Plant digital systems are not necessarily top of mind when acquisitions are undertaken, reminds Tyler Ward, VP security of Infinite Group Inc (IGI), Rochester, NY. That includes cybersecurity. Organizations are not only inheriting equipment, employees, finances, and practices of the other party—but also the cybersecurity practices (good or bad) and accompanying potential cyber risks.
Yet very few M&A processes measure the cyber-maturity and cyber-risk levels of organizations prior to, and during, the standard M&A due-diligence process. This can prove costly, leaving the most secure organizations exposed to unexpected risk (see later example), force them out of compliance, and even result in taking on an active network compromise or data breach.
To begin to address this gap in M&A due diligence, consider the following questions:
- Are we inheriting a compromised network or unsecured information or non-compliant security posture? What are the potential penalties?
- What new cybersecurity and privacy regulations are we subject to?
- Will we inherit “reputation damage” based on a data breach from the acquired or merging organization?
- Will we be able to control the cybersecurity posture of the new enterprise post M&A?
- Is our current staff and budget sufficient to scale the new enterprise under a larger scope of regulatory and cybersecurity responsibilities?
- Does the poor cybersecurity posture of the acquired or merging organization offer leverage to negotiate a better price?
- Should we give the acquired or merging company an ultimatum to raise the cybersecurity posture prior to M&A or deal with it afterwards?
- When was the last cybersecurity assessment performed and what were the results? Should we demand a cybersecurity gap assessment as part of the Letter of Intent?
This is just a start. The list can go on and include lengthy reviews of specific metrics to gain a complete understanding of the new risks, alignments, and benefits.
Forewarned is forearmed. So, how can the existing M&A due diligence integrate cybersecurity and information security processes? These are the generic activity buckets: Choose a trusted set of standards and cybersecurity framework, conduct a thorough cybersecurity gap analysis and risk assessment, estimate costs around the risks and mitigation, as well as potential penalties for non-compliance, and formulate a comprehensive cyber risk mitigation plan.
Only by delving deep into the risks associated with people, processes, and technologies can you paint a clear picture for informed decisions. By placing the cybersecurity and regulatory posture of organizations under the microscope, businesses can forecast costs associated with various compliance requirements.
Better to learn from others. The following example is presented in the spirit of “learning from your mistakes is good, but learning from the mistakes of others is better.”
A power generation organization with 10 remote sites and staff of nearly 100 faced a challenge in acquiring several remote facilities. Directly after the acquisition of the smaller firm’s IPP facilities, the parent organization set out to conduct an audit of the IT networks with three main goals: Assess security, functionality, and compliance among the independent sites.
The audit resulted in multiple egregious findings that did not conform to NERC-CIP protocols and standards. Several systems were found to be running outdated and unsupported operating systems, personnel were not properly vetted for performing maintenance activities, vulnerability remediation was not taking place, and most importantly, the IT environments were not properly segmented from the operational networks.
The findings were taken to the board room at the parent company, which had begun to schedule and budget for the necessary changes. Immediately linking the smaller and more vulnerable networks to the parent company was not an option because of the risks posed. The mitigation strategy would require several million dollars and tie up company resources. The parent organization subsequently decided to “kick the can down the road” until the next fiscal year with a larger budget.
This proved a costly mistake. Shortly after the acquisition was finalized, an incident occurred. After some suspicious activity on a desktop, several pieces of malware were found that did not have active signatures in known anti-malware databases. This indicated the malware was either new or specifically obfuscated for reasons of stealth.
The malware in question was quickly able to exploit the workstation on which it was residing because of a combination of poor vulnerability management and improper protections at the desktop level. The attackers were able to compromise four other workstations before being detected by an employee. Since the organization did not have strong vulnerability and patch management practices, this left it open to malicious attacks.
The incident response team spent more than two weeks sifting through logs, examining systems, assessing system vulnerabilities, interviewing staff members, and formulating a report. The total engagement cost the organization tens of thousands of dollars in lost employee time, incident response fees, and subsequent mitigation.
This case study confirms what’s already known: Critical infrastructure sectors are under heavy attack by both domestic and foreign adversaries. Many independent power producers, energy brokers, and distribution entities are prime targets and vulnerable to such attacks. Robust cybersecurity processes within the due-diligence program will help ensure that the parent organization isn’t victimized by the oversights and cyber inadequacies of the acquisition target.
About Infinite Group Inc: IGI is a full-scale cybersecurity service provider and developer of Nodeware™, a cloud-based vulnerability assessment solution that performs up-to-the-minute inventory scanning and vulnerability detection to protect businesses from security threats.