Cyber due diligence is about understanding a company’s cyber maturity prior to an acquisition, with the ultimate aim being to limit the likelihood of reputational damage and financial losses through cyber attacks further down the line.
Examples of where cyber breaches have been discovered during the M&A process or shortly after;
The first is when Verizon and Yahoo merged in 2017. Verizon reduced its offer by $350m after previous breaches were disclosed. This also meant Yahoo had to modify their terms with Verizon.
Marriott was fined £18.4m in October 2020 by the Information Commissioners Office after a breach affected 339m guests globally. The initial breach occurred in 2014 against a company called Starwood. Marriott acquired Starwood two years later. After the acquisition, the cyber attacker continued to access personal data into 2018.
These examples demonstrate the importance of cyber due diligence in the M&A process.
Recent press surrounding the SolarWinds cyber attack has brought a specific focus on third party cyber assurance. By compromising a third party vendor and attacking via the supply chain, attackers were able to access vast quantities of commercial intellectual property as well as Government information. Third party attacks, where the supply chain and subsidiary companies are used to attack, are likely to be an increasing trend going forward. This cyber breach highlighted that all companies small through to large need to ensure they have a strong cyber security program in place with detection capabilities and tested incident response plans.
What are the key indicators of a cyber mature company?
For smaller companies and start-ups, it is unreasonable to expect investment in a full security operations centre. However, for a cyber mature company you would expect some of the following;
- A clear cyber strategy, budget and baseline;
- Staff training such as phishing awareness, data security or personal online security;
- Regular penetration tests;
- Certifications and frameworks – look for ISO27001 or alignment to NIST (National Institute of Standards and Technology, part of the U.S. Department of Commerce);
- Third party cyber assurance and management of global security ratings; and
- Dark web reviews – looking for leaked credentials, leaked intellectual property or active targeting.
Alongside lost credentials, phishing campaigns are a primary method of gaining access to target systems. During our own Red Team engagements, we often start with a simulated phishing campaign to breach client systems. A successful click on a link or an unwilling target downloading malware on to client systems can result in attackers downloading the ransomware mentioned above onto your network.
Alternatively, an attacker may seek to control your network, accessing and exfiltrating your company's crown jewels; be that intellectual property, financial information and funding, or client and personal information for sale to the highest bidder.
Closing the deal
A company's cyber security strategy and a clear understanding of its level of cyber maturity are selling points often overlooked by management during a sale. The primary focus of the management is on selling their intellectual property, inventory and access to potential buyers.
Conversely those purchasing and investing in companies often misunderstand the vulnerable position they unwittingly put themselves in by integrating insecure services into their structure, or worse, services that are already compromised.
The last situation a buyer expects to be in is on the receiving end of a hefty fine from the Information Commissioner’s Office or having their newly acquired asset being subjected to a ransomware attack.
Reviewing cyber maturity in any merger and acquisition should be a core consideration in today’s digitally connected world.
Get in touch
If you would like to speak to a member of our M&A team, please click button below to arrange a call.