The Cyber Security perspective on Mergers, Acquisitions and Investments

You already take a deep dive into the business. Now take a good look down in the engine-room.

If you are involved in the mergers and acquisitions of companies, or investment in SAAS and software development companies, then I’m sure you have excellent and well-practiced due diligence processes for the financial elements of the business. But does your due diligence adequately cover the security position of what it is you are spending all the money on? Don’t spend huge amounts of money on buying a security nightmare.

Securing your Investments.

What exactly are you investing in? What will your money be used for?

Let’s take the example of a software start-up - they’ve built a product, probably nowadays in the cloud, and are now seeking investment in return for equity.

As a potential investor, you’re going to ask them many questions about the business model, revenue and growth projections, numbers of current customers, target market and on and on. And of course, modern investment due diligence will also include many questions about “what have you done about the Cyber Security of the product?“ And they will expect good answers.

As a company seeking investment, if you don’t have a solid answer to this, you may find your potential investor very quickly getting cold feet. Investors in whatever form are not looking to invest new money just so you can then go off and spend it in adding in security - they will expect you to have taken care of this already. They also know that the addition of security late in the day can be much more expensive than building it in from the get-go.

Investors also need to have confidence in the people within an organisation they are investing in, so don’t stumble over the question of security.

Questions to have answers for!

(There are many more of course, but these are a good start).

• Have you built security into the software development process? What does that look like?
• Have you done a Penetration Test, and was the organisation who did the test suitably certified?
• What are you doing about ongoing security testing? Does it keep up with your release cycles?
• How do you handle your own supply chain security?
• Would you be the weak link in someone’s supply chain?
• What backups and recovery processes are in place?

As I say, there are many, many more pertinent questions to be asked before an investor should be parting with their money, but at least make a start by having an answer to these.

Mergers and Acquisitions.

Cyber security is a hot topic in M&A - the risks are enormous.

Mergers and Acquisitions are currently booming in the UK, particularly inbound from foreign investors. Organisations are looking to acquire and merge, to speed their growth and meet business and market objectives.  

With an M&A comes real financial scrutiny over the company’s accounts, current, forecast, and historic. Additionally, synergies between organisations may factor into decision making amongst many other criteria. Does the organisation being acquired have the kind of culture that fits? Does the technology stack fit? How long will it take to integrate it into our existing stack? How easily is that achieved?

And now, importantly of course, does the security posture of the organisation give reason for comfort or concern?

Cyber security in the M&A space is a very hot topic and for good reason. If you are about to spend many millions of $s on an M&A deal, then you really should be looking into the organisation’s security.

Let’s look at a very real example scenario …

The acquiring organisation (Company A) has decided that its growth and strategy warrant the acquisition of (Company B), who may be much smaller, but with whom there are synergies and are viewed as having a bright future. As part of the (often very complex due diligence) M&A process, Company B are found to be in a good position financially, with a great culture that fits with Company A, a complementary customer base and many other synergies. The deal is going ahead - congratulations all round!

Often one of the first moves, made with all the best intentions of combining workforces and cultures, is that network connectivity is established directly between Companies A and B. This facilitates sharing of documents and materials and getting departments working together. All good news.

Unfortunately, at this point, no one has yet investigated the complete security posture of Company B. After all, they’ve been trading successfully and have no obvious issues and nothing embarrassing has surfaced during due diligence. Company A may have just given themselves a big risk.

Patience is a virtue - even for hackers. Sadly now both companies are at risk.

Company A has just inherited the ongoing, as yet undetected Cyber Security compromise from their new acquisition. The hacker, sitting quietly on Company B’s network, has been reading emails on an account compromised months ago. They know all about the merger and have been biding time until the connectivity is in place - it’s like they knew it would happen! Of course this now allows them to move between organisations and start dumping - exfiltrating - the much more valuable data from Company A.

Ransomware has been in the news almost daily in 2021 and it has become clear that the hacking groups responsible are now very informed on the financial position of the companies they are demanding bitcoin from. Their demands are based on what the hackers think the company can afford to pay, with examples of hackers having read the companies Cyber Insurance policies before demanding what they think the company can claim back from their insurers!

Imagine a hacker sitting on the network of Company B. They have been waiting for a good time to trigger an attack and then start reading confidential documents about the impending acquisition by Company A who are a much bigger target. Maybe the Ransom can wait till the acquisition is in place. Fast forward a couple of months and Company A are announcing they have been compromised.

Due diligence must include cyber risks and independent security assessments.

The extensive due diligence during M&A is now extending to cover scenarios exactly like this. Whether you are the acquirer or the acquiree, you need to have a strong assessment of the other party’s security. This needs to be several steps further than a standard supply chain management review. In fact M&A often falls outside of these review processes, mainly due to the confidentiality applied to M&A. Very often the teams responsible for supply chain management and risk management are not privy to the M&A activities.

This is where 3rd party independent involvement and expertise are required to give unbiased, expert opinion to the interested parties. Output from activities such as Penetration Testing, Vulnerability scanning, Cloud Security Reviews and OSINT (Open Source Intelligence) gives a clear picture of the security status and highlights associated risks. And of course, the security consultants are governed by strict confidentiality and non-disclosure agreements.

Shift the risk left and address it early.

The ‘shift left’ principle is a mainstay of modern DevOps - that is, addressing potential risks earlier in the process. The principle applies equally in this space as the comprehensive assessment required doesn’t have to wait until the M&A process is well under way. Many of the differing activities involved in the analysis of the Security Position can be run in parallel to each other. For example, early OSINT (Open Source Intelligence) can give interesting insights into the organisation and the people involved. This can feed early decision making ahead of any detailed technical and procedural analysis and in parallel with the financial investigations.

Given that a deal might be called off, or at least significantly revised, on the basis of security issues - and most would and should be - then do the assessments early! Don’t wait till everything else is agreed, only to then find that you are buying into an unacceptable risk. The M&A process itself is often hugely expensive and time consuming, so it’s much better to get the whole picture as early in the deal as possible.        

Of course - every good company should have regular security testing already in place - it’s a high-risk flag if they don’t. If you need help with your testing or advice on your cyber security policies, Precursor are a specialist independent Cyber Security consultancy and experts in technology risk. Contact us today.