thoroughly assessing IT security and risk management before the firm agrees to a merger with, or takeover by, another firm may cause active investors to hold management liable for the lack of due care.”[6]

Risk Profile of the Acquiring Company: The impact of a cybersecurity failure by an acquired organization can extend beyond reducing expected profit contributions to the parent company. It can lead to embarrassment and image problems (see sidebar about TripAdvisor and Viator).

There is also potential for an inadequately defended acquisition to provide an avenue that attackers can use to penetrate the network of the parent company. Adversaries have become adept at exploiting weaknesses in business partners and related entities to reach inside a larger organization to steal protected personal information, intellectual property and confidential financial information. To cite just two examples, the Target data breach was traced back to network credentials stolen from a third-party vendor. Recently a cybercriminal group called Fin4 targeted investment banking, legal and compliance service providers to extract information on M&A activity, product announcements, and other news that could move the stock prices of healthcare and pharmaceutical companies.[7]

In fact, an acquisition or merger can provide ammunition for phishing attacks. In 2013, customers of Poland’s mBank received SMS messages stating that, because of a recent “brand merger” of several subsidiaries under the mBank umbrella, they needed to transfer their funds to a new account (which of course belonged to the attackers).[8]

[6] “Merger and Acquisition: Effective Information Security Depends on Strategic Security Metrics,” Urs E. Gattiker, Information Systems Control Journal, 2007.

[7] “Target Hackers Broke in Via HVAC Company,” KrebsOnSecurity, Feb. 5, 2014; “Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email,” The New York Times, Dec. 1, 2014; “Sony Breach Has Cybersecurity Industry Scrambling for Answers,” TheStreet.com, Dec. 5, 2014.

[8] “300,000 Compromised Routers Redirecting Traffic to Attacker Sites,” ThreatPost, March 3, 2014. Also mentioned on page 34 of the “2014 Data Breach Information Report,” Verizon.


Sidebar: TripAdvisor and Viator

AUGUST 2014: TripAdvisor Finalizes the Acquisition of Viator

NEWTON, Mass., Aug. 11, 2014 /PRNewswire/ -- TripAdvisor®, the world's largest travel site, today announced it has finalized the acquisition of Viator, a leading resource for researching and booking destination activities around the world. … “We’re thrilled to add Viator to the TripAdvisor family and to grow in the attractions and activities space,” said Stephen Kaufer, president and CEO of TripAdvisor, Inc.…

SEPTEMBER 2014: TripAdvisor’s Viator Suffers Payment Card Data Breach, 1.4 Million Affected

Viator, the tour-booking company acquired this summer by TripAdvisor for $200 million, is notifying roughly 1.4 million customers that their payment card data and personal details might have been compromised following a data breach… (SecurityWeek.com, Sept. 24, 2014)


Cost of Remediation and Integration: Due diligence can also reveal that significant expenditures are needed to bring an acquired company up to the necessary standards of cybersecurity. These can include the costs of revising policies and procedures, increasing staffing, upgrading technology and remediating vulnerabilities identified during the due diligence process.

Improved knowledge can sometimes allow the acquiring company to renegotiate the terms of the deal, or make adjustments in the integration plan (e.g., delay integration of IT systems until security issues have been addressed). In extreme cases, the findings could lead to terminating the deal.[9]

Of course, due diligence can have positive effects as well. Better-than-expected results can give the acquirer more confidence in the value of the acquisition, and accelerate plans for IT systems to be integrated after the acquisition or merger is complete.

3. Methods of Cybersecurity Due Diligence

Today’s organizations have three major options for due diligence on cybersecurity: audit questionnaire, penetration (pen) testing, and Security Ratings. Some of the key characteristics of the three are shown in Table 1.

[9] According to the Freshfields Bruckhaus Deringer “Cyber Security in M&A” survey, 90% of respondents said that finding a cyber incident during due diligence could reduce the value of a deal, and 83% said a deal could be abandoned.

| | Audit Questionnaires | Penetration Testing | Security Ratings |
|---|---|---|---|
| Purpose | Evaluate policies, procedures and cybersecurity awareness | Test defenses against common attack methods | Measure and rate security performance in practice, over time |
| Cost | Medium | High | Low |
| Intrusiveness | Requires staff participation | Can disrupt security or business processes | Nonintrusive |
| Objectivity | Subjective | Objective | Objective |
| Updates | One-time snapshot | Periodic updates (extra cost) | Continuous updates |
| Evaluates suppliers and partners | Possible, but atypical | No | Optional |

Figure 1: Characteristics of three due diligence methods for cybersecurity


Audit Questionnaires

Audit questionnaires are designed to gather information from the target company about many aspects of IT operations, including cybersecurity. A number of standardized questionnaires are available. Questionnaires typically cover topics such as organizational structure, privacy and security policies, network architecture, security technologies (firewalls, intrusion prevention systems, antimalware, virtual private networks), access control and identity management, configuration management and patching, incident response, compliance, business continuity and disaster recovery, and many other topics.

Audit questionnaires are extremely important to gain an understanding of organizations’ policies, infrastructure and security awareness. However, they also have very clear limitations. They are subjective, and depend on the willingness and ability of the organization’s IT team—which has an incentive to paint a rosy picture. They are very time-consuming for both the staff completing them and auditors evaluating them. Finally, they shed no insight into the blind spots of the IT security team, and blind spots are exactly what adversaries exploit.


“It ain’t what you don't know that gets you into trouble. It’s what you know for sure that just ain’t so.”

Mark Twain


Penetration Testing

Penetration (or pen) testing addresses a number of the weaknesses of questionnaire-based information gathering. Security experts test the organization’s defenses by simulating the actions of attackers. This method is objective, and can be very valuable for exposing “what you know that just ain’t so.”

Penetration testing beyond a cursory level can be expensive, however. The more comprehensive the testing, the more expensive it gets. Tests provide only point-in-time snapshots (unless they are repeated, at extra cost). Although there are ways to limit the impact, penetration testing can be intrusive and interfere with business processes and normal security procedures.

Finally, penetration testing is backwards-looking. Penetration testers typically use well-known tools and methods to find common vulnerabilities. They rarely use the cutting-edge tools and methods employed by the most innovative cybercriminals and hackers.

Security Ratings

Security Ratings are a relatively new method of benchmarking information security performance, pioneered by BitSight Technologies. Sensors are placed throughout the Internet to collect security data. BitSight uses this data to rate companies on risk vectors that fall into two categories:

• Event ratings, which are based on observed compromises of a company’s network in areas such as botnet infections, spam propagation, servers within the organization that are observed engaging in malicious activity, and devices attempting to communicate with servers that are not hosting any legitimate services.

• “Diligence” ratings, which reflect steps a company takes to prevent attacks, such as the proper configuration of Transport Layer Security/Secure Sockets Layer (TLS/SSL) certificates and of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records, as well as publicly disclosed data breach events.

The metrics in each area can include the number of issues observed, the severity of each one, and the time before the issue or vulnerability is resolved.

In BitSight Security Ratings reports, ratings in each area are summarized in a grade, and a company-wide assessment is summarized in a single security rating number that falls on a scale of 250-900, similar to the familiar credit ratings. BitSight Security Ratings range from 250-639 for “Basic,” 640-739 for “Intermediate,” and 740-900 for “Advanced” performance.

Security Ratings have a number of advantages:

• They are fact-based and objective.

• A single service covers a full range of information, including historical trends.


• The ratings process is nonintrusive, requiring no involvement from the monitored company, and causing no disruption to business or security processes.

• The ratings capture key issues that are valid for newly developed threats; there are no blind spots or dependencies on staff members keeping their knowledge current.

4. Additional Considerations

Security Ratings address two of the concerns described in the Freshfields Bruckhaus Deringer survey mentioned earlier: analyzing cybersecurity in depth and quantifying the results, and doing so in the limited time available.

Security Ratings are often used to guide and improve IT due diligence. They point to areas where in-depth analysis is needed. They help auditors hold productive discussions with the IT group based on facts rather than opinions. If the ratings are high, acquiring companies can have confidence that only a standard level of audit questionnaires and pen testing is required—if needed at all—and dispense with some expensive measures.

Because they are nonintrusive and use publicly available information, Security Ratings can assess the major suppliers and business partners of an acquisition candidate. This gives the acquiring company a chance to assess the security of the entire supply chain.

Finally, Security Ratings can provide guidance on where to focus improvement efforts after the acquisition or merger is complete. For example, if data shows an above-average number of botnet infections, then the company might want to invest in a secure Web gateway or another technology that addresses that problem. If many of the TLS/SSL certificates are misconfigured or have short key lengths, then the organization may need to enhance its TLS/SSL infrastructure. If ratings show that the number of security events is below average for the industry yet the duration of each one is longer than the industry average, this may indicate that the organization is successful in blocking threats, but not in discovering those that have gained a foothold. That organization should invest in building its incident response capabilities in order to protect its information assets and those of the acquiring company.
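As an added illustration (not code from the white paper or from BitSight), the following Python sketch applies the reasoning above to event observations: per risk vector it computes the three metrics the paper names (count, severity, time to resolve) and compares count and duration against an industry baseline, flagging a below-average count combined with above-average duration as a detection gap. The vector labels, the 1-5 severity scale, the sample events and the baseline values are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

@dataclass
class Event:
    vector: str        # risk vector label, e.g. "botnet" or "spam" (assumed labels)
    severity: int      # 1 (low) .. 5 (critical), an assumed scale
    first_seen: date
    resolved: "date | None"  # None: still open on the report date

def vector_metrics(events, as_of):
    """Per vector: count, mean severity, mean days to resolve (open issues run to as_of)."""
    out = {}
    for vec in sorted({e.vector for e in events}):
        evs = [e for e in events if e.vector == vec]
        out[vec] = {
            "count": len(evs),
            "severity": mean(e.severity for e in evs),
            "duration_days": mean(((e.resolved or as_of) - e.first_seen).days for e in evs),
        }
    return out

def diagnose(metrics, industry):
    """Compare each vector with its industry baseline and say where to focus improvement."""
    findings = {}
    for vec in sorted(metrics.keys() & industry.keys()):  # only vectors with peer data
        m, base = metrics[vec], industry[vec]
        if m["count"] < base["count"] and m["duration_days"] > base["duration_days"]:
            # Fewer events than peers but slower to resolve: blocking works, discovery does not
            findings[vec] = "detection gap: build incident response capability"
        elif m["count"] > base["count"]:
            findings[vec] = "above-average volume: strengthen preventive controls"
        else:
            findings[vec] = "at or better than industry baseline"
    return findings

# Constructed observations for a hypothetical acquisition target (not real data).
AS_OF = date(2014, 9, 30)
SAMPLE = [
    Event("botnet", 3, date(2014, 8, 1), date(2014, 9, 15)),
    Event("botnet", 4, date(2014, 8, 20), None),
    Event("spam", 2, date(2014, 9, 1), date(2014, 9, 3)),
    Event("spam", 1, date(2014, 9, 10), date(2014, 9, 12)),
    Event("spam", 2, date(2014, 9, 5), date(2014, 9, 6)),
]
# Constructed industry baseline for the same window (assumed values).
INDUSTRY = {"botnet": {"count": 4, "duration_days": 10.0}, "spam": {"count": 2, "duration_days": 3.0}}
```

Running `diagnose(vector_metrics(SAMPLE, AS_OF), INDUSTRY)` on the constructed data flags the botnet vector as a detection gap and the spam vector as above-average volume.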

For more information on how to improve cybersecurity due diligence for M&A, please visit http://info.bitsighttech.com/mergers-and-acquisitions
