Prior to entering into a business agreement with another entity, organizations need to identify incompatible business processes, potential integration problems, or unexpected liabilities through a due diligence process.
Traditionally, due diligence focused on business operations, legal concerns, and financial statements; as companies have become increasingly more reliant on data and technology, it is imperative to the security and reputation of an organization that cybersecurity posture, governance, and practices also be regarded. Consider the following when evaluating an acquisition or merger target. Depending on the nature of the business, some areas may pose a larger threat than others and require greater scrutiny.
Organization Cybersecurity Policies and Structure
Assessing alignment between the cybersecurity governance and structure of both organizations can smooth the process of integrating the security program of one company into another, highlight areas of weakness that need to be addressed in the formation of these programs, and prevent potential vulnerabilities or breaches down the line.
1. What policies are in place to govern the cybersecurity function?
What methodologies does the organization use to determine its cyber policies and governance structure? Does the organization benchmark its policies and capabilities against industry standard frameworks such as NIST Cybersecurity Framework, CIS Top 20, or the Cloud Security Alliance’s Cloud Controls Matrix? Are there set policies and expectations for programs – such as patching, remediating vulnerabilities, identity management, and identifying risk – based on these frameworks?
2. Does the company, and the cybersecurity function, clearly understand the organization’s critical assets and data systems?
How is this understanding incorporated into risk management decisions? Companies that have not identified critical assets and systems are less likely to make risk-informed decisions, which means their defense strategy, tool sets, and resource prioritization may not be focused in the right areas and will have less of an impact on the overall security of the organization.
3. How is the cybersecurity function structured and staffed?
Inadequate focus and leadership can impact the security posture of the company. For example, smaller startups may not have a Chief Information Security Officer (CISO), but it is important to, at a minimum, have a senior IT security leader who understands the architecture, engineering, data, and security pieces of their organization and products. This role may be outsourced to a third-party, provided the IT security leader has sufficient access and authority to be effective. Companies without a dedicated information security lead generally have a less organized, goals-driven cybersecurity program and therefore become more inviting targets for attack.
4. Is there an appropriate number of staff and delegation of duties?
Organizations that are understaffed or multi-tasking engineering and operations duties are more likely to miss or ignore issues and vulnerabilities.
5. How is leadership kept in the loop?
Good cybersecurity programs keep leadership informed on how it is monitored and managed. Does the cybersecurity leader have confidence that practices align with corporate policies? Is there a sense of complacency and resultant lack of oversight? How is leadership assessing themselves and setting future goals for security?
Organizational Approach to Cyber Threats and Vulnerabilities
Beyond ensuring cohesion with organizational strategy, structure, and governance, it is vital during the due diligence process to assess whether technical controls and prevention mechanisms are adequate.
1. What is their level of visibility into vulnerabilities?
Proactive identification and remediation of vulnerabilities is key to managing the attack surface of an organization.
- What is the method for identifying vulnerabilities within their IT environment?
- Are all endpoints running within their environment known?
- What are their metrics and Key Performance Indicators (KPIs) for tracking vulnerability management, and how quickly are they addressed?
- Do controls tie back to governance and corporate and regulatory policies?
- Are regular penetration tests performed on the environment to test controls?
2. Can they see attacks?
If a breach occurred, would they likely detect and respond rapidly and effectively before financial or reputational damage occurred?
- What tools, techniques and procedures are employed to monitor for attacks?
- Do these tools, techniques and procedures monitor endpoint security, email, web traffic, and DNS?
- Are insider threats monitored?
- Are the tools tuned appropriately to correctly identify malicious activity without generating excessive false positives?
- Are alerts aggregated and monitored?
- Is there adequate monitoring coverage of the environment during off-business hours and holidays?
- Do they perform “Red Team” or “Adversary Emulation” assessments? These types of exercises mimic the stealthy attack of a real adversary and are important for evaluating their IT security program’s ability to detect and respond to attacks.
3. How do they respond to attacks?
According to an IBM Security report, mature incident response plans, testing, and teams can reduce the cost of a breach or attack by an average of $2 million.
