C-suite executives must be aware of all M&A risks to lead the business on a safe path. Plenty has been written on due diligence disasters in general1 and there are whole books and even classes on this subject at most major business schools. Less well known by senior executives are the specific issues associated with doing proper due diligence with IT and cybersecurity. What IT security questions should accompany the M&A due diligence process to reduce the risk?
Poor network security can expose the company to significant liabilities months and even years after an M&A event. The need for this came to light with the acquisition of Yahoo! by Verizon2. In that case public disclosure of breaches during the merger talks resulted in Verizon lowering their offer by $350 million. However, post-acquisition data came to light showing that the breaches were far larger than initially estimated.
In addition, not truly knowing the health and security of an organization’s IT infrastructure can mean unforeseen barriers to the organizations combining effectively or the need to reallocate valuable resources away from accomplishing business priorities.
The bottom line is that lack of due diligence can be very expensive and could even bring down a firm. Asking the right questions during the due diligence process can help you identify potential problems and avoid liabilities. This approach and many of the questions can also be used post-acquisition during periodic internal business security reviews.
Excellent IT security is built on a good foundation. The cornerstones of this foundation consist of people, policies, process and technology. Comprehensive due diligence will cover all four areas:
- People – ensuring the right people with the right training are in the right positions
- Policies – confirming the policies in place align IT security with the business and its goals
- Process – checking that corporate procedures streamline operations with predictable outcomes and enforce the policies
- Technology – confirming the organization is using technology correctly and has the right tools in place
People are the most critical cornerstone. How well the staff has been trained and motivated, how aware of current trends they are, and how collaborative they are can be key indicators to the overall health and stability of the IT infrastructure, and of the organization. Areas to assess include:
- Knowledge and Trends. Are the staff appropriately trained and motivated? Is the staff aware of new security trends and technologies, and do they have plans to adopt it?
- Impact of Technology on Business. Does the staff understand how recent trends affect their business? In particular, do they know where a new trend is not applicable, as well as where it is a valuable addition?
- Transparency and Collaboration. Does the security staff work well with the rest of the organization, or are they secretive and combative? Do the security and risk teams work together? The security staff of superior organizations will have a collaborative attitude that enlists the whole IT organization’s aid. Cliques, combative staffs and lack of cooperation are indications of both leadership issues and wider organizational problems.
- Organizational Readiness. Is the entire organization’s staff trained to be aware of security attacks? Can they recognize and avoid spear phishing attempts and links to malware? The entire staff must be educated to avoid common social engineering attacks in order to provide an effective barrier to malware.
Having a thorough understanding of the talent and skill level of the current team, their ability to plan and execute, and the health of their relationships within the organization will help you gauge the health of the organization and whether the IT team can sustain the pressures of an acquisition and support the business priorities post-acquisition.
Network security policies must align with the business. For example, regulatory compliance will differ significantly for a manufacturing business than for a legal firm or a healthcare provider. Confirming the right policies are in place and that they align IT security with the business and its goals is critical during due diligence. Not having the right policies in place can be an indication of a lack of skill or understanding, as well as an opening for a security risk. Things to explore include:
- Work from Home Implications. The migration to home-based workers and SaaS/IaaS applications has changed where applications are deployed and consumed. Have the security policies been updated to account for this change? Security designs must adapt to changes in the application delivery model.
- Backup and Disaster Plans. Examining backup policies and disaster response/recovery plans can provide valuable perspectives on whether an organization’s policies align with its business. You should understand what kind of data is critical to the company and what mechanisms protect it from data theft and ransomware. You should verify that business recovery plans are written and tested in simulated disasters of various types.
- Regulatory Compliance. Policies must also address regulatory compliance requirements and laws across industry, international, federal, and state entities. Is the IT team up to date with recent changes, such as the US Treasury Office of Foreign Access Control advisory3 that may make ransomware payments illegal?
Understanding how well your possible acquisition has defined policies and formally prepared for disasters is an important indicator of the stability of the organization and its true value.
Processes allow the organization to respond to events with predictable results in a timely fashion. These processes also are the mechanism to enforce policies. Good policies become less valuable if processes aren’t present to administer these policies. Processes to assess during due diligence include:
- Incident Response. Does the organization have an incident response plan? Ensure that it is well documented, approved by a trusted security analysis firm, and thoroughly tested. It should handle the full spectrum of events, all the way up to an all-out ransomware attack that compromises the business.
- Documentation and Analysis. Are security events recorded and archived for later analysis, should that be necessary? Can data theft be documented with the controls and records in place?
- Specialist Support. Is there a trusted network security partner in place who helps the organization maintain a suitable network security system and help it through a crisis? Having a partner who already understands the organization’s network security systems will enable a prompt response to any events and is an indication of an organization’s commitment to security.
During due diligence, you’ll want to ascertain if there are holes in an organization’s network security systems that create unforeseen liabilities. The network security technology space is quite large and complex and it can be challenging to verify that an organization’s network security tools cover all the required functions. Fortunately, the Cyber Defense Matrix4 aids in verifying full coverage. The objective is to make sure the organization has tools that detect and thwart attacks before they hurt the business, and that the tools are being used effectively. Areas of focus include:
- Theft & Ransomware Prevention. Is the organization’s data protected from theft and ransomware and is the protection appropriate for how the business functions? Have the anti-theft mechanisms been tested? Just because ransomware hasn’t affected vital databases doesn’t mean that it isn’t possible.
- Data Backup. In addition to having prevention systems in place, verify that a well-designed, tested, data backup system is in place. A trusted network security advisor may be needed to evaluate the data protection systems.
- Security Monitoring. It’s important to evaluate the network security monitoring, testing, and training systems. This includes external monitoring that examines the organization’s presence on the internet to detect common vulnerabilities. Training should be in place to help all employees recognize and avoid attempts to compromise the organization from within. The ultimate question is whether a penetration test has verified the organization’s ability to protect against, detect, and respond to attacks.
Having the right technology in place is important to ensure the asset you’re buying is worth as much as you think it is.
Know What You’re Buying
In today’s world, companies are only as stable as their IT infrastructure and as strong as their security. Without a clear understanding of the current state of the target company’s IT systems, you run the risk of overpaying, not being able to combine organizations effectively, or being delayed on business objectives while IT is shored up.
1 – An older summary of Due Diligence Disasters.
2 – A NY Times article on the Verizon Purchase of Yahoo! indicating disclosures after the acquisition.
3 – OFAC’s new Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.
4 – The Cyber Defense Matrix concept is described in more detail.