Cyber Risk:  A Key Consideration for Mergers & Acquisitions

WHITE PAPER

BULLETPROOF™, a GLI company has partnered with Cyber Risk Management Group since 2019. Cyber Risk Management Group specializes in emerging innovations in cyber risk management, helping clients proactively secure business-critical IT assets and operational functions, reduce the attack surface, and maximize return on investment. As a result of our partnership, we utilize innovative tools such as the RiskSense platform to help customers identify vulnerabilities and risks within their business operations.


While 2020 has seen a slow-down in mergers and acquisitions (“M&A”), a recent survey of 1,000 U.S. corporate M&A executives and private equity firm professionals found that a clear majority expect M&A activity to return to pre-COVID-19 levels within the next 12 months.* The real news, however, is the extent to which M&A activity increasingly includes careful consideration of cyber risks.

The article titled "Reducing the Risk of Mergers and Acquisitions" published in Security Intelligence magazine stated that cyber risk and cybersecurity play a critical role in unlocking M&A deal valuations. Since many analysts predict that M&A deals will increase within the next few years, it is important to get cybersecurity leaders involved at the forefront. Companies that consider security and risk in their strategy, planning, and valuation activities during pre-acquisition will be able to uncover potential liability issues and avoid operational costs in the long run.

*Deloitte Future of M&A Trends Survey


Growth in Cyber Attacks Worldwide

It is not surprising considering the tsunami of threats and attacks this year alone. Consider that in just the last 6 months:

  • 80% of global firms surveyed reported an increase in cyber attacks this year!
  • COVID-19 is associated with a 238% rise in cyber attacks on banks.
  • Phishing attacks have seen a dramatic increase of 600% since the end of February 2020!
  • Spear-phishing attacks rose by nearly 700% in March 2020. Most were related to COVID-19.

Hidden Threats to Valuation

As companies, advisors, and banks consider their M&A roadmap, an assessment of a target company’s cyber risk profile is now a business-critical element of the due diligence and valuation process. In addition, senior managers and organizational consultants will need to increasingly consider how to bring two different IT Security shops together and establish a baseline approach to policies and procedures.

“From a growing attack surface and the increased use of open-source software to legacy organizational vulnerability deficits and labor-intensive, manual remediation management, it is challenging to scale up an IT security organization in the face of today’s cyber threat environment,” said Mark Fidel, RiskSense Cofounder. “It really is all about understanding each company's Vulnerability Risk Rating as well as assessing each company’s IT Security policies and procedures.”


Acquiring a Compromised Asset

Brandon Hoffman, CISO, Netenrich recently published an article “Cybersecurity Risk Factors, M&As in the Age of COVID-19” that focuses on the business-critical importance of understanding a company’s assets in the age of accelerating cloud adoption and the remote workforce.

In addition to a more thorough assessment of the cyber risk of a potential acquisition or merger partner for legal and financial considerations, there is an organizational imperative for the parent company to carefully assess the potential risks to the parent’s current cybersecurity and risk management programs. Trying to manage the parent company’s cybersecurity programs while “inheriting” a new one with significant issues and risks can serve to compound risk.

One of the emerging risks in acquiring companies is the extent to which the acquired company represents a new attack vector for the parent organization. “No matter how strong your IT Security policies and procedures and the maturity of your cyber risk management programs, if your company acquires another company that has or is at significant risk of breach due to any number of reasons, you just paid for bigger problems,” said Mark Ramsey, former CISO of a major global precision manufacturing company and Director of the Cyber Security Program at Fairfield University. “Trying to play catch up and accelerate the improvements of a new IT security program while dealing with your parent company’s growing attack surface and increasing scale, scope, and sophistication of attacks can be daunting.”

Prior to COVID, any CISO you asked would have told you that their biggest fear is not knowing what is on their network. Mergers and acquisitions pose the biggest risk because, from the business standpoint of a financial transaction, the goal is to add the new corporate assets as quickly as possible. In today’s remote-worker world this means a higher likelihood of introducing an acquired company whose infrastructure may not have the same remote access rigor that the acquiring company has. The bottom line is that you may have exposed your company to increased risk from external users who are now inside threats.

Aligning IT Security Programs

Ok, so you have concluded additional focus and expertise are needed to more fully address potential cyber risks in your M&A plans. But how do you actually perform an assessment given the often large scale and scope of a company’s attack surface, different IT security tools and programs, and the inherent friction of two different IT Security teams viewing things differently?

Earlier this year, Gus Fritschie, Vice President of Security Services at Bulletproof, a GLI company, assisted two major publicly traded companies in a pre-merger cybersecurity risk assessment. He had to address several business-critical considerations: how to quickly and effectively manage a large sample of recent scan data from across each organization, and then how to apply a vulnerability risk assessment methodology that would be objective, substantive, and instructive from an organizational perspective.


“These two companies represented large attack surfaces, had different enterprise scales, and the maturity of their information security practices and processes were variables that had to be considered. They also needed an assessment approach that was reasonably fast to implement, straightforward to understand and then actionable for the information security teams that would be combining post-merger. We needed an innovative approach to managing and organizing tens of thousands of scan data files across multiple sites and get to some bottom-line findings quickly. We also had to find a way to effectively communicate the assessed risks in a way that brought the two IT Security shops together on the same page.” - Gus Fritschie, VP Security Services, Bulletproof

To speed the assessment and communicate the results in a way that both organizations would be on the same page, Gus brought in the vulnerability risk experts from RiskSense to utilize their nationally recognized platform and automated prioritization engine. Working with each of the merger partners’ IT Security teams, Gus and Glen Bradly, RiskSense Senior Solutions Engineer, ingested recent vulnerability scans performed by the target organizations from over 70,000 IT assets from each company. Using the RiskSense platform’s flexible capabilities for grouping and filtering, and applying their unique Vulnerability Risk Rating (known as the “RS3” score), the merger partners received detailed reports customized for their respective organizations, while also having access to the RiskSense dashboards for detail, including links to recent threat intelligence and remediation recommendations. At the same time, Gus performed an audit and assessment of each organization’s IT Security policies and procedures.


“With the fast-paced schedule and a diverse group of stakeholders in each organization, using the RiskSense platform was invaluable not only for the speed to value and the objective, data-driven scoring methodology but also for the way it helped two different IT Security teams align together," said Gus. "Being able to access the RiskSense dashboard, collaborate with Bulletproof and RiskSense experts, and drill into the details was really important and valuable for both merger partners.”

The fact is that, even before COVID-19, all organizations were facing a ransomware epidemic and a rapid escalation of the scale, scope, and sophistication of cyber threats. Today, leading cybersecurity organizations are stressing a more proactive and preventative approach.

For example, Gartner's top CISO projects for 2020 – 2021 include: “Remote workforce security…with zero trust network access” and “Risk-based vulnerability management including bringing in additional information in the form of threat intelligence, attacker activity reports, and internal asset reports to help organizations better identify which flaws to fix first.”
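The risk-based vulnerability management that the Gartner quote describes, and the scan ingestion, grouping and scoring from the pre-merger engagement described earlier, can be illustrated with a small added Python example. This is not Bulletproof's or RiskSense's code, and the RS3 rating is proprietary and not reproduced here; the weighting scheme, the hostnames, the asset inventory, the threat-intelligence set and the finding ids are all constructed for illustration. It shows how three inputs named in the text (scanner severity, threat intelligence on active exploitation, and an internal asset inventory) combine into one ranking that two IT Security teams can read the same way, and how findings from two merger partners are grouped and filtered into a per-organization summary.

```python
"""Risk-based vulnerability prioritization over constructed scan findings.

Added example, not Bulletproof's or RiskSense's code. The weights below are
an assumption chosen for illustration; the RS3 score is not reproduced.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed internal asset inventory: hostname -> business criticality.
ASSET_CRITICALITY = {
    "erp-db-01.partner-a.example": "high",
    "vpn-gw-01.partner-a.example": "high",
    "kiosk-12.partner-a.example": "low",
    "jenkins.partner-b.example": "medium",
    "mail-01.partner-b.example": "high",
    "test-web-03.partner-b.example": "low",
}

# Constructed threat-intelligence feed: ids with known in-the-wild exploitation.
# The ids are placeholders, not real CVE numbers.
KNOWN_EXPLOITED = {"EXAMPLE-VULN-0002", "EXAMPLE-VULN-0005"}

CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
HIGH_RISK_THRESHOLD = 70.0


@dataclass(frozen=True)
class Finding:
    org: str        # merger partner whose scanner produced the finding
    host: str
    vuln_id: str
    cvss: float     # scanner severity, 0.0 to 10.0
    age_days: int   # days since first seen by the scanner


def score_finding(f: Finding) -> float:
    """Combine severity, exploitation evidence and asset value into 0-100.

    CVSS sets the base, asset criticality scales it, and a known exploit
    adds a flat bonus so an actively exploited medium on a crown-jewel host
    outranks an unexploited critical on a kiosk. Findings older than 90 days
    get a small bump for accumulated exposure. Hosts missing from the
    inventory are treated as medium so they are never silently dropped.
    """
    crit = ASSET_CRITICALITY.get(f.host, "medium")
    score = f.cvss * 10 * CRITICALITY_WEIGHT[crit]
    if f.vuln_id in KNOWN_EXPLOITED:
        score += 25
    if f.age_days > 90:
        score += 5
    return round(min(score, 100.0), 1)


def prioritize(findings, org=None, min_score=0.0):
    """Return (score, finding) pairs, highest risk first, with optional
    filtering by organization and by a minimum score."""
    ranked = [(score_finding(f), f) for f in findings
              if (org is None or f.org == org)]
    ranked = [(s, f) for s, f in ranked if s >= min_score]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def summarize_by_org(findings):
    """Group findings per merger partner: total, high-risk count, top item."""
    groups = defaultdict(list)
    for score, f in prioritize(findings):
        groups[f.org].append((score, f))
    return {
        org: {
            "findings": len(items),
            "high_risk": sum(1 for s, _ in items if s >= HIGH_RISK_THRESHOLD),
            "top": items[0][1].vuln_id,   # list is already sorted descending
        }
        for org, items in groups.items()
    }


# Constructed sample of scanner output from the two merger partners.
SAMPLE_FINDINGS = [
    Finding("partner-a", "erp-db-01.partner-a.example", "EXAMPLE-VULN-0001", 9.8, 120),
    Finding("partner-a", "vpn-gw-01.partner-a.example", "EXAMPLE-VULN-0002", 6.5, 30),
    Finding("partner-a", "kiosk-12.partner-a.example", "EXAMPLE-VULN-0003", 9.1, 10),
    Finding("partner-b", "jenkins.partner-b.example", "EXAMPLE-VULN-0004", 7.5, 200),
    Finding("partner-b", "mail-01.partner-b.example", "EXAMPLE-VULN-0005", 5.3, 45),
    Finding("partner-b", "test-web-03.partner-b.example", "EXAMPLE-VULN-0006", 4.0, 5),
    # Host absent from the inventory: exercises the unknown-asset path.
    Finding("partner-b", "legacy-app.partner-b.example", "EXAMPLE-VULN-0001", 9.8, 400),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {f.org:10}  {f.host:32}  {f.vuln_id}")
    print(summarize_by_org(SAMPLE_FINDINGS))
```

Note how the exploited 6.5 on the VPN gateway ranks above the 9.1 on the kiosk: that inversion of the raw scanner order is the whole point of bringing threat intelligence and asset context into the ranking.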

To Recap

When considering mergers and acquisitions, the urgency of making cyber risk management a key priority is clear. In addition to considering leading vulnerability solutions like RiskSense and Zero Trust innovators like NetFoundry, it is business-critical to align business and cybersecurity considerations and objectives.

Jim Watts PMP, Client Service Delivery Lead, Cyber Risk Management Group, has supported key IT projects at major companies such as Home Depot, AT&T, and Fiserv. Over his 30 years of experience in technology and IT Project Management, and most recently supporting the implementation of best-practice based cyber risk management programs, Jim stresses the importance of aligning technology and business objectives.

“Having technology and business alignment managed through a governance process in a post-merger organization is a key success," said Jim. "By leveraging a comprehensive 'Process Governance', leaders can ensure alignment between technology and the business is in place, and key measurement cyber risk management indicators can be used to measure progress toward goals and keep work efforts on track. When it comes to the financial, business, and liability implications of cyber attacks, the cyber risk for mergers and acquisition represents a key area for improvement. It was once said that 'The second kick of the mule should not be educational.'"


Stay Secured with First-Class IT Security Services

We work with you to identify opportunities for improvement in your systems and form a customized plan to help meet your business' security goals. Are you ready to learn more about how Bulletproof’s services can help your company succeed? Book a meeting today! 



TRANSFORM YOUR PEOPLE FROM CYBERCRIME TARGETS TO ACTIVE CONTRIBUTORS TO YOUR CYBERSECURITY

A whopping 95% of cyber-attacks and incidents exploit unsuspecting and uninformed employees.*

Bulletproof’s Security Aware service is the only user awareness solution in the market today that solves the difficult problem of end-user adoption and buy-in. With Security Aware, you can transform your people from cybercrime targets to active contributors to your cybersecurity.


*IBM X-Force Threat Intelligence Index

Why Bulletproof?

BULLETPROOF CREDENTIALS

  • Microsoft 2021 Global Security Partner of the Year Winner.
  • Microsoft Solutions Partner for Modern Work + Security, specializing in Threat Protection and Cloud Security, and Digital & App Innovation Azure.
  • Decades of technology, compliance, and security knowledge serving various industries of all sizes.
  • We work with top gaming organizations, lotteries, U.S. Tribal Nations, government and local organizations, etc. across the globe.
  • Users on six continents trust Bulletproof to strengthen their IT & security posture.
  • Two state-of-the-art 24/7 Security Operations Centres (SOCs) in North America.
  • Our security professionals hold industry-recognized certifications, including ISO/IEC 27001, WLA-SCS, CISSP, CISA, CEH, CPT, OSCP, and PCI-QSA.
  • Awarded GSA Multiple Award Schedule (MSA) as a holder of Highly Adaptive Cybersecurity Services (HACS).
  • Member of the Microsoft Intelligent Security Association.


“These remarkable partners have displayed a deep commitment to building world-class solutions for customers—from cloud-to-edge—and represent some of the best and brightest our ecosystem has to offer.”

-Rodney Clark, Corporate VP, Global Partner Solutions, Channel Sales and Channel Chief, Microsoft

Call Us

1.866.328.5538