- Do they have an incident response plan?
- Do they have a Security Operations Center or managed service provider that will act immediately to a potential attack or threat?
4. How are threats modeled? Do they perform any other proactive measures to anticipate potential attacks?
Identifying likely threats and modeling attacks allows an organization to understand their attack surface, how adversaries see them, and attempt to exploit them. Are countermeasures in place, and have they mitigated the level of residual risk?
- Do they conduct threat modeling exercises periodically?
- Threat modeling is typically a tabletop exercise.
- Adversary Emulation, a hands-on assessment, need to be performed to mimic the behavior of a real adversary. This Adversary Emulation team enacts the modeled threat and measures the organization’s response.
5. How do they monitor geopolitical threats that can cause a spike in cyber-related activity?
Maintaining a clear understanding of threat intelligence and changing international events will impact threat landscapes and allows organizations to proactively update their cybersecurity strategy.
- Is the organization aware of their threat landscape, particularly from a geo-political perspective?
- Does the company stay up to date on world news and events, and understand how they impact their cyber and organizational risks? For example, sanctions on Iranian banks often correlate to increased cyber attacks on financial services infrastructure.
- Do they have a threat intelligence program? If so, does it provide relevant, timely, and actionable information on the threats specific to their organization? Programs that provide too much data without relevance are generally ignored.
Addressing Privacy and Regulatory Issues
During the due diligence process before a merger or acquisition, organizations should understand the types of data that they will inherit, respective sensitivity levels, and the applicable regulations with which they will need to comply.
1. How do they stay on top of the changing regulatory landscape for both privacy and cybersecurity?
Understanding requirements set forth by the constantly evolving U.S., state, and international privacy laws is critical for organizations to maintain compliance.
- How are regulatory requirements, such as those from federal, state, and international privacy laws, tracked and inventoried?
- How do they measure and monitor compliance against the regulatory requirements?
- Have they had any previous information requests from regulators wanting to examine their operations?
- Have they entered into any legal agreements with regulators required to correct their handling of data or other operations?
2. Are they aware of the sensitive regulated data within their environment and the repercussions of a breach?
Privacy regulators are honing in on companies that fail to protect data and levying fines worldwide. Organizations need a strong understanding of the data they collect.
- What categories of data are collected?
- Do they understand their data lifecycle? How is data collected, used, shared, retained, and destroyed?
- Have they implemented a data mapping strategy to identify where data is stored, internal data owners, and access controls to prevent unauthorized access or disclosure?
- Do contracts with vendors who process their data include strict requirements setting forth the instructions, duration, and types of data subject to processing, and the requirement to inform the company of any breaches without delay?
- Have they had any previous data breaches that met the legal threshold to notify regulators or customers?
3. Is there an audit function providing an independent evaluation of the control environment and adherence to regulations/ law?
If so, is that function internal or outsourced? What standards and frameworks, in addition to regulations, are used for this evaluation? How is the organization managing timely remediation of issues identified?
Supply Chain Risks
An organization’s cybersecurity is only as strong as its weakest link. During a merger or acquisition, an organization linked to third parties with known vulnerabilities or security issues is likely to pass on potential attack paths. Ultimately, performing your due diligence to ensure an effective approach to supply chain security is vital.
1. Is there a third-party or supply chain risk function that addresses the risk that third parties pose to the reputation and security of the company?
- Does the organization have a good grasp of all the third parties that provide products or services, or partner with them?
- How do they perform due diligence prior to onboarding new third parties or renewing contracts? Do they assess and rank third parties by risk?
- How do they perform ongoing monitoring of third-party risks and compliance with established cybersecurity requirements?
2. How is leadership informed and kept aware of the various risks posed from suppliers, both new and existing?
- How are risks managed, monitored, and reported to leadership?
- Do they include risk factors like those in their third-party scorecards and procurement processes?
Failing to assess the cybersecurity program of a mergers and acquisitions target can expose your company to tremendous financial, data, and reputational damage. By asking these questions, organizations will better understand the threats and vulnerabilities of the acquisition or merger candidate.