Importance of Cyber Security in Mergers and Acquisitions
Cyber security in mergers and acquisitions is a critical aspect that businesses cannot afford to overlook. We now delve into the importance of integrating robust cybersecurity measures during these complex transactions. By understanding the potential risks and implementing effective strategies, companies can protect their valuable assets and ensure a smooth transition. Discover the key considerations for maintaining strong cyber security in mergers and acquisitions.
A Rapid Introduction to Mergers and Acquisitions
Merger and acquisition consulting is a huge area of consulting, with a myriad of different streams. For the purpose of this article, I’ll be discussing cyber security in mergers and acquisitions only.
Mergers and acquisitions refer broadly to the practice of a company buying another company (acquisition) and combining resources (merger). Some companies acquire competitors to increase their own dominance in the market, while others acquire companies that add value in areas they lack. Both methods allow a company to grow in size and stature but ultimately M&A is a practice of increasing a businesses value.
Let’s take a made-up example of ‘Ted’s tools’, Ted wants to grow his business to dominate the tool market, but as an independent, he isn’t able to buy B&Q, and B&Q don’t want to buy ‘Ted’s tools’. Ted COULD expand and open a tool shop in a neighbouring town or city, but the competition is too rife. Ted decides to buy a local coffee shop brand and move it into his tool shop. He’s now created a unique buying experience, people can come for the tools and stay for the cake. Not only does this grow Ted’s business it also moves him into a niche market on the periphery of his competitors rather than struggling to tread water on the underbelly of his competitors. ‘Ted’s tools’ can function as a unique experience, whilst having the strategic vision to grow that experience out to other regions. However, should the cost of buying the coffee shop brand cost more than ‘Ted’s tools’ could predictably make in a set time it would prove worthless.
The simplistic view of M&A applies to all companies regardless of size and industry. Ultimately there needs to be an increase in value from the combination of the 2 organisations coming together, something that can be significantly impacted by a number of factors, one of which is cyber security and data protection. Let’s look at Verizon who bought Yahoo in 2017, Yahoo had to disclose 2 (high profile) data breaches which ultimately cost them $350 million, when it was knocked off their sale price. That on top of the expenses of investigating and crawling back from the breaches themselves is a hefty price tag.
Why mergers and acquisitions can make businesses vulnerable to cyber attacks
The Purchase
Purchasing a compromised or significantly weakened business can significantly impact the acquirer’s reputation. The key thing here is to concentrate on uncovering security flaws as early in the process as possible to align the breach disclosures to the name of the (to be) acquired company and not that of the acquirer. The acquirer can then make a strategic decision to;
a) avoid the acquisition altogether,
b) try to negotiate a reduction in price, or
c) blame the old brand and undergo a rebrand. . . or maybe
d) pay absolutely no attention to this advice whatsoever.
It’s a tricky business to keep M&A’s quiet and when you’re trying to grow, why would you want to keep a project like that lowkey? It’s exciting news! However, a project like this puts both businesses in an extreme moment of weakness and instability, which is the perfect time to launch an attack
Attacking during mergers and acquisitions
Why is it a great plan to attack a company during merger and acquisition projects?
- Network, system and user activity is expected to get weird. The technical merge of systems and processes means there is room for unprecedented and unpredictable activities which are great for an attacker to blend in to.
- The merging companies won’t have a solid Incident Response Plan that is dependable at the time of the merge.
- It’s easier to point the blame on each other when two working cultures are being thrust together, which often creates a situation rife with office politics.
- there can be an overlap of roles, leading technical workers, such as network engineers to make assumptions about the activity being attributed to new and merging teams.
- Ineffective vulnerability management can lead to one company encompassing pre-existing vulnerable technologies and practices into their ecosystem. Essentially providing a free ride for attackers.
Risk acquisition
When a company buys another company it also acquires its risks. An unsanitized compromise in network A leads to a compromise in network B, depending on how those two networks or environments are integrated. Suggesting the fault of a high profile breach is the fault of the smaller company you purchased a year ago isn’t going to go down very well with customers, partners and investors. At best it will fall on deaf ears but it’s still your brand now on the line.
