On the hunt for merger or acquisition? Make sure your target is secure

Given numerous examples of catastrophic security risks from third-party relationships, the merger and acquisition industry needs to get caught up

Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties.

In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.

But some evidence suggests an area of third-party relationships where security still lags is mergers and acquisitions (M&A).

In a survey of “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”

That could be costly – very costly.

If a company’s value is largely based on its intellectual property or other proprietary information like customer data, and that information has been compromised through a breach, it could be in the hands of competitors, and therefore lose much of its value.

Also, if either company involved in a merger or acquisition has been breached, it is much easier for attackers to penetrate both companies, which could have catastrophic effects on the value of both.

And based on the activity in the sector, M&As offer a large attack surface for enterprising cyber criminals. A recent blog post by the security company FireEye noted that “in the U.S., just during April and May there were almost 2,000 M&A events, while in Asia Pacific, M&A activity reached a record $367.7 billion during the first six months of 2015.”

All of which raises the obvious question: Why isn’t M&A due diligence focusing on the cyber security posture or history of companies just as much as their financials or market share, since both could be affected by a breach?

According to those in the field, the problem is being addressed, although substantial weaknesses remain, and it will likely take time for the smaller players to catch up.

“I think it is now on people’s radar, whereas before it may have been an afterthought,” said Scott Koller, counsel at the law firm BakerHostetler. “The problem is that it is not taken as seriously as it should be, or there is an under-appreciation of the risk.”

He said it is easy to adopt the so-called “check-box” mentality when evaluating the security posture of a company, as in: “Do you have a firewall? (check). Do you have anti-virus (check)?

“But security requires understanding the type and volume of data stored by the organization, the regulatory and legal landscape, and the potential threats to the organization,” he said.

Sean Curran, a director of West Monroe Partners’ security and infrastructure consulting practice, agreed, noting that part of the problem is that for many companies, evaluating cyber risk is “still a strange enough topic that some of them are asking how to find the right person to do it.”

Sean Curran, director, West Monroe Partners’ security and infrastructure consulting practice

He said the purpose of due diligence in cyber risk is not to know whether a company can be hacked. Indeed, the mantra in the security industry these days is that there are two kinds of companies: Those that know they have been hacked, and those who have been hacked but don’t know it.

“The key is to know what you’re buying – what’s the ‘secret sauce’ that makes a company unique,” he said. “Is it financial, reputational, legal, and what is the value of that? And what might a breach cost?”

According to Michael Del Giudice, senior manager at Crowe Horwath, it is well worth investigating whether a target company has been breached and remains unaware of it. He cited a Ponemon Institute study that found it took retail companies an average of 197 days – more than six months – to detect a breach.

Michael Del Giudice, senior manager at Crowe Horwath

“If a potential acquirer relies on a questionnaire, it’s possible the target may not be aware of a breach that could significantly impact valuation of the firm,” he said.

That is also the message from Ron Arden, vice president and CMO at Fasoo. “An acquirer needs to understand the assets and liabilities it is acquiring, and look at lack of adequate security as a business risk, just as leases, debt and potential litigation are liabilities,” he said.

That level of scrutiny is “very well established” at larger private equity firms like Blackstone, the Carlyle Group and TPG, with assets under management (AUM) in the $75 billion to $200 billion range, according to Eric Feldman, CIO of The Riverside Company.

“But there’s a huge gamut of sophistication among firms,” he said, “which means that for many smaller firms, the cyber side can be a weak point.”

Ron Arden, vice president and CMO, Fasoo

However, that is improving even at smaller firms, he said, due to pressure from both the public and private sectors.

On the public side, the federal Securities and Exchange Commission (SEC) has regulatory authority over U.S.-based private equity firms with more than $150 million of AUM. “That covers most of them,” he said.

Over the past couple of years, the agency’s Office of Compliance Inspections and Examinations has issued several "Risk Alerts" dedicated to improving cyber security.

Those alerts come with some teeth, too. Feldman noted that the SEC has begun fining firms for inadequate security.

Indeed, the SEC reached a settlement just last month with R.T. Jones Capital Equities Management that included a censure and a $75,000 fine for failing to prevent a hack that compromised the personal information of 100,000 customers.

And from the private side, limited partners like major pension funds, which are big investors in private equity, “want to know what controls the management companies have in place to make sure that the firm has established broader cyber awareness programs that protect critical data,” Feldman said.

Koller agrees that scrutiny and regulation of security are important and necessary, but he added a caveat that the cyber risks of a company do not have to be a deal breaker. “It’s easier to fix a company with solid financials but poor security than it is to revive a company with great security but weak financials,” he said.

Beyond that, companies with histories that include data breaches – even a major one – may still be worthwhile targets for M&As. “An organization that has encountered one or more breaches in the past is better prepared to handle them in the future,” Koller said.

Curran agreed. “Very few companies that have been in the headlines (for breaches) have lost market share,” he said. “There is a growing perception that an organization that has been attacked becomes a better organization. The perception is that I want to do business with them.”

While many small companies may lack the in-house expertise to perform adequate due diligence regarding security risks during an M&A, Curran and others said it should not be that difficult to find outside experts. He said his firm is one of a number that offer security consulting.

He said most companies that try to do a self-assessment “will get it wrong. Just knowing you have a firewall isn’t enough. And even for those that use a QSA (qualified security assessor), it may not be enough. Unfortunately, not all QSAs are created equal – some firms are more stringent than others.

“I have found in many cases that even organizations engaged with a QSA are not compliant because they drove the scope and the QSA did not push back,” he said.

Del Giudice added that while some target companies might have cyber risks that are low enough to warrant an evaluation that simply relies on a questionnaire, that is not enough for those at higher risk.

“Companies performing due diligence should consider performing an in-depth onsite analysis that doesn’t just identify previous incidents, but understands how the organization identifies and responds to incidents, assesses systems for unidentified breaches, and evaluates the organization’s capabilities to mitigate cybersecurity risks,” he said.
