Considering a company’s cybersecurity posture should be part
of M&A due diligence, but often it isn’t. Doug Olenick explains
why that must change.
Most home buyers wouldn’t think of paying top dollar for a house, no matter how beautifully designed without considering whether it sits in a crime-ridden neighborhood. Yet, venture capitalists and corporate boards, with all their talk of reducing risk and conducting due-diligence, and spending far bigger bucks than the average homeowner, often fail to factor in cybersecurity when vetting a potential acquisition.
To understand the magnitude of that folly, look no further than Verizon and Marriott. After buying Starwood Hotels, the hotel chain discovered cybercriminals camping out in the company’s reservation system, leading to the compromise of 500 million customer records. Verizon found out about Yahoo’s poor cybersecurity posture in the middle of the merger and acquisition process when the email platform disclosed not one but two data breaches that had taken place years before and are among the largest on record. Verizon ended up lopping $350 million off the Yahoo price tag. Note that neither Marriott nor Verizon uncovered the cybersecurity failings of the acquisition target during due diligence. Both were blindsided by their acquisitions’ cyber shortcomings. That must change.
“Mergers and acquisitions are an exercise in valuation – determining the assets, liabilities, and future cash flows,” says Ken Liao, vice president of cybersecurity strategy at Abnormal Security. “Understanding the cybersecurity state of the target organization is essential to understanding potential liabilities and, ultimately, its potential impact to cash flows.”
Half-hearted or shoddy due diligence can lead to both major embarrassment and financial loss. That’s a tried and true tenet of business. And while a targeted acquisition or a company seeking investment might not welcome a regiment of accountants, its management team and board would certainly expect them to take a look at the books.
Not so with cybersecurity. Even after the hard lessons of Marriott and Verizon, some venture capital firms still ignore cybersecurity – and the risk it might bring. Colin Bastable, CEO of Lucy Security, says neither he nor his colleagues in the business have ever been asked about his firm’s cybersecurity status by a VC; most likely because he is already in the IT Security space and the VCs likely take it for granted that the company is locked down.
“However, buying a non-IT security business, for example, would focus on IT-based security [topics] if they were at all interested,” says Bastable. “They would talk to the CISO/CIO/CTO, and get a tech answer focused on the three percent of the risk [that they handle]. As we know, 97 percent of successful attacks involve social engineering.”
The oversight, Bastable notes, largely comes from venture capitalists’ laser focus on their desired end results.
“PE firms would be planning to fire the C Suite and half of the staff anyway, and VCs/PE firms are interested in business models, outcomes, dilution, options and exits, not cybersecurity,” he says.
However, Liao says that doesn’t happen when the companies involved understand the risks.
“Having recently gone through an acquisition as the CEO of RiskRecon, I can tell you that companies and their attorneys are taking cybersecurity very seriously,” he says.
In RiskRecon’s case, the acquisition team included cybersecurity experts “who analyzed the company’s information security processes, source code and the status of all system, infrastructure and application vulnerabilities our security processes reported during the last 24 months,” he says. “Then they made certain that all issues of any significance were addressed prior to closing.”
Those interested in ensuring a future investment will not end up costing them money after a deal closes should follow cybersecurity due diligence standards that in some ways mirror those on the financial side of the transaction.
Basic financial due diligence generally covers confirming and verifying information that was brought up during the deal or investment process, identifying potential defects in the deal or investment opportunity and will thus avoid a bad business transaction, obtaining information that would be useful in valuing the deal and making sure that the deal or investment opportunity complies with the investment or deal criteria.
On the cyber side, acquisition teams must look at the target’s cybersecurity program overall, conduct a third-party risk management assessment, investigate security controls for protection and detection, check security privacy controls in products and services and make certain the company’s data privacy program is up to snuff, according to PwC.
With even basic lists to follow, questions remain about how much due diligence is enough, how much is not enough and how much is overkill. Luckily, tools have emerged to help out.
“In regards to Verizon and Yahoo and Marriott and Starwood, I would doubt that there was *no* cybersecurity due diligence. Rather, there may not have been enough,” says Sounil Yu, CISO-in-Residence at YL Ventures, which funds and supports cybersecurity ventures. As for what constitutes “enough,” Yu says, “I worked with the World Economic Forum last year to develop a Cybersecurity Due Diligence Framework. It’s a start to defining what may be enough.”
