Mergers and acquisitions may be common, but they’re not without risk, especially when it comes to cybersecurity risk. As cyberattacks increase in frequency and sophistication, the last thing any parent company wants to discover is that they’ve inherited mismanaged or unmanaged assets.
Yet, assessing the scope of potential risk can be a tall order. An M&A transaction often involves the significant expansion of a company’s owned and associated internet-facing assets (those which make up an attack surface). These assets, if unmanaged, poorly managed, or simply unknown, represent potential security vulnerabilities and points of entry for threat actors. Which is why companies engaged in M&A need to know: What internet-facing assets from this partner or acquisition would be associated with our company? What about those of their partners and vendors? How well are those assets currently protected, and if vulnerabilities exist, what level of risk do they pose to us?
To effectively answer these questions, gaining full visibility into all associated attack surfaces from the outset is key.
Companies Recognize the Need for Cyber Risk Assessment
Forty percent of acquiring companies who completed M&A activity say they found a cybersecurity issue after integrating with an acquired company. Companies know the risk is real, and it explains why Gartner predicts that by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements. Research included as part of the Censys 2022 State of Risk and Remediation Report showed similar prioritization; almost three-fourths of respondents indicated that a focus on cybersecurity when acquiring another company was “very important.”
Additionally, 88% of respondents of the same survey said that they investigate an acquiree’s cyber exposure, including through partners/vendors.
How have companies involved in M&A typically gone about assessing cybersecurity risk? Vulnerability testing has been a primary strategy, but only 40% of respondents say they conduct the vulnerability management testing on acquirees’ attack surfaces themselves. Five percent request vulnerability testing, but acknowledge they may or may not receive it.
The reality is that for a company to cover their bases and truly guard against inherited cybersecurity risk, risks need to be identified or disclosed up front. Discovery at the integration stage can be too little, too late. Additionally, companies need full visibility into all of the assets that are associated with a potential partner or acquired company – which includes assets that may not even be known to partners themselves. A vulnerability scan may detect risks on assets that are known, but not those that aren’t. At Censys, we’ve found that 30-80% of assets within an attack surface can be unknown to an organization. An acquiree may think they’re disclosing all of their known assets and risks, but unknown entities likely still remain.
Due Diligence with Exposure Management
This is where Exposure Management solutions like Censys can play a pivotal role, by offering the essential up-front visibility that companies involved in M&A need to understand the true extent of potential risk. The right Exposure Management solution can provide continuous, automated monitoring, discovery, inventory, classification, and prioritization of internet-facing assets, and it can do so before companies sign on the dotted line.
With an Exposure Management solution, a company involved in M&A can:
Gain a comprehensive, real-time view of attack surfaces: Mergers and acquisitions often have long runways to final contract. That means the vulnerability report that an acquiree initially provides may be outdated by the time your team looks to make its final risk assessment. A real-time view of attack surfaces, using an Exposure Management tool like Censys Attack Surface Management, provides the updated, 360-degree visibility you need to understand present-day risk.
Automate asset discovery and assessment to free up internal resources: The work that goes into an M&A transaction can stretch even the most seasoned teams thin, with assessment efforts subject to human error and oversight. Rather than invest significant time and effort into a point-in-time asset discovery and assessment process that relies on manual approaches and disparate tools, an Exposure Management solution provides the kind of automated, continuous discovery that frees up internal resources while ensuring full, reliable attack surface visibility.
Understand levels of risk: In addition to gaining a complete picture of a partner or acquiree’s attack surface, an Exposure Management solution can also provide context into the severity of risks uncovered, and include recommendations for remediation. Censys identifies hundreds of risk categories within its Attack Surface Management solution, including misconfigurations, exposures, vulnerabilities, and evidence of compromise.
Act before the ink dries: The ability to accomplish all of the above brings us to the culminating benefit of Exposure Management: truly understanding potential risk – and acting accordingly – before any contract is signed. An important piece keep in mind here: look for an Exposure Management solution that enables you to assess attack surfaces prior to integration with other systems.
With the upfront visibility and automation gained through Exposure Management, companies can more completely and accurately assess the cybersecurity risk that M&A activity may pose, and in turn, make more informed decisions to protect what they own.
Interested in learning more about how Censys can support M&A activity?
Request a demo today!