Security experts regularly exhort organizations to improve their security not just internally but externally as well, in their business relationships with third parties.
In many cases, it is more than an exhortation – it’s a mandate. Last year’s updated standards for the payment card industry (PCI) made a point of addressing third-party risks.
But some evidence suggests that one area of third-party relationships where security still lags is mergers and acquisitions (M&A).
In a survey of “214 global deal-makers from corporates, financial institutions, investors and legal services providers,” the London-based law firm Freshfields Bruckhaus Deringer found that while there is plenty of awareness (74 percent of acquirers and 60 percent of sellers) about the effect that cyber security risks can have on a pending deal, a large majority of respondents – 78 percent – “believe cyber security is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.”
That could be costly – very costly.
If a company’s value is largely based on its intellectual property or other proprietary information like customer data, and that information has been compromised through a breach, it could be in the hands of competitors, and therefore lose much of its value.
Also, if either company involved in a merger or acquisition has been breached, it is much easier for attackers to penetrate both companies, which could have catastrophic effects on the value of both.
And based on the activity in the sector, M&As offer a large attack surface for enterprising cyber criminals. A recent blog post by the security company FireEye noted that, “in the U.S., just during April and May there were almost 2,000 M&A events, while in Asia Pacific, M&A activity reached a record $367.7 billion during the first six months of 2015.”
All of which raises the obvious question: Why isn’t M&A due diligence focusing on the cyber security posture or history of companies just as much as their financials or market share, since both could be affected by a breach?
According to those in the field, the problem is being addressed, although substantial weaknesses remain, and it will likely take time for the smaller players to catch up.
“I think it is now on people’s radar, whereas before it may have been an afterthought,” said Scott Koller, counsel at the law firm BakerHostetler. “The problem is that it is not taken as seriously as it should be, or there is an under-appreciation of the risk.”
He said it is easy to adopt the so-called “check-box” mentality when evaluating the security posture of a company, as in: “Do you have a firewall? (check). Do you have anti-virus? (check).
“But security requires understanding the type and volume of data stored by the organization, the regulatory and legal landscape, and the potential threats to the organization,” he said.
Sean Curran, a director of West Monroe Partners’ security and infrastructure consulting practice, agreed, noting that part of the problem is that for many companies, evaluating cyber risk is “still a strange enough topic that some of them are asking how to find the right person to do it.”
He said the purpose of due diligence in cyber risk is not to know whether a company can be hacked. Indeed, the mantra in the security industry these days is that there are two kinds of companies: Those that know they have been hacked, and those who have been hacked but don’t know it.
“The key is to know what you’re buying – what’s the ‘secret sauce’ that makes a company unique,” he said. “Is it financial, reputational, legal, and what is the value of that? And what might a breach cost?”
According to Michael Del Giudice, senior manager at Crowe Horwath, it is well worth investigating whether a target company has been breached and remains unaware of it. He cited a Ponemon Institute study that found it took retail companies an average of 197 days – more than six months – to detect a breach.
“If a potential acquirer relies on a questionnaire, it’s possible the target may not be aware of a breach that could significantly impact valuation of the firm,” he said.
That is also the message from Ron Arden, vice president and CMO at Fasoo. “An acquirer needs to understand the assets and liabilities it is acquiring, and look at lack of adequate security as a business risk, just as leases, debt and potential litigation are liabilities,” he said.
That level of scrutiny is “very well established” at larger private equity firms like Blackstone, the Carlyle Group and TPG, with assets under management (AUM) in the $75 billion to $200 billion range, according to Eric Feldman, CIO of The Riverside Company.
“But there’s a huge gamut of sophistication among firms,” he said, “which means that for many smaller firms, the cyber side can be a weak point.”
However, that is improving even at smaller firms, he said, due to pressure from both the public and private sectors.
On the public side, the federal Securities and Exchange Commission (SEC) has regulatory authority over U.S.-based private equity firms with more than $150 million of AUM. “That covers most of them,” he said.
Over the past couple of years, the agency’s Office of Compliance Inspections and Examinations has issued several "Risk Alerts" dedicated to improving cyber security.
Those alerts come with some teeth, too. Feldman noted that the SEC has begun fining firms for inadequate security.
Indeed, the SEC reached a settlement just last month with R.T. Jones Capital Equities Management that included a censure and a $75,000 fine for failing to prevent a hack that compromised the personal information of 100,000 customers.
And from the private side, limited partners like major pension funds, which are big investors in private equity, “want to know what controls the management companies have in place to make sure that the firm has established broader cyber awareness programs that protect critical data,” Feldman said.
Koller agreed that scrutiny and regulation of security are important and necessary, but he added a caveat: the cyber risks of a company do not have to be a deal breaker. “It’s easier to fix a company with solid financials but poor security than it is to revive a company with great security but weak financials,” he said.
Beyond that, companies with histories that include data breaches – even a major one – may still be worthwhile targets for M&As. “An organization that has encountered one or more breaches in the past is better prepared to handle them in the future,” Koller said.
Curran agreed. “Very few companies that have been in the headlines (for breaches) have lost market share,” he said. “There is a growing perception that an organization that has been attacked becomes a better organization. The perception is that I want to do business with them.”
While many small companies may lack the in-house expertise to perform adequate due diligence regarding security risks during an M&A, Curran and others said it should not be that difficult to find outside experts. He said his firm is one of a number that offer security consulting.
He said most companies that try to do a self-assessment “will get it wrong. Just knowing you have a firewall isn’t enough. And even for those that use a QSA (qualified security assessor), it may not be enough. Unfortunately, not all QSAs are created equal – some firms are more stringent than others.
“I have found in many cases that even organizations engaged with a QSA are not compliant because they drove the scope and the QSA did not push back,” he said.
Del Giudice added that while some target companies might have cyber risks that are low enough to warrant an evaluation that simply relies on a questionnaire, that is not enough for those at higher risk.
“Companies performing due diligence should consider performing an in-depth onsite analysis that doesn’t just identify previous incidents, but understands how the organization identifies and responds to incidents, assesses systems for unidentified breaches, and evaluates the organization’s capabilities to mitigate cybersecurity risks,” he said.