The days before announcing an acquisition are heady ones. Your functional diligence teams, along with lawyers, bankers and often consultants, are scrambling through mountains of information provided by the target, getting ready for a “go/no-go” scenario rivaling any NASA launch. The cybersecurity team is a relatively new but very important player in the process. But this team often needs to engage in a different manner, so as not to miss some of the most costly and reputation-destroying issues which are harder to surface than traditional M&A threats.
According to a Forbes article, “40% of acquiring companies engaged in a merger and acquisition transaction said they discovered a cybersecurity problem during the post-acquisition integration of the acquired company.” Why is this? While M&A transactions continue to increase in volume and size, they’ve also become more complicated, particularly as organizations embrace digital transformation and globalization. Additionally, security practitioners are often left out of the diligence process despite being responsible for the downside risk post-deal.
Several large acquisitions have been stalled by data breaches from exploited assets that were discoverable pre-transaction but only made known after announcement. Today, it’s essential that companies making acquisitions understand the target’s external, internet-exposed assets by becoming more aware of their external attack surface.
Let’s dive into the top five reasons acquirers should run an attack surface report before, during and after an acquisition.
Reason #1: Cybersecurity due diligence is still evolving and requires analyzing data differently than other types of due diligence.
Many acquirers and their advisors (typically law firms and investment banks) still use outdated due diligence processes – antiquated and static information request lists that often focus on privacy, policies, compliance and history of prior incidents. These lists often do little to help the buyer understand the target’s current cybersecurity readiness. Corporate security teams are still relatively new, and their influence has not yet been fully realized in the diligence process.
Cybersecurity diligence requests focus on what the seller knows and are often questionnaires tailored to the three P’s (People, Policies & Procedures):
- Identification and location of sensitive data, and compliance around gathering and storing that data
- Understanding of information system security tech stack
- Adequacy of cybersecurity people, policies and procedures
- Prior incidents and recovery plans
This information provides little insight to evaluate risks, exposures, vulnerabilities and misconfigurations on the target’s network. Penetration testing and/or third-party risk tools are often used to address these areas. However, penetration testing is often done after an acquisition is announced, as it can be very disruptive pre-transaction, especially to the unknowing sec-ops team. And while pen tests and third-party risk tools are crucial to test systems and tools, they often only look at a sample of the target’s network, with limited breadth and depth of the entire attack surface.
Third-party risk tools are not “good enough” as they often rely on inaccurate, limited or out-of-date information. Running Censys ASM gives you a complete internet-exposed asset inventory along with all associated cyber risks and insights, and can be done at any time without disruption.
Reason #2: Diligence teams, on both sides, are relatively small and top-heavy compared to integration teams.
In order to protect deal confidentiality, diligence teams are often made up of senior leaders from different departments. But that’s it – often only one or two from each department. This is because of the absolute need for confidentiality above all else during the M&A process.
These leaders aren’t often in the “mix” of everyday operations of the company. Their limited practitioner capacity leads to a lack of understanding into the true status of the security operations and its needs. The CISO is highly incentivized to get the job done, and wants to be accurate, but they don’t know every day-to-day detail their team knows.
READ: Forrester’s Find And Cover Your Assets With Attack Surface Management
The CISO also knows that when this acquisition is complete, they’re likely to be made redundant. After the acquisition, the CISO may be on to their next gig and is no longer available to answer questions regarding the company’s security posture. The integration team now has a big task ahead of them in securing the issues they should have been alerted to earlier.
One of the benefits of running an attack surface report is that it can be done by the acquirer at any point in the process without input from or disruption to the target (whether or not the CISO is still around).
Reason #3: Legal teams who manage cyber risk often only focus on data privacy and compliance.
Cyber risk due diligence is often managed by legal teams, who focus on data privacy compliance. In addition, a few senior security operation leaders might examine cybersecurity risk information processes and systems provided by the target in order to document the overall cybersecurity program effectiveness and readiness (risk management, controls, protection, detection, data privacy, etc.).
These leaders and lawyers are often focused on previous breaches, incidents and the compliance and liability around past actions. They’re looking backwards at past performance and assuming it is indicative of current status. Often missed are unknown or unmanaged assets, which the acquirer will unwittingly inherit as a compromised network.
Don’t assume the seller knows everything. You should always be analyzing the external attack surface of the company you are acquiring.
Reason #4: Leaders at the company being acquired are often reluctant to share negative information about their departments.
Let’s face it, no one wants to look bad in front of a new owner or boss. When the CISO is sharing what details they do know about their department, they’re focusing on the best parts of it. They don’t want to be the reason this merger or acquisition fails.
Additionally, lawyers and bankers counsel sellers to simply supply only the data requested, or answer the questions asked, as courts have put the onus on buyers to complete an effective due diligence.
In the history of the Delaware Chancery Court, only one case (Akorn 2018) was decided in favor of an acquirer, allowing them to terminate a merger after signing and announcing a definitive agreement for a Material Adverse Change, where the target did not provide full and adequate disclosure.
Once you announce an acquisition, it’s most likely yours to keep – for better or for worse.
Reason #5: Threat actors are monitoring acquisitions and will immediately look for vulnerabilities to exploit right after announcement.
The plain truth is that security teams are constantly pivoting to protect their organizations. And threat actors only have to get it right once. Even better, they know that a company is at its most vulnerable right after an acquisition announcement.
According to PWC, this is a period rife with opportunity for hackers:
“An acquisition that has existing cyber vulnerabilities can be used by threat actors to obtain access to the acquiring company as the integration progresses. The period between a deal’s announcement and closing is of particular exposure if vulnerabilities exist, given the heightened awareness and opportunity. That potential can raise anxiety among stakeholders—including investors, shareholders, customers, employees and suppliers—bringing further risk of disruption.” – When Cyber Threatens M&A, PWC US, 2018
After an acquisition announcement, both sides’ security teams are distracted by “me issues,” but attackers are more focused than ever. By continually running attack surface reporting during the entire period, both entities can come together as one, and quickly remediate any risks that arise.
Attack Surface Reports are essential during the M&A process
Securing an external attack surface is something that every company should be doing, no matter if there is an M&A in process or it’s just business as usual. Finding exposed assets on the internet is low-hanging fruit to threat actors. It’s easy to find for them and they will exploit that opportunity.
Censys Attack Surface Management (ASM) continuously scans the internet searching for the unknown assets that pose the biggest risks to an organization. As the first tool on the market to do this – and the best – it empowers security teams to stay on top of their ever-expanding attack surfaces and find the risks before anyone else.
To learn more about Censys ASM, see it in action in our demo.
Demo ASM Now