Companies that manage the risks with cyber security in mergers and acquisitions better than others are inherently more valuable than those that don’t. Especially if their value is determined by intellectual property and data assets.
Increasingly acquiring entities are expecting evidence of how a company of interest has handled its risks and data. So how do you demonstrate data protection and cyber maturity? I am so glad you asked.
The easiest way you can demonstrate cyber defence maturity and risk posture is to;
- Align to a respected framework. Check out NIST documentation, it’s free.
- Have a risk register and actually use it. Document risk, mitigate risk and be able to evidence that.
- Have a respectable amount of governance applicable to your business. For example, ‘Teds Tools’ does not need to have a 500-page data protection policy but maybe Yahoo did or should have.
- Make best efforts to protect infrastructure and data. Check out CIS control assessments for maturity posture, it’s useful, brilliant and free!
Threat Intelligence
Cyber threat intelligence needs to be applicable to both the company being acquired and the acquirer. Ie, if both companies are retail, likely the CTI knowledge will already be applicable and work well if the companies are in different industries or different regions this needs to be taken into consideration.
Insider threat
We’ve established that threats are heightened during the M&A process, but the heightened threat does not always originate from external factors. Huge cultural overalls on employees are potentially a breeding ground for resentment if handled incorrectly. Don’t underestimate the impact on employees and the subsequent impact on cyber defence.
A company with inherently poor cyber security cultural awareness being merged with a company with a more mature program can and will dramatically increase the level of risk to the overall purchasing company. An assessment of the current state of training & awareness in the acquired company is a must before anything moves.
Cultural impact and managing the human impact of change is a complete area of specialism outside of the remit of this book, for now, we will concentrate on the technical and business process and impact management.
Common mistakes (despite best intentions!)
Below are some of the mistakes, or tricky decisions witnessed in M&A cases, and are things you should probably try to avoid.
Implementing machine learning and user behaviour analytics
Machine learning and UBA are not the silver bullets and are wildly inappropriate for M&As.
When these technologies are applied to an environment they have to take time to baseline behaviours to define normal and alert on deviations of normal. It’s quite puzzling to understand how many companies believe this is a sensible approach in a time of predictable unpredictability. This time and complexity to learn and baseline your environment(s) can cause more harm than good during M&A sending analysts on wild goose chases, wasting time and even baking bad or nefarious behaviours into your system defined as ‘normal’. In M&As the process is transient and abnormal, the defence approach must accommodate for this.
Endpoint detection and response for M&A
Although rolling out endpoint detection and response (EDR) is expensive and laborious, agents such as OSquery and wazuh are a great idea for a transient piece of work that could otherwise be a huge endeavour bearing few fruits. If the company being acquired is small, has intellectual property, or highly sensitive systems it should absolutely be done where possible. Speak to us about help with this.
Leaving policies and process alignment until after or during the merger
Trying to construct policies, standards and processes alongside a merger will at best waste your time and at worst, cause actual confusion which leads to risks and money down the drain. Supporting documentation is incredibly important, but trying to do this alongside the M&A project will prove fruitless. Do your best to agree on governance prior to the project and make clear the policies that take precedence during the integration of technical systems.
Developing the aspects first
Moving forward with technical projects as a result of M&A is tiresome but is known to be exciting and testing for dedicated professionals. Allowing technologists to jump in with the good stuff can lead to deviations away from the strategic vision of the project, result in higher spends and without a strong programme manager to pull handle the reins will mean the project falls flat, which happens, often.
Building cyber security in mergers and acquisitions
Just like the information security industry has been stomping its feet for years saying security should be baked into code from the beginning and we should be moving left. . . .We need to apply the same sentiment to mergers and acquisitions.
