In the first part of this series of posts, “Prepping for Cybersecurity Risks Before a M&A”, we discussed the importance of involving IT and security teams in the early stages of mergers and acquisitions.
In this second part, we look into the cybersecurity risks and the role of asset inventory in the next stage of mergers and acquisitions.
Cybersecurity risks and incidents can materially alter mergers and acquisitions.
This is true even after organizations entered a contract to begin negotiations and continue with a deal.
Spirit Aerosystems, which manufactures aircrafts, was set to acquire Asco, an aerospace component maker, in 2018 for $650 million. But the value of the deal dropped to $420 million in 2019, after Asco’s business was disrupted by a ransomware attack. The proposed deal was ultimately canceled in 2020.
The risks — and the fallout — are real. It’s imperative to involve IT and security professionals in the early stages. An Accenture study found that 92% of CIOs said their cybersecurity due diligence uncovered key risks or resulted in a material impact in their deals.
Mergers and acquisitions: a growing target for cyber criminals
Meanwhile, the threats — and attacks — to mergers and acquisitions are increasing. And they’re happening so much that the FBI issued a warning.
The private industry notification said that ransomware gangs were targeting organizations involved in mergers and acquisitions and other significant financial events. This is what often happened: Before launching an attack, the agency said threat actors researched publicly available information, stock valuations, and material non-public information. If a company didn’t pay a ransom quickly enough, threat actors said they’d publicly disclose this sensitive information.
As for the warning, it comes after several incidents. At least three publicly traded companies are known to be victims of ransomware attacks at the negotiating stage of merger and acquisition activity. And out of these three deals, two were in the midst of private negotiations.
The role of asset management in merger and acquisition activity
One of the key aspects of mergers and acquisitions is inventorying, managing, and security of the assets of each organization.
Ensuring all these assets — workstations, cloud services, devices, and more — are protected is always crucial for IT and security professionals.
It’s even more so during mergers and acquisitions. These are some of the areas where these professionals have to focus on when it comes to asset management:
- Negotiations: Understanding the full scope of the environment being acquired or integrated.
- Due diligence: Having the full context of risks and benefits.
- Closing the deal: Planning a strategy around combining assets.
And asset management — from getting an inventory to understanding risk — is a critical ongoing process throughout the merger and acquisition lifecycle.
These professionals for each organization need to figure out the assets included in the deal. They’re trying to figure out the following asset-related questions:
- How many assets (devices, cloud instances, SaaS apps, and user accounts) are they acquiring or integrating?
- What vulnerabilities are present?
- What are the configuration details?
- Who has access to what?
- What security controls are in place?
- What IT and security tools do they have? Where do they overlap?
The answers to each of these questions will determine what’s going to be the entire cybersecurity attack surface, what’s the overall operational strategy, and what's the best way to move forward.
How this all plays out is critical to one of the most important (and precarious) stages for organizations. Sometimes, the risks involved in mergers and acquisitions are just too much. For 35% of respondents, cybersecurity risks are too great for a deal to continue, according to IBM’s Assessing Cyber Risk in M&A report.
And it’s here where a complete asset inventory is key.
A proactive approach to asset inventory
Conducting asset inventory is one of the most cumbersome tasks for IT and security professionals.
It takes on average 86 person-hours to manually compile an asset inventory. They’re likely doing this task with eight different tools that weren’t built for this. Due to the constant changes in cybersecurity environments, the results are already obsolete by the time the inventory is finished.
Now imagine doing all of this work to understand a foreign environment with quite a bit of differences in their tools, data sets, and infrastructure. And then there’s the unfamiliar users, groups, and identities.
It’s (well, frankly) a lot.
And this is where cybersecurity asset management comes into play.
Cybersecurity asset management platforms track all devices, cloud services, software, and users no matter where they’re located. The top platforms like Axonius do this by leveraging an organization’s existing data. These platforms allow teams to continually conduct up-to-date inventory in real time. They provide IT and security professionals with the capability to automatically discover security gaps, and allow them to customize triggered actions when an asset or user deviates from policies. All of this helps these teams minimize the attack surface.
The best platforms initiate these actions in the background, so these teams can move away from the repetitive, manual tasks with asset inventory to be even more proactive.
