Cybersecurity should be a concern and investment for every company. But there is a special time when risks are even higher – during mergers and acquisitions. According to Carousel Industries of North America Inc. Chief Information Security Officer Jason Albuquerque, these transactions set up a perfect storm of sorts, which requires action early in the process.
PBN: How common is it to have cybersecurity issues or breaches when two companies merge, or when one acquires another?
ALBUQUERQUE: When diverse sets of people, process and technologies are integrated and the company expands, the security risk increases. And naturally, the more high-profile the merger or acquisition, the greater the risk. Cyberattackers may target these companies, knowing that operational and technology changes create vulnerabilities.
Acquired companies may also become a target, because often the acquiring company neglects to maintain the legacy network to the same level of diligence. This creates a ripe environment for attackers to compromise the acquiring entity through the acquired organization.
PBN: What industries could be at greatest risk in this area?
ALBUQUERQUE: No industry is safe from a cyberattack. But based on preliminary breach statistics for the first half of 2018, it is clear which industries are most frequently being targeted. Social-media technology organizations had the highest number of compromised records, at 2.5 billion.
The industrial sector witnessed the highest growth rate in compromised records of all industries while health care companies experienced the greatest amount of security events among all of the industries.
Finally, for professional-services organizations, the sum of compromised records and number of incidents increased significantly over the past year.
PBN: Is a company’s chief information security officer the best person to size up the cybersecurity risks in an M&A, in your experience?
ALBUQUERQUE: What is most critical is not which department the leader works in but that the organization has identified and empowered the right person to assess these risks. An individual with the right security, compliance and business skills, along with the experience of an M&A process, is the ideal scenario. This person could be internal or contracted from outside of your organization. However, if an organization hires external cybersecurity talent to evaluate risk when the M&A process is pending, it’s too late.
PBN: How should a company proceed in this arena, if it plans to merge with or acquire another firm?
ALBUQUERQUE: Cybersecurity has been an afterthought. … Organizations have viewed cybersecurity as solely an [information technology] function more focused on connecting and integrating the two merging organizations.
Today, cybersecurity is a business imperative and truly a national security issue. Organizations involved in M&A should undertake core activities to better inform leaders and boards of cybersecurity and compliance risks during this process.
- Start with early communication, allowing proper time to plan for and perform the critical security and compliance due-diligence activities.
- Conduct a brand-exposure analysis to understand previous breaches or any existing exposures to the network, company data, credentials or intellectual property “in the wild.”
- Perform a comprehensive IT asset discovery to better understand the synergies and differences between the organizations’ technologies and infrastructure. This allows for more accurate prediction of future risk mitigation and investment needs.
- Assess all supply-chain and third-party vendor risk, relationships and data-sharing agreements, as third-party organizations can be a massive blind spot to companies’ risk exposure.
- Consider outside help from an independent cybersecurity assessment firm to evaluate the target organization and report back on its cyber-resilience maturity level.
PBN: Do hackers pay attention to company transactions such as this, and plan attacks accordingly?
ALBUQUERQUE: Absolutely. Cyberattackers are opportunistic in nature. Any organizations that handle sensitive data … are attractive targets for cybercriminals. A merger or acquisition – especially one that is heavily publicized – becomes that “bat signal,” a beacon inviting cybercriminals to test the waters for any vulnerabilities that they can find and exploit.
Susan Shalhoub is a PBN contributing writer.