The Critical Role of Cybersecurity in M&A: Part 1, Due Diligence

COVID-19 has disrupted virtually every aspect of business, and the mergers and acquisitions (M&A) pipeline is no exception. However, while overall M&A activity had fallen by more than 55% year over year as of June 30, nearly one in four C-level executives (23%) from a recent study by the M&A Leadership Council reported either “no impact in 2020 forecast deal volume” based upon COVID-19 or that they intended to “accelerate deal volume” during the remainder of 2020. Regardless of strategy — pausing or accelerating deals — unprecedented market volatility means that companies must consider ways to reduce the uncertainty and complexity of these transactions. One important consideration that is often overlooked during the M&A process is cybersecurity. This three-part blog series addresses the critical role cybersecurity plays in M&A, starting with the first phase, due diligence. Part 2 covers the pre-close phase and Part 3 covers post-close. In many cases, a company’s valuation is influenced by intellectual property (IP) and data. If adversaries have been inside the network, they could have exfiltrated proprietary information or other assets that could potentially impact the value of the company and the selling price. Further, past incidents can create liabilities that the new parent company will inherit, opening the buyer to a significant risk that may manifest well into the future.

 

These issues underscore how the M&A risk landscape has evolved and why buyers must assess the cybersecurity history of the seller in order to accurately valuate the target, identify and address any known risks and develop a comprehensive strategy to support the safe integration of the target into the host organization.

Modernizing M&A Due Diligence: The Power of a Compromise Assessment

In most transactions, cybersecurity due diligence consists of a basic set of questions asked by the buying organization to the target: Does the organization have a cybersecurity team? A firewall? Antivirus software? The answers to these are objective — a simple yes or no. But for buyers, the responses won’t be of much use in truly gauging the IT health and hygiene of the target company.

 

Most organizations have security tools and systems in place, but that doesn’t mean they’re configured correctly. Further, no solution is foolproof. Answering “yes” in a checklist doesn’t equate to safety. There may also be a certain amount of subjectivity that can go into the answers. For example, when asked if the organization has had “any problems,” the IT team may rely on judgment and recall, considering when past events occurred, how significant the impact to the business was and what the organization learned from it.

 

For these reasons, it’s important to go beyond the traditional question-based risk assessment that many consulting firms offer. To address this potential shortcoming, buyers can consider an in-depth compromise assessment led by a cybersecurity firm. Instead of asking a long list of questions, a compromise assessment looks at the telemetry — meaning all activity across the network — as well as artifacts of past activity. During this assessment, cybersecurity experts analyze past and present activity on each endpoint, take note of any suspicious activity and then assemble a timeline to understand how these events fit together. With that baseline in place, the cybersecurity team will then direct relevant, precise questions to the IT organization. These questions will be specific but also relatively simple, helping the security team continue to form an assessment based on what the data tells us. For example, the cybersecurity partner may ask if the organization uses certain software, such as remote access applications, which were found on the network and beaconing out in a suspicious way.

 

For both buyers and sellers, performing a compromise assessment should be considered the equivalent of a home inspection: a necessary and important step toward a successful deal. Much like a prospective home buyer wouldn’t simply take the property owner at his word about potentially costly or dangerous conditions, neither should a corporate M&A team. A team of experts must assess the situation and look at the story the property is telling based on evidence and data.

 

It’s important to note that during this process, the privacy of the target organization is fully maintained. A capable cybersecurity partner will only look at the target company’s metadata, thus ensuring that any proprietary and confidential information remains completely protected.

Context: The Value of a Consultancy Approach

Another key advantage to engaging a cybersecurity firm during M&A due diligence is the context that cybersecurity experts bring to the situation. These experts will provide a full report of all security issues and help the organization understand which items are material to the deal. This is important because almost every organization has viruses, malware, adware and Trojans on their network. These are often opportunistic attacks — infections that happen when visiting a website or downloading a file. But there are also targeted attacks — ones where the code is written specifically with the organization in mind. This shows intent on the part of the attacker and is a far more serious concern than opportunistic compromises. Cybersecurity experts also bring to the table a deep understanding of who might be behind attacks based on specialized experience. These professionals know what tools certain groups use, their tactics and M.O. They can use this information to determine where an attack is coming from and, ideally, how best to respond.

Due Diligence for All

Threat actors are constantly seeking delivery methods that have a low barrier of entry.

 

One such method for “big game hunters” is through a third-party compromise. When an adversary gets wind of a potential acquisition, there is no better third party to compromise than the organization being acquired. Just being part of an M&A deal — whether the organization is buying, selling, advising or providing a related service — can make for an attractive target to hackers.
During the due diligence phase, the focus is really on finding past compromises across the enterprise and through the partner network. The buyer should be asking: What risk is being assumed? Has the intellectual property that we've been valuing been exfiltrated by an adversary? Breaches can happen anywhere and so the compromise assessment must be comprehensive. To fully and accurately answer those questions and reduce uncertainty throughout the M&A lifecycle, every stakeholder has a role to play:
  • Buyer organizations should make cybersecurity a more prominent part of the decision-making process and involve IT earlier in the due diligence process and more consistently throughout the cycle.
  • IT leaders should advocate for their teams to be involved in M&A activities and formulate a comprehensive security strategy, including a compromise assessment.
  • Third parties, such as law firms, investment banks and insurance companies, should actively influence their clients to bring the right resources to the table.
While a compromise assessment may be an investment both in terms of time and money at the outset, it is well worth the effort. As much as $600 billion is lost annually in stolen IP in the U.S. economy — and that’s to say nothing of losses from business disruption or ransomware. Reducing or eliminating this number through a comprehensive and effective cybersecurity strategy should be a common priority for every buyer, seller and partner.

CrowdStrike Services Compromise Assessment

A CrowdStrike® Services Compromise Assessment, conducted by an investigative team with years of experience responding to complex, advanced attacks and backed by the powerful CrowdStrike Falcon®® platform, can benefit your organization:
  • Minimizes dwell time: Learn if attackers have breached your defenses and are moving unnoticed in your environment.

     

  • Reduces risk: Receive a thorough analysis that reduces the risk of attackers stealing financial assets, customer data or intellectual property.

     

  • Improves your security: Proactively identify ineffective security practices that are putting your organization at greater risk.
Read Part 2 and Part 3 of this series covering the pre-close and post-close phases of the M&A process.

Additional Resources

Breaches Stop Here