Strategic vision
If an end goal isn’t decided upon by the board members and key stakeholders then the project is doomed to fail. Benjamin Franklin said it best “If You Fail to Plan, You Are Planning to Fail” and cliches are cliches for a reason, normally because they are true.
If business leaders cannot define the X on the map then there is no route to follow to get to the destination. It is not up to the technical teams to define the overall project and its destination, but rather it’s their job to define the technical route to integration followed by the implementation of that integration.
The time frame should be determined as part of the overall strategic vision, even loosely,
With cyber security in Mergers and Acquisitions, the roadmap time frame should be doubled to include the technical integration plan.
Technical integration - what Is a technology integration plan?
This is a defined, understood and agreed upon design for the integration of technical systems and processes, structured in an order of urgency and dependency. Business needs must take precedence over other preferences, but technical dependencies need to be well understood prior to kick off.
For example; implementing SSO (Single Sign-on) may be high on your to-do list. However company A may be using Google Workspace Gmail, which B are using O365. Asking the questions; Is it more important to get the company into a functioning operational and profitable state keeping the current email set up better for the business than running a project to merge all emails leaving the remaining project dependent on the success of that project? Probably not.
The importance of an integration plan
Like a strategic plan of action from the board and stakeholders of an M&A dictates the outcome of the success of the overall project, a technical integration plan holds as much weight, if not more. It is on the shoulders of the architects, technologists, project managers to make the Merger happen in the way agreed. This simply cannot be done without a plan. My advice is always to create an implementation plan and create it early!
Make sure whichever leads are required to be involved in the design of the technical implementation process are involved in the acquisition plan design because their input is so valuable to the entire M&A success. The merger is not a success if the integration is not a success.
Think about what end state you want to reach before you set off designing the journey. Some businesses make the mistake of acquiring a business that cannot be integrated or simply not planning far enough ahead where technology is concerned and almost writing the map as they are travelling. The cleaner your implementation plan the cleaner your implementation.
Pulling together a technical implementation plan
An M&A, although referred to here as a project, is actually a series of projects held together by one or more programme managers who should be able to answer the following question set in order to successfully pull together an IT integration roadmap that delivers the goods and has a marginal negative impact on overall business delivery.
People
- Who do we need?
- Why do we need them?
- Can we afford them?
- Are they available?
- What impact will this have on current BAU procedures?
Process
- What will our QA process look like?
- What is our approach to technical migrations? Clone and cleanse? Build from scratch?
- What will our project operating rhythm look like?
- What does our project change process look like?
- How will we conduct impact assessments on both businesses?
Technologies
- What communication tools will we use?
- Which tools will we use to keep on top of our workstreams?
- Which technologies will the project depend on?
- What does the ‘future state’ technical architecture look like?
- What technical entanglements are there between existing systems? How can these be untangled?
Defining the workload
A security-focused merger and acquisition does not just concentrate on tools used by technologists but all tools used throughout the business. A HR system for example that is being removed or ingested into another may affect integral business processes such as hiring and firing people, or accounting software changes could impact payroll all of which can have a profound impact on cyber security and data protection. It is therefore important to understand the asset inventories of both parties and have impact assessments conducted against the most business-critical assets before migrating business-critical data to new systems.
Ultimately the project overall needs to look at processes, applications, infrastructures and business operating procedures currently in use to understand how far away the companies currently are from the target end goal. They must work to define where consolidations can be done, where sacrifices are to be made and which areas are mature enough to take precedence over the other.
So how do we define and plan for a technical integration?
Here is a list of questions to answer that may help you to identify the best route to full integration.
Questions to ask:
- What is the end goal of the M&A, the strategic vision as a whole?
- What do we want to end up with from an IT point of view? (high level)
- What is the high-level plan to get to that goal?
- Has the high-level plan been threat modelled?
- What are the technical requirements to get to that goal?
- What are the technical requirements for specific technologies, business units, employees and processes to get to that goal?
- How well is the acquirer prepared for the integration?
- How well is the acquiree prepared for the integration?
