Cyber Due Diligence Is Table Stakes for Effective M&A
Don't let a dangerous stranger beat you at your own game when your company acquires or merges with another. Always conduct cyber diligence to mitigate risk before the deal is done.
March 04, 2019 at 01:00 AM
The original version of this story was published on Corporate Counsel
In 2016, Marriott International purchased the Starwood hotel chain in a deal worth $13.6 billion. In November 2018, Marriott notified the public and regulators that in 2014, a breach of Starwood's network had exposed at least 500 million customer records to cyber criminals. The announcement resulted in Marriott's stock plunging 5.6 percent. The company faces the potential of massive fines and significant damage to its brand and reputation.
When companies conduct mergers and acquisitions, the monster lurking beneath the bed is the threat of undiscovered or undisclosed security breaches. Those discoveries can wreak havoc on the acquiring company after the deal, and on the target company if a breach is discovered before the deal's closing. Yahoo's past data breaches were discovered during Verizon's bid to acquire the internet giant for $4.8 billion in 2016. Verizon cut roughly $350 million from the offer as a result. Yahoo's parent company had to cough up another $50 million in damages to settle the accompanying consumer lawsuit.
The due diligence process for M&A deals is broad and deep, encompassing finances, leadership, IP, customer base, strategy, assets and partner/vendor contracts. One element of M&A due diligence that is critical to address during this important vetting period is cybersecurity.
Conducting a thorough investigation of the target company's security posture through cyber diligence not only helps buyers gain a full picture of risks, it also affords the target the opportunity to mitigate any vulnerabilities before acquisition to maximize its shareholder value and to ensure a seamless transition period post-closing.
A proper review will validate that security infrastructure and processes are sufficiently deployed and running properly as disclosed. It is equally important to fully identify and inventory all IT assets. Critically, by various estimates, between 20 percent and 50 percent of data and applications on corporate networks are unknown to or unmanaged by IT and pose accompanying risks that should be reviewed and accepted or mitigated through proper controls. When conducting cyber diligence, estimate 30-45 days to complete the research.
The following are questions companies should strive to answer during their cyber diligence process:
1. Is there evidence of existing or prior compromise?
Endpoint monitoring tools are fundamental in this sometimes difficult exercise. These tools observe processes on hosts and look for suspicious or unusual user behavior with applications and files. For instance, you can see if an application's configuration has been changed, whether users are attempting to access systems to which they don't have access or if any users are transferring large files to external drives.
Network-monitoring tools indicate if someone is pulling data off the network from a remote location, by capturing all packets of communications at internet gateways. The analysis shows whether those packets are going to safe or unsafe IPs, such as those in anomalous or non-U.S. jurisdictions, which could implicate nation-state hackers or other nefarious actors. These tools can inspect historical logs for similar analysis, which may indicate a past breach, depending on the company's data retention policy. Hackers may also install tools that hide their tracks by deleting incriminating log files or disabling monitoring alerts. Forensics experts must be used in these efforts to fully assess whether the company has been compromised historically or faces any imminent threats.
2. Are adequate security measures in place?
Endpoint monitoring tools are again useful here: they can survey technologies and processes on the network such as anti-malware software. Are existing tools running well and properly configured? Are endpoints protected as the company has described in disclosures?
The analysis spans configurations, network traffic patterns, and protocol best practices. For example, remote desktop protocol (RDP) is a tool which bad actors routinely use to access victim networks. On detection of RDP, experts can recommend remedial measures that the target company can take to remove the tools and tighten up controls.
3. What's the state of network hygiene?
The purpose of this inspection is to evaluate if the network is clean and well-organized and identify any inconsistent deployments or configurations. Having many different device and operating system (OS) versions on the network introduces security risks and management complexity. This gives threat actors more opportunities to exploit underprotected areas to penetrate the network. Forensic experts will similarly determine whether shadow IT assets exist within the network that are not under proper controls. The reason for this analysis is simple: gold-standard network environments are stable and homogeneous. They are characterized by standard, updated OS versions across the board, standard connections, configurations and protections.
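The comparison behind questions 2 and 3, as an added example that is not part of the original article: a Python sketch that checks what the target disclosed against what a discovery scan actually observes. The hosts, field names and register format are constructed assumptions, not the output of any particular tool.

```python
from collections import Counter

RDP_PORT = 3389  # default TCP port for Remote Desktop Protocol

# Constructed sample: the asset register the target disclosed (ip -> claims).
DISCLOSED = {
    "10.0.1.10": {"os": "Windows Server 2019", "edr": True},
    "10.0.1.11": {"os": "Windows Server 2019", "edr": True},
    "10.0.1.12": {"os": "Windows Server 2012 R2", "edr": False},
    "10.0.2.20": {"os": "Ubuntu 22.04", "edr": True},
}

# Constructed sample: hosts seen during diligence by a discovery scan.
OBSERVED = [
    {"ip": "10.0.1.10", "os": "Windows Server 2019", "edr_agent": True, "open_ports": [443]},
    {"ip": "10.0.1.11", "os": "Windows Server 2019", "edr_agent": False, "open_ports": [443, 3389]},
    {"ip": "10.0.1.12", "os": "Windows Server 2012 R2", "edr_agent": False, "open_ports": [445, 3389]},
    {"ip": "10.0.2.20", "os": "Ubuntu 22.04", "edr_agent": True, "open_ports": [22]},
    {"ip": "10.0.3.77", "os": "Windows 7", "edr_agent": False, "open_ports": [3389]},
    {"ip": "10.0.3.78", "os": "Ubuntu 16.04", "edr_agent": False, "open_ports": [22, 8080]},
]


def hygiene_report(disclosed, observed):
    """Compare the disclosed register with what is actually on the network."""
    seen = {h["ip"] for h in observed}
    # Shadow IT: hosts on the wire that the register does not mention.
    shadow = sorted(seen - set(disclosed))
    # Protection claimed in disclosures but no agent found on the host.
    edr_mismatch = sorted(
        h["ip"] for h in observed
        if disclosed.get(h["ip"], {}).get("edr") and not h["edr_agent"]
    )
    # Hosts listening for RDP, to be reviewed and tightened or removed.
    rdp = sorted(h["ip"] for h in observed if RDP_PORT in h["open_ports"])
    # OS fragmentation: a homogeneous network has few distinct versions.
    os_counts = Counter(h["os"] for h in observed)
    return {
        "shadow_it": shadow,
        "edr_mismatch": edr_mismatch,
        "rdp_listeners": rdp,
        "distinct_os_versions": len(os_counts),
        "unmanaged_share": round(len(shadow) / len(seen), 2),
    }


if __name__ == "__main__":
    for key, value in hygiene_report(DISCLOSED, OBSERVED).items():
        print(f"{key}: {value}")
```

Each list in the report maps to a diligence finding: undisclosed assets, protection that does not match the disclosures, remote-access exposure, and version sprawl.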
At the end of the cyber diligence process, companies should receive a clear set of conclusions and recommendations for what to implement and modify, including technology, processes and needed skills. It also gives both parties in the M&A transaction a specific road map to converge the two networks in a way that minimizes risk.
There may be recommendations which are not critical and which both parties may have to negotiate, such as the desire to segment the two companies' networks. Proper cyber diligence adds cost and time to the overall M&A diligence process, but it is an essential investment to avoid the massive financial fallout of a postmerger discovery of historic or ongoing breach.
4. Are you integrating existing corporate security into the new enterprise?
While a company may go to great lengths in time, resources and funding to build and maintain a modern security stack, the new entity must be brought into the fold as soon as possible. This task can, even under ideal scenarios, take substantial effort and time. The goal is to fully integrate the new entity into the existing enterprise. Until this happens, the enterprises will be out of sync, and the security apparatus, including IT security, may lack capabilities it relies on for continued assessment and workflow, effectively creating a “blind spot.” As soon as possible, the following types of information should be made available as part of the merger process:
- Chat/corporate messaging
- Existing security monitoring appliances
- Installation of existing host-based monitoring already in use by the acquiring entity
The integration into the new enterprise may take a prolonged period of time. The sooner the above information becomes available to the acquiring entity, the sooner the blind spot is closed.
5. Are you monitoring insider threat issues?
Mergers and acquisitions present unique challenges to staffing as well as information technology. While employees may have been highly loyal during their tenure working for a smaller company, the prospect of working for a larger one moving forward may cause tension and unease. Any significant changes to position, title, responsibilities, or compensation can trigger dissent. Companies should ensure communication is consistent and timely during transition periods, as uncertainty or unease can develop into employees leaving with the organization's IP, as well as other proprietary information.
It is strongly suggested that companies review existing confidentiality agreements as part of the merger or acquisition to understand how to enforce consequences if necessary. Once employees start leaving, it is too late to learn that the company that was just acquired has limited or no recourse against them.
This would be a significant issue if discovered during the acquisition process, as the gaining company stands to lose substantial parts of what it is attempting to acquire. Aside from financial motivations, employees who feel they are slighted during the process could take out frustrations on the organization on the way out the door. Sabotage of employer networks or property is becoming more and more prevalent.
The financial and organizational realities of two organizations merging or a smaller company being acquired by a larger one are profound. It's critical to understand how to value, assess, protect and properly transition assets. Conducting thorough and reasoned cyber due diligence is an often overlooked but critical step in the cadence of M&A groundwork to a successful transaction.
Jennifer DeTrani is general counsel of Nisos, a cybersecurity services and investigation company and special adviser and co-founder of Wickr, a secure communications company. She focuses her practice on cybersecurity, privacy, technology and policy issues.