Six Considerations for Acquisition Cybersecurity Success
There’s more to acquisition cybersecurity than meets the eye. Learn our recommendations here and put them to work to keep your business and targets safe.
Recapping the Challenges of M&A Cybersecurity
M&A cybersecurity is one of the most important factors in the success of an acquisition. In a 2019 study conducted by Forescout Technologies, respondents cited the history of cybersecurity incidents as the second most important factor in their due diligence processes, surpassed only by the target’s financial statements. Additionally, the target’s cyber risk scores ranked highly along with standard factors like customer satisfaction, competitive positioning, and so on.
The same study found that cybersecurity due diligence typically happens late in the M&A lifecycle: 61% of respondents run this critical phase toward the end of the pre-deal phase (e.g., during target screening), and some run it as late as post-integration. The data suggest that companies treat acquisition cybersecurity due diligence as a point-in-time exercise rather than an ongoing effort that should start as early as possible and continue through the integration and post-integration phases.
Even if the initial assessment conducted early in the acquisition cybersecurity process produces no findings, the target's business keeps operating and its environment keeps changing. At any point, new or reconfigured assets and devices could introduce vulnerabilities. Unless cyber risk is re-evaluated at each stage, those risks become progressively harder to track.
So what comprises a strong acquisition cybersecurity approach? What should acquirers do and watch for as they assess their target’s cybersecurity posture, evaluate their assets, and determine the number of devices connected to their network? Below, we explore six specific steps that acquirers should consider as they move forward with their due diligence process.
Six Considerations for Strong Acquisition Cybersecurity
1. Evaluate the Target’s Digital Asset Inventory
Target companies will have a variety of digital assets in use across their organization: network infrastructure, IoT devices (and the strategy governing them), operational technology (OT), cloud infrastructure, and traditional IT assets. Take inventory of as many of these as possible, including devices that connect to the network but are not centrally managed, and assess the risk each one carries. Begin with the high-value assets, those that are critical to the target's network and operations, and evaluate how important each one is to the target's business.
Are they secure? What incidents have they been connected to? What would happen if these higher-priority assets were compromised? How would a breach impact the company’s ability to operate? How might the acquirer be impacted?
2. Evaluate the Target’s Cybersecurity Program
Even if your organization already has a strong cybersecurity program, that program does not protect you from pre-existing or latent vulnerabilities in the target's environment. You are, after all, acquiring them. Combining or transitioning systems during integration takes time, and these transitional workflows are exactly what attackers target, because they introduce several distinct risks.
First, there is a greater risk of human error. People get confused, skip a step, or make a simple mistake that opens the door to a breach. Second, there may be incompatibilities or misalignments between the two organizations' systems and tooling that leave certain security controls uncovered. Evaluate the target's existing cybersecurity program specifically against the high-value assets identified in the first step: does it actually protect them? Some hard decisions may follow, such as whether those assets are appropriate or truly needed for the combined business, and whether the controls around them are complete (fully implemented, configured, and monitored) rather than partially deployed.
3. Evaluate the Target’s Third-Party Risk Strategy
Vendors are critical to every business. From hardware and software providers to key service providers for facilities, marketing, and more, we all need and rely on third-party vendors to get our work done. But for acquirers, third-party vendors add an extra layer of complexity and risk to a potential acquisition. That’s why your acquisition cybersecurity strategy must carefully consider the who, what, when, where, why, and how of every single technology vendor relationship that your target has engaged.
Your focus should be broad: what is the target's cyber risk management strategy for its third-party relationships? More specifically, how does the target depend on those vendors for goods, services, data, outsourced business functions, and joint business initiatives? Even if your due diligence finds that the target's own platforms and systems are in good shape, outside vendors still hold the target's data and frequently have access into its environment. If their systems are not secure, the target's data can be compromised through them.
4. Evaluate the Target’s Past
There are two components to this. First, evaluate any prior breaches the target has suffered. What caused them? What data or systems were compromised? What was the outcome? Was the company fined? How was the breach communicated internally, and how was it communicated to customers and partners? It is important to understand the full magnitude of any prior breach, including those that occurred several years ago or more, because the root causes may never have been fully remediated.
The second component is assessing the target's incident response (IR) capabilities. IR is a critical function that every company should have in place. It requires regular testing through in-depth tabletop exercises, along with documented policies and procedures that are communicated throughout the organization, particularly to leadership, counsel, and department heads. Ask for evidence of both: when the last exercise was run, what it covered, and what changed as a result. This is what ensures the company can respond properly to an incident, contain the threat quickly, and minimize damage.
5. Evaluate the Target’s Regulatory Compliance
Depending on your industry and the target's, each organization is subject to its own set of cybersecurity regulations, and those sets may not overlap. As the acquirer, you need to understand which regulations apply to the target, what ongoing compliance requires, and what the target has actually done to meet those requirements over time, not just at its last audit.
Another consideration here is fully understanding what happens if the target fails to remain in compliance. As the acquirer, what does that mean for you? What risks and liabilities do you assume in being the new owner of the target? What changes have to be made internally within your organization to ensure you’re in compliance with these regulations — if you weren’t already required to be in compliance with them?
6. Evaluate the Target’s Resilience
This final recommendation in our list of acquisition cybersecurity considerations is more subjective than the others, but no less important. If the target experienced a cybersecurity incident, how well would it withstand it? That question applies across the organization: financially (can it absorb the cost of changes, fines, and new security tooling?), operationally (can it keep the business running while something is happening?), and in communications (can it navigate the complexities of public and internal communication about a breach?).
Be Informed and Be Prepared
If your organization is considering acquiring one or more companies this year, get the support you need to analyze your targets' cybersecurity comprehensively. This is far too important to leave to chance, or to a single internal team that is already swamped with other work. The chief information security officers at Inversion6 Technologies and our team of security analysts are here to help. Get in touch with our team today.