- In what order should technical resources be integrated?
- Can this be chopped into different projects? (how many? What hierarchy?)
- How will we keep track of integration?
- Do acquiree systems physical or virtual require moving (physically, or domain…)
- Can the current acquirer infrastructure and finances sustain more load?
- Does the acquirer understand their current baseline well enough to understand the level of impact from system integration?
- Has the acquiree disclosed their risk register and have unacceptable risks been eradicated prior to the project start?
- Do we have overlapping vendors and can they be consolidated?
- What is the change management process? Is there one?
- Are we going to run into the cultural concerns of the technologists?
- Whose policies are more mature and take precedence during M&A? (will the acquiree use their own of those of the acquirer?)
- How will disparate data from the separate organisations maintain its integrity?
- What is the strategic sequence that applies to the technical delivery of these projects and is that defined clearly to all stakeholders?
- Do any current vendor agreements on either side hinder the project and what can be done about it?
- What does the current supply chain look like and what will it look like during and post-integration?
- What do the newly acquired suppliers need to do in order to satisfy the new security demands?
- Do policies and laws need to be taken into account to accommodate the growth.
- What is the minimal viable success? – full system integration, maybe but what does the overarching company need as a priority to maximise profits and maintain productivity?
- What are the key deliverables aligned to the deadlines?
- Identify adversarial risks of the acquirer and acquiree, does the adversarial landscape change as a result of the merger and in what way?
- Will a change in threat landscape mean transient precautions are required during the project?
- If defence tools are in place, have we agreed which adversarial TTP’s should be incorporated into defence mechanisms and at what point?
- Who is in charge?
- What is the escalation process?
- What is the defined organisational structure in the executive vision?
After the integration plan is defined individual streams need to be considered and it’s advisable to recycle through some of the above questions with specific streams in mind. I.e.
If both entities have a SIEM, which is more mature? How can that be identified?
How on a technical level will rule sets, use cases and tickets be exported and imported into the new SIEM, is this even possible? Would it be better to stick with one?
If not, then how will the threats facing both businesses be understood and defended against in conjunction with one another?
Security specifics in planning
More isn’t better in cyber defence, scale back what you have, cut it down to what’s important. UBA is going to be distracting and resource-intensive, penetration testing is going to be irrelevant a week after it’s done, vulnerability management is going to floor you with remedial actions, in the case of an M&A technical integration visibility is the priority. If there isn’t a SIEM or logging and monitoring in place there needs to be.
Let’s get slightly more detailed and consider the security considerations to apply at the particular stages of the process, Preparation, active integration, post-integration and finally how is this closed down?
Pre-merger and acquisition security assessment
Not all considerations will be applicable to all M&A projects.
- Asset Inventory
- Ecosystem inventory (suppliers, partners and customers)
- Compromise assessmentAV test
- Historic compromise
- Ongoing compromise
- Necessary penetration testing of critical internet-facing systems.
- Vulnerability assessments
- Historic data breach and compromise disclosures. Is valuation affected?
- Maturity and risk assessment. Improvement plan
- Risk register Is valuation affected?
- Itemised order of magnitude and order of development.
- Risk profile of the company to be acquired
- Cybersecurity risk to the acquirer.
- Asset discovery
- Critical system endpoint security monitoring.
- Security culture check.
- Data security and intellectual property protection assessment.
- OSINT activities
- Plans must align to the configuration standards of the acquirer.
- Ensure data flows are understood
During IT security integration
Not all security considerations will be applicable to all M&A projects.
- During integration’ security monitoring i.e., a transient SIEM. (Check out PocketSIEM).
- East/west traffic monitoring of critical environments.
- Critical server monitoring only
- Critical security log monitoring only
- Incident response capability
- Testing environment
M&A project SIEM
SIEM, security logging and monitoring on east/west traffic will give you insight into the technical aspects of your merging technologies. The problem is that SIEM is expensive and time-consuming to deploy and configure. In many cases, the deployment of the SIEM can take as long or longer than the merger, and the licensing models won’t allow for the transient nature of the project. PocketSIEM has an open-source short term SIEM/SOC service specifically built with merger and acquisition in mind, drop them a message on [email protected].
