Companies assessing an acquisition target have innumerable measurements to take. From the proposed acquiree’s financial records, product roadmaps, and operational processes, to sales and marketing activities, legal issues, and people procedures, the list of due diligence activities seems endless. And while most companies consider the business benefits of merging two companies’ data records (e.g., customer lists) and departmental systems (e.g., customer database), fewer think about the quality and security state of the technology assets they’re about to inherit. At a deeper, more fundamental level, most companies aren’t even appropriately equipped with a full technology asset inventory of the environment(s) they might acquire.
Nonetheless, failing to obtain a thorough asset inventory and conduct proper IT and cybersecurity due diligence leaves an acquirer open to all flavors of business and operational risk (aside from the obvious cyber risk). According to a survey on acquisitions by Forescout, “Only 36% of respondents strongly agree that their IT team is given time to review the company’s cybersecurity standards, processes, and protocols before their company acquires another company.” What’s more, the study goes on to say that only 37% of IT decision makers feel their team is equipped to conduct a cybersecurity assessment for the purpose of an acquisition.
Still, as technology is the underpinning of most companies’ operations and the information repositories upon which strategic decisions are made, cyber due diligence is mandatory. Without it, acquirers could miss the insights that put their companies at serious risk — even outside of the cyber realm.
For instance, in 2017 Yahoo! disclosed to then-acquirer Verizon that its internet business had suffered three data breaches resulting in the loss of 3 billion customer account records. The acquisition price was thus decreased by $350 million USD. In April 2020, Diamond Eagle Acquisition Corporation renegotiated terms with SBTech, an online betting company, after it was revealed that the acquisition target had been the victim of a recent ransomware attack. The total cost to SBTech: $30 million USD. There are several additional examples in which acquirers had to deal with the fallout from a breach following an acquisition, resulting in time spent, resources drained, and money lost, all because due diligence wasn’t completed. And even when it is completed, any new technology integration introduces the potential for vulnerabilities and thus heightened risk.
Cybersecurity due diligence can’t be boiled down to an easy checklist of steps, but there are a few things both potential acquirers and acquirees can do to get ready for a merger or acquisition.
For the acquiring company:
- Collect tech information: Cyber due diligence starts with data and information collection. Your company will need to know all technology assets in use in the target company, how the assets are used, by whom, and the security state of the assets and processes by which the assets are accessed. Gather documents about technology and processes, including but not limited to audits and risk assessments.
- Learn the law: Your company will need to understand the technology- and cyber-related legal and compliance requirements of the to-be acquired company. Especially when the target acquisition is in a different geography or different industry, there may be requirements outside your operating area of expertise. Involve outside legal and compliance to ensure you’re not missing any major requirements or red flags.
- Focus on business needs: Identify any business risks introduced as a result of technology integration and then determine your risk tolerance. Risks can be big or small. For instance, redundant systems may need to be migrated or merged, introducing the potential for downtime or the need to train users. In a more consequential case, you may find that the acquisition target has experienced numerous security issues in the past, indicating that the company’s security program is less mature than anticipated or required. That, in turn, could mean additional, yet-uncovered security risks that lead to financial, reputational, and operational loss down the road if not properly managed.
- Size up risk: Technology and cyber risk assessments should be part and parcel of every company’s operating plan (in the best scenarios, they are also part of the strategic plan to mitigate business risk). However, many companies skimp or have to skimp due to lack of resources. Collect all reports from third-party risk/vulnerability assessments and audits, and review the results of automated risk/vulnerability scanning. When possible, get permission to run tests (e.g., pen tests, red teaming, audits) against the company’s systems to identify vulnerabilities and determine which can be remediated, which are within your risk tolerance, and which may be too far out of scope.
- Recommend risk remediation: As an acquiring company, you may have little influence over how the acquiree handles identified vulnerabilities. The best course of action is to recommend remediation (where plausible), review remediation activities, then reassess your situation. That said, a company’s willingness to remediate cyber vulnerabilities demonstrates its attitude toward secure practices and gives you a window into its security culture. It will also give you the “after” picture of the company’s security state on which to base more informed decisions.
For the to-be acquired company, the to-dos should focus on the same items and activities, so as to meet your potential acquirer’s needs or demands:
- Start with due diligence: Present documents and evidence that help the acquiring company understand your asset inventory, risk posture, and IT-related processes.
- Share legal and compliance requirements: Help your prospective parent company understand the regulatory requirements your company/industry must meet.
- Communicate open vulnerabilities and risks: The first key is knowing your company’s open vulnerabilities. Make sure you have the right tools and processes in place to accurately reflect your security state, along with a way to prioritize those vulnerabilities so that not every finding becomes a fire drill or a deal breaker.
- Conduct or present findings from risk assessments: Be open and honest about the tests and reviews of your IT environment. Your company will fare much better during negotiations and the ensuing integration if there aren’t any surprises.
- Remediate risks: When appropriate and possible, find ways to drive down organizational risk through vulnerability management and business alignment. While it won’t be possible to get your risk to “zero,” learn what matters most and focus on aiding those business goals through risk mitigation and threat modeling.