

Cybersecurity in M&A due diligence: Best practices for executives

Companies wouldn't think of merging with another organization without performing financial or business due diligence. The same is true of cybersecurity.

Mergers and acquisitions represent major moments in a company's journey -- promising new markets, expanded capabilities and strategic growth. Yet beneath this excitement is a challenge to address: cybersecurity.

Just as organizations perform financial and business due diligence during an M&A, they must also perform cybersecurity due diligence. Cybersecurity is, after all, about managing technology risk, and the vulnerabilities exposed during an M&A are as significant as any other risk. No business executive wants to discover they've just inherited a seven-figure breach that has yet to be disclosed.

Let's examine cybersecurity in M&A due diligence, including best practices and ways to determine if you've performed it successfully.

Why cybersecurity due diligence is important during an M&A

During the M&A process, skipping due diligence or barely skimming the surface can have unfortunate consequences. Take inherited vulnerabilities: issues that already affect one of the business partners and risk spreading, sometimes unexpectedly, into the other's environment.

Consider a hypothetical example of an older, mature organization acquiring a startup. The mature organization might have a set of existing security issues, some perhaps stemming from legacy applications such as sunsetted or unsupported products, or size-related problems such as identity sprawl. By contrast, the startup might have issues related to its age: for example, technical debt that leads to code vulnerabilities, authentication and authorization weaknesses, or patching and configuration gaps.

Bringing these two environments together creates a combined set of issues, but also potentially ushers in new problems as challenges intersect. One of the partners might have already suffered a breach, discovered or not, or be in the midst of one.

You also need to recognize that regulatory risks exist, such as when a publicly traded organization acquires a privately held one. The privately held firm might not have the internal controls necessary to accurately report its financial results, a fundamental requirement of the Sarbanes-Oxley Act. Even when two merging firms operate under the same regulatory obligations, they might have interpreted them differently. For example, the HIPAA Security Rule requires covered entities to encrypt electronic protected health information "whenever deemed appropriate," an addressable specification that leaves the determination to each organization. Not every organization agrees about what it considers appropriate. This can cause trouble if, post-merger, you need to explain to a regulator why you determined encryption was appropriate in one place but not the other.

Any of these issues can result in reputation loss; financial repercussions such as remediation costs, loss of business and fines; or other consequences.

Proper due diligence helps prevent these outcomes. Strong diligence won't resolve all the issues, but it will provide a way to discover risks, manage them in the short term and ensure they're resolved long term.

Best practices for cybersecurity due diligence during M&A

The following are some important elements of M&A cybersecurity due diligence. They were selected on three criteria: they apply generally, most security leaders can act on them directly, and they offer the most benefit to organizations. Apply your own reasoning to these and supplement them as needed based on your own analysis and the organization's unique requirements.

1. Start early and include the cybersecurity team in M&A meetings

Security pros know it takes longer to understand risk than it does to understand usage. In other words, "How do I drive a car?" takes less time to answer than "Is this particular car safe to operate?" Merger teams need time to understand and analyze risks.

Organizations must also add the right people to the merger team early in the process to evaluate risks. Security team members must be on the team from day one.

2. Ask detailed questions, request supporting evidence

Gather as much information as possible, as early as possible. Ideally, someone from security is plugged in early. But that's only half the battle. The other half is gathering the information needed to evaluate risk.

Formulate and ask probing questions throughout a variety of key areas, among them past breaches, incident response maturity, regulatory compliance, operational security processes, product security, and authorization and authentication.

Ask for evidence that validates the answers received. Collecting the evidence is particularly important. It's not because people sometimes misrepresent things, though this does happen; rather, well-meaning and honest people sometimes misunderstand or make assumptions that cause them to answer inaccurately.

3. Read the docs

Request and read relevant documentation, placing particular emphasis on materials generated by third parties, including third-party audit data, external assessments and third-party penetration testing results. Review the information from two different perspectives: the intended design, using policy and procedures; and actual implementation, using technical evidence.

4. Establish a secure communication path

Create a way to request and receive extremely sensitive material securely. This should be obvious, but you'd be surprised how often people don't consider it. Internal-facing resources, such as SharePoint or Slack, aren't a good option, for the following reasons:

  • Many of the people with whom you're sharing data aren't in your identity infrastructure, yet they still need strong authentication and authorization.
  • The sharing location must be something you can tear down quickly, for example if the deal doesn't go through, with proof that all data was destroyed.
  • It's not safe to assume counterparties have the managed hardware, network access or other prerequisites your internal tools require.

Whatever communication path is chosen, be aware of policies in either organization that limit where and how information can be shared. You don't want to violate policy or unknowingly create a downstream audit issue.

5. Identify risks and business impacts

As data is collected, identify, assess, prioritize and report risk information to stakeholders. For example, you might uncover dangers that could imperil the continuity of operations post-integration. You could also uncover issues that affect the value of the deal, such as an unpatched zero-day vulnerability in the flagship product or an inability to meet service-level agreements.

Present the findings to stakeholders in two ways:

  1. The technology risk you'll need to mitigate as integration occurs.
  2. How the risk could affect the business now, as well as long term.

This is a little different from a typical blue-team-focused security risk exercise. Be prepared to conduct this kind of detailed business-level analysis and framing.

6. Plan for integration

Identifying the risk areas isn't enough when conducting M&A cybersecurity due diligence. You must also use a risk lens to assess where the two organizations are most, and least, compatible. Consider the compatibility of policies, identity, technologies, tools, the security program and the risk management strategy of the organizations more generally, as well as other operating issues.

You must also understand the business strategy -- in particular, how the acquisition target dovetails with existing plans. For example, a holding company adding a new subsidiary to its portfolio measures integration much differently than a company that wants to add the new company's merchandise to its existing product line. Early involvement aligns your analysis with the intended integration strategy.

How to evaluate cybersecurity posture post-M&A

Due diligence doesn't stop when the deal closes. The following are some key activities to incorporate once the merger is completed:

  • Validate risk treatment. Ensure identified risks have been closed, treated or otherwise mitigated.
  • Execute an integration roadmap. Perform any security-related execution activities to support the integration strategy, paying particular attention to challenging areas such as identity and access management.
  • Baseline the combined risk assessment. Understand the new risk landscape over time. Even though you constructed a detailed risk analysis as the deal unfolded, post-merger is a good time to refresh risk assessment activities.
  • Adapt monitoring to new baselines. Establish a new monitoring baseline. Usage habits, technology makeup and many other technology consumption aspects are likely to change.
  • Enhance threat hunting. A defined period of active threat hunting can help minimize the chances of inherited compromise, such as an attacker already persistent in the acquired environment or dormant accounts and credentials that still work.
  • Review policies and processes. No two organizations have identical policies. Train and test staff on changed policies, new systems and processes, and other security-relevant areas that might have changed.
  • Synchronize regulatory compliance. Understand where the compliance policies within both organizations differ. Explicitly test for and track this.
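The "dormant access" item above and the identity and access management work in the integration roadmap are where a hunt usually starts. The following Python script is an added example, not code from the original article or from SecurityCurve: it reads an identity export from the acquired company and flags accounts that have never signed in or have been idle past a threshold, privileged accounts without MFA, and privileged service accounts whose owner must be confirmed. The CSV columns (user, last_login, mfa_enabled, privileged, type), the 90-day threshold and the deal-close date are assumptions; the sample export is constructed data.

```python
"""
Post-merger hunt for dormant and weakly protected accounts in an acquired
company's identity export.

Added example; not code from the original article or from SecurityCurve.
The export columns (user, last_login, mfa_enabled, privileged, type) are a
hypothetical format; map them to your real IdP's export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export for the acquired company (not real data).
# An empty last_login means the account has never signed in.
SAMPLE_EXPORT = """\
user,last_login,mfa_enabled,privileged,type
alice@target.example,2024-05-30,true,false,human
bob@target.example,2023-11-02,false,true,human
svc-backup@target.example,2023-01-15,false,true,service
contractor1@target.example,,false,false,human
carol@target.example,2024-06-01,true,true,human
"""

DORMANT_DAYS = 90                # assumed threshold; align with the combined access policy
AS_OF = datetime(2024, 6, 15)    # assumed deal-close date used as "now"


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_login"].strip()
        rows.append({
            "user": row["user"].strip(),
            "last_login": datetime.strptime(last, "%Y-%m-%d") if last else None,
            "mfa_enabled": row["mfa_enabled"].strip().lower() == "true",
            "privileged": row["privileged"].strip().lower() == "true",
            "type": row["type"].strip().lower(),
        })
    return rows


def hunt(rows, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return {user: [reasons]} for every account that needs review.

    Dormant accounts are the classic inherited-access problem: they still
    authenticate, nobody owns them, and nobody notices when they are used.
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {}
    for r in rows:
        reasons = []
        if r["last_login"] is None:
            reasons.append("never logged in")
        elif r["last_login"] < cutoff:
            reasons.append(f"dormant since {r['last_login'].date()}")
        if r["privileged"] and not r["mfa_enabled"]:
            reasons.append("privileged without MFA")
        if r["type"] == "service" and r["privileged"]:
            reasons.append("privileged service account: confirm owner and rotate credentials")
        if reasons:
            findings[r["user"]] = reasons
    return findings


def ranked(rows, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Order findings for the integration team: privileged accounts first,
    then by number of issues, so the highest-impact cleanup happens first."""
    findings = hunt(rows, as_of, dormant_days)
    privileged = {r["user"]: r["privileged"] for r in rows}
    return sorted(findings.items(),
                  key=lambda kv: (not privileged[kv[0]], -len(kv[1]), kv[0]))


if __name__ == "__main__":
    for user, reasons in ranked(parse_export(SAMPLE_EXPORT)):
        print(f"{user}: {'; '.join(reasons)}")
```

Run against the sample, the script flags the backup service account first (dormant, privileged, no MFA), then the idle privileged human account, then the contractor who never signed in; the two active, MFA-protected users are not reported. In practice the same pass should be repeated against every directory the acquired company runs (cloud IdP, on-premises AD, SaaS admin consoles), since inherited access rarely lives in only one of them.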

Due diligence isn't a fire-and-forget exercise. Full integration and alignment can take months or even years to complete. Treat the time post-merger as you would any other long-term activity. Use whatever assistance is available, such as project management resources, provide periodic stakeholder reporting and keep solid records over time.

Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.