Post M&A
Not all considerations will be applicable to all M&A projects. With the fact that integration projects out last M&A projects significantly, consider doubling the length of a cyber security in Mergers and Acquisitions project to reach an optimistic integration end date. Upon completion of the merger and acquisition technical implementation, security considerations in the following areas are worth attention.
- Vulnerability assessment of new/merged systems and tools.
- Zero-touch security assessment in ICS environments.
- Sense check of structures, roles, processes and teams
- Process and budget optimisation purple teaming assessment.
- Run a post-implementation purple team engagement to understand your defence capabilities against the newly introduced threats and vectors.
- As a result of the M&A what are your new crown jewels and what is your new defence strategy or does the previous one satisfy?
Close down
Not all considerations will be applicable to all M&A projects.
- SIEM removal
- Endpoint removal
- Reporting
- Security policy, standard and process update to reflect changes
Organisational structure
Larger companies should look at ways to have dedicated senior resources committed to M&A, in both technical and non-technical aspects. These projects although a huge resource drain needs to occur alongside existing business operations, regardless of the sector. It is therefore paramount that dedicated senior resources must remain in place for business continuity. This can be achieved through re-prioritising workloads, using contracting associates or by rotating resources, for example, it’s unlikely that you’ll need specific system administrators on a task continuously, but rather different administrators should be deemed a dedicated resource at the point of integration which they are needed.
For acquiring businesses that have an internal SOC some Security analysts should concentrate on the holistic security view while others should be 100% dedicated to monitoring the security and behaviour of the systems being integrated in line with the project plan.
Both streams need to be distinct. It will be incredibly important to make sure internal SOC analysts are aware of significant changes such as configurations and new system onboarding. Without transparency, a SOC can find they become preoccupied with a red herring and this inefficiency can act as a smokescreen for legitimately bad behaviour.
The road map to success: organisational tips
- Identify which projects can run concurrently.
- Decide on deadlines
- Be clear on potential bottlenecks and hindrances; for example christmas change freeze.
- Negotiate contracts and decide on which systems and tools to maintain and which to dump based solely on business need and not technologist preference or trend.
- Create a glossary of terms for both parties, both businesses need to speak the same language.
- Agree on one Escalation process, not multiple.
- Eliminate overlap and redundancy (ppl process and technology) – Ruthlessly move on.
- Push back on unnecessary demands and requirements.
- Avoid planning fatigue and meetings for the sake of meetings.
- Stick to the scope, do not go off piste.
- The project delivery teams need to have access to one another’s calendars to avoid unnecessary back and forth trying to negotiate meeting times. This should happen very early.
- Agree to disagree, then agree to Agree and move on.
- Change management is crucial to the success of implementing M&A securely.
- Implement a steering committee to assess incremental goals.
This ebook may be overkill, it probably is in the majority of SMEs especially, but let’s end on this note; Companies at the best of times struggle to keep on top of their cyber security in mergers and acquisition. Businesses that grow through mergers and acquisitions struggle 10 fold. Not implementing good cyber defence strategies during technical mergers and acquisitions will lead to long term damage presented as;
- Overspend
- Delayed timelines
- Unintended operational silos
- Differences in ways of working
- Disjointed risk appetite
- Mixed defence maturities
- Different cultures
- Duplicate functionality in technologies.
- Underutilised tools and teams
- Residual risk
Prioritising cyber security in mergers and acquisitions is essential for safeguarding your organisation’s assets and reputation. By addressing potential risks and implementing robust cybersecurity measures, you can ensure a seamless and secure transition. Stay informed and proactive to protect your business during these critical transactions.
Find out how th4ts3cur1ty.company can help you with cyber security in mergers and acquisitions, contact us on [email protected] or +44 20 8133 0660.