The one overriding factor that surfaces time and again, ironically, is time. Buyers and sellers normally set a finite time for conducting due diligence – and requesting additional time can have a direct impact on whether the deal goes through or even if the best deal is struck.
Yu uses an example of a home sale on how a time limit impacts both sides of a deal.
“Let’s suppose you’re selling your house. You have two offers. Buyer A is asking for $500,000 with no contingencies and no inspections, with a deadline of seven days,” he explains. “Buyer B is asking for $550,000 with contingencies on a home inspection, which will take longer than 7 days.”
Taking either offer has benefits and risks for both sides. Deal A is a sure thing for each side, but the buyer is taking on unknown risks and the seller is leaving money on the table. If the seller opts for more money and agrees to the seven day or more due diligence period the first deal is gone, but at the same time the buyer now must complete its investigation in a timely fashion possibly missing something.
There are also some standard steps included in most agreements, basically insurance, that give the buyer some recourse in case that the company just acquired does have some faults that were not picked up during the dur diligence period.
Ralph A. Rodriguez, a member of the board of directors at Strategic Cyber Ventures, a Washington D.C.-based venture capital firm which invests in cybersecurity companies, says such a clause was in place when he sold his firm to Facebook.
“When I sold the company, I co-founded [Confirm.io] to Facebook in 2018 I went through a lot of diligence that took 90+ days across all aspects of the business,” says Rodriguez. “We had the normal disclosures plus ‘reps and warranties’ to cover everything.”
However, the process didn’t end there.
“We were forced to have a holdback on the deal of the following: a 15 percent holdback for 18 months. For me this was standard in an M&A event. The buyer holds back 15 percent of the purchase price for 18 months, in the event there is a claim,” he says, adding, “This holdback was for any lawsuits related to cyber and privacy violations as we were an identity company that had a lot of consumer data.”
If time is of the essence, then what are some of the basic tasks that need to be looked at from a cybersecurity perspective? Steve Durbin, managing director of the Information Security Forum offers a shopping list:
• Hire a specialist
“First, preparing a company’s risk profile is a specialist task – not a do-it-yourself activity. For one thing, in-house IT departments are typically short staffed and have their hands full keeping up with the company’s day-to-day business,” says Durbin. “And second, they typically don’t have the objective, independent perspective you need when you’re making a decision. So, I strongly recommend leaning on outside experts to do that work for you. Typically, it’s the bankers who are brokering the deal or the parties’ law firms who engage the specialists. And, of course, it’s a pass-through of the deal cost.”
• Examine mobility
“Secondly, one area I would make sure to have the specialists focus on involves the whole issue of mobility. Determine the target company’s approach to accessing information from remote locations, whether it’s on the move or from a remote office,” he notes. “The way that it’s done can create an unacceptable level of exposure to a company’s network along with its most sensitive files. Critical information is constantly being shared through cyberspace, and there’s risk whenever it’s in transition. Understanding that risk is essential.”
• Manage third parties
“My third recommendation involves third-parties – particularly those who are involved in data storage and transmission services. How does the acquisition candidate manage third parties?” says Durbin. “What information is being shared with them? And how? Understanding that is critical because third parties often unintentionally create routes to information loss or attack.”
• Safeguard the crown jewels
“Finally, I would want to understand whether the organization has a clear idea of what its risk profile actually looks like and how that profile relates to its mission-critical assets – the ones any buyer would prize most,” he says. “When you buy a company you’re buying intellectual property as well as infrastructure. But before you sign onto the deal, it’s essential to understand how those cyber assets are being protected.”
Once due diligence is completed that does not mean the cyberthreat vanishes. In fact, there is evidence that both malicious actors and the employees from the company being acquired could cause a problem.
PwC notes that if vulnerabilities exist, exposure is heightened in the period between a deal’s announcement and closing, given raised awareness and opportunity. Cybercriminals realize that once both parties agree to a deal and the hand-off begins, a company becomes vulnerable either because the usual security routine is broken or employees become distracted with tasks related to the merger.
Then there are those workers disgruntled by an acquisition. Almost every employee understands when two companies merge newly created corporate overlap can result in layoffs or downsizing. These people might steal information, damage systems, leave systems unprotected, contact a competitor or criminal who might be interested in gaining easy access.
From the May 2020 Issue of SC Media