Mergers and Acquisitions: Cybersecurity Due Diligence

April 18, 2016

Executive Viewpoint

The year 2015 marked the highest-ever value of mergers and acquisitions, an astounding $4.6 trillion.

If 2016 follows this trajectory, we’re looking at over 18,000 M&A events this year, many of which may be “megadeals” exceeding $50B.

With figures this staggering, you can’t afford to take on a partner organization without exploring ALL areas of risk – financial calculations can no longer be the only factor considered.

Whether you’re a larger company acquiring a niche business that may be outside the scope of your current client offerings, or a smaller company partnering with another organization to expand your footprint, you must be vigilant in taking security precautions prior to the merger.

To that end, CrowdStrike has established a process to fully vet a target company’s systems, data, and environment to assess and protect the valuable assets being acquired. Regardless of the industry, when companies make an acquisition, they are essentially investing in the intellectual property and R&D of the proposed partner organization.

Typically, there are few individuals at the buyer corporation who truly understand the network systems they’re about to purchase, which contain the valuable IP they’re acquiring.

The integrity of this data MUST be assessed prior to the purchase – and the team assessing it MUST be able to provide a level of scrutiny that ensures all areas are fully evaluated, diagnosed, and proven secure. I equate it to buying a home, which is usually the biggest personal investment one makes.

Your realtor is there to protect you and, with the inspector, asks the important questions that likely won’t come up during your house hunting:

  • Are there structural problems with the house?
  • What about termites?
  • Is this home in a flood plain?
  • What’s the condition of the electrical and plumbing systems?

Similarly, an M&A event is a substantial business investment.

You wouldn’t make that home purchase without the inspection; why, then, would you accept less vigilance when it comes to your business? CrowdStrike’s Services Team thoroughly explores these critical security questions on a company’s behalf, helping it avoid introducing unnecessary risk into the organization prior to a merger.

By performing a comprehensive assessment, we identify the gaps in the partner organization’s security posture and develop ways to solidify it before integration with your brand occurs.

In addition to a comprehensive technical evaluation, this assessment encompasses an examination of security documentation, a review of IT processes, and interviews of key staff to understand where on their list of priorities cybersecurity falls.

We provide the full picture of what’s being acquired – the network, the systems unique to that company, intrusion detection controls (or the lack thereof), and the employees’ mindset toward security – before the deal is consummated. Some questions we explore include:

  • Are there vulnerabilities in the partner organization that could be exploited to access your systems?
  • How secure will the organizations’ data be during the integration process?
  • Has their network been compromised in advance of the merger?
  • What security risks are there in merging your environment with theirs?
  • Does their organization have security controls in place that meet your standards, even if you’re not absorbing their technological resources?

I realize every organization, every M&A, and every security setup is unique. We’re not a “one size fits all” operation and recognize that our assessment must be customized to meet specific needs.

I can’t stress enough that addressing the threats to an organization and those that you’re in the process of acquiring is critical before hitching your company’s livelihood to another’s wagon. In order to provide the best protection for your most valuable assets, we give you recommendations on how to prioritize resources based on the actual risk, an implementation plan of effective detection measures, and a comprehensive security strategy to actually prevent damage.

Throughout my previous law enforcement career, I saw time and again that the nominal cost of being proactive and predictive about security saved significant time and money in the long run…underscoring, bolding and italicizing the word ‘significant’.

It’s ALWAYS harder and more expensive to react to something than to prevent it from happening in the first place.

Before the M&A process begins, CrowdStrike evaluates the client and third-party environments for signs of current or past compromise by deploying Falcon Host to gain further visibility into endpoint activity in near real time. Falcon Forensics Collector is also used to gather system metadata and artifacts for analysis, and network-based monitoring tools are applied at information egress points to gain visibility into potentially malicious traffic entering and exiting the networks. Finally, as part of the Cybersecurity Maturity Assessment framework, CrowdStrike draws upon a rich data set to provide a unique perspective in the form of a zero-to-five scale, which gives a more detailed picture of an organization’s cybersecurity capabilities compared with organizations of a similar size and industry.

Combining these, CrowdStrike searches host system data for evidence of attacker activity, then collects and analyzes the results and reports its findings, focusing on indicators of compromise related to known attacker tools. More information about the new CrowdStrike Mergers and Acquisitions Cyber Risk Assessment Program is available from CrowdStrike.
