Mergers and acquisitions are high-risk endeavors, sometimes with billions of dollars and corporate reputations at stake. But one way to help lessen the danger is by conducting a thorough cybersecurity review during the due diligence process.
The consulting and professional services team at Trustwave works closely with firms across the globe undertaking M&A deals of all sizes. Through our experience, we know that conducting a rigorous cybersecurity review early in the merger process can significantly reduce the possibility that the organizations coming together does not harbor or create a cyber threat that could come to light after the deal is sealed and the systems are merged.
A decision to skip or gloss over this aspect of the due diligence process can prove dangerous and detrimental to reputation. Just ask the large hotel chain or Fortune 500 telecom provider who failed to detect cyber intrusions during the due diligence period of their deals, leading to high-profile public data breaches.
The C-Suite has not missed the importance of lessons, with many executives now rightly asking for visibility into the cybersecurity aspect of any deal being contemplated.
The ramp-up in M&A activity due to COVID-19 has made this task even more difficult as threat surfaces have expanded exponentially as organizations moved to the cloud. At the same time, their staff shifted to home offices in response to the pandemic. So, it’s imperative that any company contemplating a merger or acquisition have a plan in place to include a cybersecurity review during the process.
The Ideal 3-Step M&A Cybersecurity Playbook at a Glance
In much the same way a company will conduct a thorough investigation to determine a proper valuation of the company it wishes to buy, it must also discover its cybersecurity level.
The first step in Trustwave’s process takes place before the deal is publicly announced, or pre-Day One.
This activity involves creating a cybersecurity baseline for both companies involved to discover each firm’s cybersecurity maturity, pinpointing its most valuable assets, and identifying security gaps.
A typical approach used to develop a baseline uses the National Institute of Technology (NIST) Cybersecurity Framework. The framework is designed to give businesses of all sizes a better understanding of managing and reducing their cybersecurity risk and protecting their networks and data.
At this time, a threat intelligence team is brought in to identify any potential risks and security gaps facing the two firms before the merger commences. Next, security workshops with both companies are conducted to identify the “as-is state” of their security and develop the required operations model for the new company, including a review of its SOC/MSSP status.
The cybersecurity plan for the second stage of the merger process starts on Day One, or when the deal is announced.
At this time, Trustwave will assess the operating models and identify synergies between the two companies and then create a strategic roadmap. A Trustwave SpiderLabs team is then brought in to conduct red and purple team testing.
However, the work does not stop when the deal is closed. From post-Day One, the closing date, and for the next 90 days, it’s essential to review the new company and ensure there is no risk exposure. This task is accomplished by:
- Conducting a security maturity diagnostic which re-examines the new firm’s security program maturity and current operating effectiveness.
- Running a threat detection and response (TDR) diagnostic to examine the company’s current technology, its security people, and processes currently in place.
- Transitioning and integrating the new company into the acquiring firm’s MDR/MSS solution.
As the two companies are about to combine, we conduct incident response planning to test the organizations' plans along with executive level tabletop exercises to test the operational effectiveness of the new teams.
The cybersecurity due diligence process cannot ignore the acquisition target’s supply chain, and essentially another baseline has to be created for these vendors. Creating this baseline can be a very complex operation because some companies have thousands of vendors. Still, as we saw with SolarWinds and Kaseya, it’s imperative to know if a supplier is a security problem.
Luckily there are many technologies and tools Trustwave has available to help discover such vulnerabilities and even rate vendors on their cybersecurity capabilities.
Once the security review identifies any problematical third-party vendors, the team can implement a plan to deal with the problem.
Trustwave believes our three-step approach that encompasses the periods before, during and after completion of the deal will help ensure security issues are mitigated to the greatest extent possible.