The Critical Role of Cybersecurity in M&A: Part 3, Post-Close

In the post-close phase of an M&A transaction, the deal may be done but the job of integration has just begun. From a systems point of view, this means connecting the networks, applications, directories and countless other assets in order to unite hundreds or even thousands of users and establish a single, consolidated view of the network.

 

As noted in our two previous blogs about the importance of cybersecurity during the due diligence and pre-close phases, IT is often an afterthought during these periods. This potential lack of planning during the earlier stages raises important considerations for how the parent organization should proceed with integration during the post-close period.

 

In this blog, the final installment of our three-part series on M&A cybersecurity, we review the necessary steps and recommended activities for organizations to perform during the post-close period to ensure the ongoing health and hygiene of both networks during integration and beyond. Parts 1 and 2 dealt with the pre- and post-close phases:

Steps and Activities in the Post-Close Phase

1: Engage a trusted cybersecurity partner

During the post-close phase, buyers are likely grappling with two competing priorities: the need to maintain network security and the desire to complete the integration quickly.

 

 

On one hand, a slow integration can raise risk, as the parent organization has limited visibility into what is happening on the other network during this period. This means that the acquired company could be the victim of data theft or leaks, which could severely devalue the target and open the parent organization to a variety of risks when integration occurs. At the same time, integration must be planned carefully and thoroughly, which takes time — especially if the M&A team has not begun this process in the pre-close period. For many organizations, the answer may be to delegate cybersecurity efforts to a qualified partner. A cybersecurity firm could apply expert level resources to protect the organization from digital adversaries while the buyer and target companies focus on integration. As part of this engagement, the cybersecurity partner could perform endpoint monitoring, detection and response to ensure the safety of both networks and serve as an on-call resource in the event of a breach. Through this handoff period, cybersecurity is maintained while the IT team focuses on integration itself — thus improving the speed of integration without compromising safety.

 

 

2: Review due diligence and pre-close activity — or play catch-up

 

Companies should enter the integration phase fully confident that the entire network, including all endpoints and servers, has been checked and no vulnerabilities exist. For organizations that have conducted such assessments during the due diligence and pre-close phases, they will need to confirm the findings of those exercises and ensure that no new issues have since arisen. For organizations that have not yet gone through these steps, it is critical that they do so immediately. At a minimum, the organization should conduct an in-depth IT hygiene assessment, which will identify points of concern such as unprotected devices on the network, unpatched systems and other vulnerabilities that could be exploited by a threat actor, as well as help the organization prioritize vulnerabilities and determine an appropriate response. This security assessment is absolutely critical during the post-close period, as integration of the two networks will expose both organizations to the other’s risks and threats, many of which may have gone undetected for months or even years. Recent research from CrowdStrike revealed that adversaries have a “dwell time” of 95 days on average — meaning that attackers are able to lurk on a network, undetected, and plan their attack for an average of over three months. Perhaps even more concerning, we find that these actors are using this time to employ stronger countermeasures, allowing them to remain hidden longer — in some cases, for years — prior to discovery. For companies that completed a risk or IT hygiene assessment with a consulting firm or inexperienced third-party, these hackers could be present and continue to operate unabated well into the future. Adding to the complexity, many M&A events are widely publicized, which often piques the interest of adversaries that use third-party compromises (like through the organization being acquired) to attack “bigger game” (like the organization doing the acquisition). For companies that are choosing to integrate their networks, having a clean bill of IT hygiene also makes the connection process far more efficient. Companies can reduce the complexities of integration because they know that threat actors aren't present. As a result, companies can skip lengthy and complex reimaging processes and minimize disruption to the business and staff.

3: Prepare for the future with an incident response playbook

Breaches are an unfortunate fact of life for every business. Since there is no way to prevent 100% of cyberattacks, it is important to have an effective way of detecting and neutralizing threats rapidly. One way to improve the efficiency of the cybersecurity response team is through an incident response playbook. This asset, created in partnership with a cybersecurity team, serves as a field manual that outlines the steps to be taken when an incident occurs. This playbook anchors all security activity in the event of a breach, essentially dictating how the organization should respond based on the type of attack, its perceived threat and its potential impact. Operating in this way saves the security team valuable time and also ensures that the organization responds to events consistently.

 

 

At CrowdStrike, this exercise also involves planning for breaches within the supply chain. We account for all sorts of technical, legal and political considerations that the company must anticipate if a breach happens with a third party. While these attacks often feature the same types of malicious file used against a client, the context of how it's being used within the supplier network puts an organization in a more vulnerable place since it cannot manage response or remediation efforts.

4: Test and improve the network perimeter through adversary emulation

Once the network is integrated, it’s important for the organization to test for vulnerabilities and the preparedness of the newly merged cybersecurity team to handle a targeted attack. A Red Team/Blue Team exercise, or adversary emulation, is a cybersecurity assessment technique that uses simulated attacks to gauge the strength of the organization’s security capabilities and identify areas for improvement while in a low-risk environment. Modeled after military training exercises, this drill is a face-off between two teams of highly trained cybersecurity professionals: a Red Team that uses real-world cyberattack techniques in an attempt to compromise the environment, and a Blue Team consisting of incident responders who work within the security unit to identify, assess and respond to the intrusion. Red Team/Blue Team simulations play an important role in defending the organization against a wide range of cyberattacks and digital adversaries. These exercises help organizations identify points of vulnerability, determine areas of improvement, build the organization’s first-hand experience about how to detect and neutralize a targeted attack, and develop document response and remediation activities to return the environment to a secure status.

