In the first part of this series of posts, “Prepping for Cybersecurity Risks Before a M&A”, we discussed the importance of involving IT and security teams in the early stages of mergers and acquisitions.
In this second part, we look into the cybersecurity risks and the role of asset inventory in the next stage of mergers and acquisitions.
Cybersecurity risks and incidents can materially alter mergers and acquisitions.
This is true even after organizations have entered a contract to begin negotiations and continue with a deal.
Spirit Aerosystems, which manufactures aircraft, was set to acquire Asco, an aerospace component maker, in 2018 for $650 million. But the value of the deal dropped to $420 million in 2019, after Asco’s business was disrupted by a ransomware attack. The proposed deal was ultimately canceled in 2020.
The risks — and the fallout — are real. It’s imperative to involve IT and security professionals in the early stages. An Accenture study found that 92% of CIOs said their cybersecurity due diligence uncovered key risks or resulted in a material impact in their deals.
Meanwhile, threats to, and attacks on, mergers and acquisitions are increasing. They’re happening so often that the FBI issued a warning.
The private industry notification said that ransomware gangs were targeting organizations involved in mergers and acquisitions and other significant financial events. According to the agency, before launching an attack, threat actors researched publicly available information, stock valuations, and material non-public information. If a company didn’t pay a ransom quickly enough, threat actors said they’d publicly disclose this sensitive information.
The warning came after several incidents. At least three publicly traded companies are known to be victims of ransomware attacks at the negotiating stage of merger and acquisition activity. Of these three deals, two were in the midst of private negotiations.
One of the key aspects of mergers and acquisitions is inventorying, managing, and securing the assets of each organization.
Ensuring all these assets — workstations, cloud services, devices, and more — are protected is always crucial for IT and security professionals.
It’s even more so during mergers and acquisitions. These are some of the areas these professionals have to focus on when it comes to asset management:
And asset management — from getting an inventory to understanding risk — is a critical ongoing process throughout the merger and acquisition lifecycle.
IT and security professionals at each organization need to determine which assets are included in the deal. They’re trying to answer the following asset-related questions:
The answers to these questions will determine the entire cybersecurity attack surface, the overall operational strategy, and the best way to move forward.
How this all plays out is critical to one of the most important (and precarious) stages for organizations. Sometimes, the risks involved in mergers and acquisitions are just too much. For 35% of respondents, cybersecurity risks are too great for a deal to continue, according to IBM’s Assessing Cyber Risk in M&A report.
And it’s here where a complete asset inventory is key.
Conducting asset inventory is one of the most cumbersome tasks for IT and security professionals.
It takes on average 86 person-hours to manually compile an asset inventory, and teams are likely doing this task with eight different tools that weren’t built for it. Due to the constant changes in cybersecurity environments, the results are already obsolete by the time the inventory is finished.
Now imagine doing all of this work to understand a foreign environment with many differences in its tools, data sets, and infrastructure. And then there are the unfamiliar users, groups, and identities.
It’s (well, frankly) a lot.
And this is where cybersecurity asset management comes into play.
Cybersecurity asset management platforms track all devices, cloud services, software, and users no matter where they’re located. The top platforms like Axonius do this by leveraging an organization’s existing data. These platforms allow teams to continually conduct up-to-date inventory in real time. They provide IT and security professionals with the capability to automatically discover security gaps, and allow them to customize triggered actions when an asset or user deviates from policies. All of this helps these teams minimize the attack surface.
The best platforms initiate these actions in the background, so these teams can move away from the repetitive, manual tasks with asset inventory to be even more proactive.
"Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius