In 2016, Marriott International purchased the Starwood hotel chain in a deal worth $13.6 billion. In November 2018, Marriott notified the public and regulators that in 2014, a breach to Starwood’s network had exposed at least 500 million customer records to cyber criminals. The announcement resulted in Marriott’s stock plunging 5.6 percent. The company faces the potential of massive fines and significant damage to its brand and reputation.

When companies conduct mergers and acquisitions, the monster lurking beneath the bed is the threat of undiscovered or undisclosed security breaches. Those discoveries can wreak havoc on the acquiring company after the deal, and on the target company if a breach is discovered before the deal’s closing. Yahoo’s past data breaches were discovered during Verizon’s bid to acquire the internet giant for $4.8 billion in 2016. Verizon cut roughly $350 million from the offer as a result. Yahoo’s parent company had to cough up another $50 million in damages to settle the accompanying consumer lawsuit.

The due diligence process for M&A deals is broad and deep, encompassing finances, leadership, IP, customer base, strategy, assets and partner/vendor contracts. One element of M&A due diligence that is critical to address during this important vetting period is cybersecurity.

Conducting a thorough investigation of the target company’s security posture through cyber diligence not only helps buyers gain a full picture of risks, it affords the target the opportunity to mitigate any vulnerabilities before acquisition to ensure maximization of its shareholder value, as well as a seamless transition period postclosing.

Jennifer DeTrani, general counsel at cybersecurity startup Nisos. Courtesy photo. Jennifer DeTrani, general counsel at cybersecurity startup Nisos. Courtesy photo.

A proper review will validate that security infrastructure and processes are sufficiently deployed and running properly as disclosed. It is equally important to fully identify and inventory all IT assets. Critically, by various estimates, between 20 percent to 50 percent of data and applications on corporate networks are unknown or unmanaged by IT and pose accompanying risks that should be reviewed and accepted or mitigated through proper controls. When conducting cyber diligence, estimate 30-45 days to complete the research.

And so, the following are a series of questions companies should strive to answer during their cyber diligence process:

1. Is there evidence of existing or prior compromise?

Endpoint monitoring tools are fundamental in this sometimes difficult exercise. These tools observe processes on hosts and look for suspicious or unusual user behavior with applications and files. For instance, you can see if an application’s configuration has been changed, whether users are attempting to access systems to which they don’t have access or if any users are transferring large files to external drives.

Network-monitoring tools indicate if someone is pulling data off the network from a remote location, by capturing all packets of communications at internet gateways. The analysis shows whether those packets are going to safe or unsafe IPs, such as anomalous or non-U.S. jurisdictions, which could implicate nation-state hackers or other nefarious actors. These tools can inspect historical logs for similar analysis, which may indicate a past breach depending on the company’s data retention policy. Hackers may also install tools that hide their tracks by deleting incriminating log files or disabling monitoring alerts. Forensics experts must be used in these efforts to fully assess whether the company has been compromised historically or faces any imminent threats.

2. Are adequate security measures in place?

Endpoint monitoring tools are again useful here: they can survey technologies and processes on the network such as anti-malware software. Are existing tools running well and properly configured? Are endpoints protected as the company has described in disclosures?

The analysis spans configurations, network traffic patterns, and protocol best practices. For example, remote desktop protocol (RDP) is a tool which bad actors routinely use to access victim networks. On detection of RDP, experts can recommend remedial measures that the target company can take to remove the tools and tighten up controls.  

3. What’s the state of network hygiene?

The purpose of this inspection is to evaluate if the network is clean and well-organized and identify any inconsistent deployments or configurations. Having many different device and operating system (OS) versions on the network introduces security risks and management complexity. This gives threat actors more opportunities to exploit underprotected areas to penetrate the network. Forensic experts will similarly determine whether shadow IT assets exist within the network that are not under proper controls. The reason for this analysis is simple: gold-standard network environments are stable and homogeneous. They are characterized by standard, updated OS versions across the board, standard connections, configurations and protections.

At the end of the cyber diligence process, companies should receive a clear set of conclusions and recommendations for what to implement and modify to include technology, processes and needed skills. It also gives both parties in the M&A transaction a specific road map to converge the two networks in a way that minimizes risk.

There may be recommendations which are not critical and which both parties may have to negotiate, such as the desire to segment the two companies’ networks. Proper cyber diligence adds cost and time to the overall M&A diligence process, but it is an essential investment to avoid the massive financial fallout of a postmerger discovery of historic or ongoing breach.

4. Are you integrating existing corporate security to the new enterprise?

While a company may go through great lengths in time, resources and funding to build and maintain a modern security stack, the integration of the new entity must be merged into the fold as soon as possible. This task can, even under ideal scenarios, take substantial effort and time. The goal would be to fully integrate the new entity into the fold of the existing enterprise. Until this happens, the enterprises will be out of sync, and the security apparatus, which would include IT security, may be lacking capabilities they rely on for their continued assessment and workflow, effectively creating a “blind spot.” As soon as possible, the following types of information should be made available as part of the merger process;

  • Email
  • Chat/corporate messaging
  • Existing security monitoring appliances
  • Installation of existing host-based monitoring already in use by acquiring entity

The integration into the new enterprise may take a prolonged period of time. The sooner the above information becomes available to the acquiring entity, the sooner the blind spot is closed.

5. Are you monitoring insider threat issues?

Mergers and acquisitions present unique challenges to staffing as well as information technology. While employees may have been highly loyal during their tenure working for a smaller company, the prospect of working for a larger one moving forward may cause tension and unease. Any significant changes to position, title, responsibilities, or compensation can trigger dissent. Companies should ensure communication is consistent and timely during transition periods, as uncertainty or unease can develop into employees leaving with organization IP, as well as other proprietary information.

It would be strongly suggested to review existing confidentiality agreements as part of the merger or acquisition to understand how to enforce consequences if necessary. It would be too late once employees start leaving to learn the company that was just acquired has limited to no recourse against employees.

This would be a significant issue if discovered during the acquisition process, as the gaining company stands to lose substantial parts of what it is attempting to acquire. Aside from financial motivations, employees who feel they are slighted during the process could take out frustrations on the organization on the way out the door. Sabotage of employer networks or property is becoming more and more prevalent.

The financial and organizational realities of two organizations merging or a smaller company being acquired by a larger one are profound. It’s critical to understand how to value, assess, protect and properly transition assets. Conducting thorough and reasoned cyber due diligence is an often overlooked but critical step in the cadence of M&A groundwork to a successful transaction.  

About the author: Jennifer DeTrani is general counsel of Nisos, a cybersecurity services and investigation company and special adviser and co-founder of Wickr, a secure communications company. She focuses her practice on cybersecurity, privacy, technology and policy issues.