 

Following the exercise, the two teams will have a debrief, during which the Red Team explains gaps and vulnerabilities within the network and both groups identify ways to address them. Ultimately, this test helps raise the level of security so that the organization can prevent a greater number of attacks by having a more secure perimeter.

A Strategic Approach to Post-Close Cybersecurity and Network Integration

The post-close phase of an M&A transaction is all about aftercare. The deal is done, which means that any risks or threats lurking on the target network can spread to the parent. Organizations in this phase must understand that ensuring strong cybersecurity is a priority — one that requires care, thought and support from a team of experienced professionals and using a robust set of tools, technologies and services to back them up.

Why Post-Close Is Such a Vulnerable Phase: A Worst-Case Scenario

As an example of what can go wrong during the post-close phase — whether you are the buyer or the seller — let’s look at a worst-case scenario. Suppose a multibillion-dollar company is selling a small division of its enterprise to a venture capital (VC) firm to be spun off as an independent company. For the CEO and employees of the smaller company, this would be a proud moment signifying a transition to a successful and lucrative future. But what if during the post-close phase, the larger company — the seller — gets hit with a massive ransomware attack? Since the transition to independence has not yet occurred and their networks are still connected, both entities will have to take immediate steps to avoid disaster. This could include shutting down machines and systems in order to protect assets and IP while the damage is evaluated. Clearly, this will have a greater impact on the smaller company — and the picture of a bright future has suddenly turned dark. Frequently, a team such as CrowdStrike® Services would be called in at this point. Although it is late in the process, the Services team’s objective is to rapidly determine the scope of the attack and the damage incurred, and take immediate steps to remediate and minimize further damage. The ultimate goal is always to get the company back into production as quickly as possible.

 

In any engagement like this, the first thing the CrowdStrike Services team seeks to do is deploy the CrowdStrike Falcon® platform across the network and gain immediate visibility to identify, contain and analyze the ransomware attack and begin the process of remediation. However, if the networks are still attached, both parties must agree to this approach, which can dramatically increase the complexity of the investigation and response. The seller may be uncomfortable deploying the Falcon platform for a variety of reasons: they may cite data privacy concerns, or they may have other IT or policy constraints. If the transition services agreement (TSA) doesn’t address the seller’s responsibilities in the event of a cyberattack, the response team may not be enabled to respond with maximum effectiveness. This results in low impact to the seller but massive impact to the buyer, with the buyer being forced to rebuild the network and systems of the company it purchased, from the ground up and at great cost — including losing many weeks of production. If this were occurring now, the buyer’s losses would be exacerbated due to the global pandemic, making full recovery an even more onerous task. While the VC investor and the newly formed company would suffer substantial — even devastating losses — the impact would be much less severe for the seller, a large enterprise with deep pockets.

 

How Can a Scenario Like This Be Avoided?

Although this account illustrates a host of complications that could occur at any stage of the M&A process, they would be especially difficult during the post-close phase. The good news is that a worst-case scenario such as this can be avoided with proper preparation. The following are some recommendations that can help organizations avoid these unnecessary M&A outcomes: Ensure that your TSA coverage is adequate: A typical TSA will include IT considerations, but an article last year in The Wall Street Journal cautions both buyers and sellers to beware when negotiating these important TSA contracts. WSJ writes that sellers, who may have little interest in their recipient’s ongoing success, whether intentionally or not, “could roll out incompatible or insufficient services in such critical areas as cybersecurity, reporting, or external customer support, violating the spirit if not the letter of the agreement.”

 

Buyers, they warn, may “inadvertently agree to ambiguously scoped IT transition services and insufficient ongoing operational support, which can lead to disagreements between parties during deal execution and a slower overall separation process.” In the scenario presented

 

above, the TSA didn’t ensure that the smaller company received the cooperation it needed to investigate and remediate a damaging ransomware attack. In addition, the VC firm buying the smaller company didn’t give cybersecurity the attention it deserved at any phase of the M&A process — and certainly not when negotiating the TSA. This left them exposed during the critical post-close phase.
Validate that IT hygiene best practices are being observed: All parties in an M&A should get assurance that proper IT hygiene is part of the seller’s standard network protocol from the start of the process. As discussed earlier in this series, ideally an IT hygiene assessment is conducted and the results shared with all parties. Assess the cybersecurity deployed: Not only should organizations insist that the company’s IT hygiene is up to par, it is important that cybersecurity maturity is accurately determined. Clearly, if the seller had been using effective cybersecurity and had ensured that all of its endpoints were managed, it would likely have been able to detect and contain the ransomware before lateral movement to other machines — including those of the company being sold. A cybersecurity maturity assessment would also have revealed security gaps that could have been closed well before the ransomware attack occurred or the deal was finalized. Uncover problems with an in-depth compromise assessment: At the very least, the VC purchasing the smaller company should have insisted on a compromise assessment before the transition period began. As described in Part 1 of this series, an in-depth assessment could have revealed the ransomware attack if it had already occurred, and if it had not, it would have uncovered risks and vulnerabilities that could have been dealt with in time to avoid the attack.

Additional Resources

 

Breaches Stop Here