Almost all organisations face significant cyber risks, but the dangers are higher in certain scenarios, such as during mergers and acquisitions (M&As), where you’re looking to bring together two independent domains of technology from businesses that may have very different levels of risk.
The types of risk at a business where most of the information and data is protected behind ring fences are very different from an externally-facing, customer-orientated business where there are lots of points of interaction, notes Sukand Ramachandran, managing director and senior partner at the Boston Consulting Group (BCG).
“In the past everything was using either one or a handful of monolithic platforms protected physically in a data centre and with limited access,” Ramachandran tells IT Pro. “In today’s very different world we have multi-layered protocols where web services may run on cloud platforms and there may be layers of middleware. Every little stack, and interface with the stack, creates points of vulnerability to consider.”
Due diligence matters
When dealing with a merger or acquisition there’s a lot for the boardroom to consider, from potentially differing business cultures to the rationalisation of technology platforms and people. And it only takes one small matter to be overlooked for a security breach to happen, with potentially serious consequences. For example, within a few days of completing a takeover deal by hotel chain Marriott, Starwood announced a security breach. This resulted in a 5.6% decline in Marriott’s share price and, ultimately, a £99 million fine in the UK from the Information Commissioner’s Office (ICO), and a criticism of the acquiring firm's failure to conduct adequate due diligence.
Indeed, this can be a general stumbling block. Tim Hickman, a cyber and privacy lawyer at White & Case, tells IT Pro: "Failure to spot a significant cybersecurity vulnerability is often down to a lack of due diligence."
“In light of this, every business needs to put appropriate resources into investigating cyber security defences to ensure that any significant vulnerabilities are detected,” he says.
Put together the right team
Due diligence is often conducted by a group of technical experts and legal advisors, but in the experience of Jo Stewart-Rattray, founding chair of SheLeadsTech at ISACA, the right people aren’t always involved from the start.
“Acquisitions are sometimes transacted under a cloak of darkness and the CIO and/or the CISO are not necessarily included in the due diligence team. Therefore, issues may not be discovered until after the sale has been completed,” she tells IT Pro.
“I’m currently dealing with issues that have appeared as a result of an acquisition, in fact I’ve been brought in to deal with the legacy systems that are problematic and exceptionally elderly, which in themselves are causing issues that potentially have cyber implications. This could have been avoided by a more thorough due diligence process in which the senior security and technology leaders were included to be able to assess the risks prior to acquisition.”
The solution is to put together a robust due diligence team at the very start, ensuring you have the individuals with the key experience, knowledge and skills in place. According to BCG there should be a designated officer in charge of leading cybersecurity efforts throughout the M&A process, which is often the CISO. They should put in place a team of area experts who can provide in-depth assessments in areas such as penetration testing and data audits.
Evaluating risk is key, and it’s important for both organisations to understand their infrastructure security based on the software, systems and architecture and prepare a risk control matrix. This way the level of cybersecurity risk can be identified and minimised before the merger or acquisition notes Professor Muttukrishnan Rajarajan, Director of the Institute for Cyber Security. “There are also predictive risk modelling methodologies that can be used to understand future threats based on the nature of the businesses,” he adds.
Have a clear strategy in place
Once past due diligence and onto announcing the merger or acquisition, the team should have a clear 100-day plan in place; the short-term strategy. Ramachandran advises that with a clear view of the ‘hot spots’– the points of high vulnerability – the team can focus on securing these and putting in place, and maintaining throughout, robust access management and cybersecurity protocols.
He also notes this is the time to assess the business’ ability to respond to cyber events and recommends roleplaying cybersecurity scenarios with different parts of the business; no matter how busy executives are defining the new organisation. “This helps to ensure they’re also thinking about cyber security risk, as we ask them what their response protocol would be if they had a breach on day four.”
The long-term strategy should then revolve around establishing a more detailed integrated security strategy and governance which includes clear security roles and responsibilities, and, of course, ongoing staff training.
Raise awareness
So many things are happening during M&As that sometimes some of the above steps can be forgotten. The amount of change is vast, but it's imperative not to ignore the inherent cybersecurity risks and ensure cybersecurity is a key part of the merger or acquisitions framework.
“Tuning into these risks will help leaders naturally prioritise,” says Ramachandran. “They’re figuring out what to spend their time on once they know how important it is. It’s just a question of raising the awareness inside an organisation of how critical a cybersecurity incident can be,” he concludes.
