Important Cybersecurity Questions to Ask Before a Merger or Acquisition

A version of this article was previously published in the October 2019 edition of the Seattle Daily Journal of Commerce.

If you’re contemplating or preparing for a merger or acquisition (M&A), cybersecurity should be among your top concerns, ranking on par with legal and financial considerations.

In 2018, total merger values reached nearly $3.9 trillion and average deal size hit $384 million, according to Acuris. With such high value associated with these deals, unknown cybersecurity vulnerabilities could jeopardize the outcome.

Below are important questions to consider as a business owner, whether on the buy- or sell-side, before entering M&As.

Is it common to find security challenges or breaches during due diligence?

Absolutely. Without any information security digital due diligence, companies can discover woefully inadequate security protecting their potentially new assets. Some buyers have even uncovered previously unknown breaches of the acquired firm, with repercussions for which they may be liable.

It’s important for the buying company to address security as part of due diligence. This can help avoid potential financial consequences that weren’t taken into consideration when negotiating the original acquisition price. 

Where do you typically find issues?

They’re typically found in software, infrastructure and security control mechanisms. 

Historically, attackers have typically exploited weaknesses in perimeter security devices such as firewall and routers. These methods still happen frequently, but in 2017, website application source code security issues overtook network security vulnerabilities as the top attack vector, according to the Verizon Data Breach Incident Report (DBIR).

It’s an easier target for hackers because network or perimeter security measures are usually more mature than software security measures. These security vulnerabilities often exist in the actual source code of a company’s internet applications or software packages that the buyer intends to acquire.

Sellers also need to be concerned about unknown security problems. Vulnerabilities discovered on their end could reduce or delay payments until the depth of the problems are understood and vetted.

In general, a breach can be incredibly damaging to a business and result in direct financial theft, loss of customers’ personal information, stolen intellectual property, and endless lawsuits.

What else should you consider when buying a software product?

The most important element is to assess vulnerabilities at the source code level. If you’re transaction is just a product sale, the security of the company infrastructure may not be of high interest.

Here’s the process:

  • Map the attack surface of the target applications
  • Analyze how security is handled at data ingress and egress points
  • Test authentication and authorization components that provide log in and the scope of permitted access, calls to databases, and data collection fields
  • Discover known software vulnerabilities
  • Confirm that data is encrypted when in transit and at rest

Automated tools can quickly scan the software and typically identify about half the types of vulnerabilities that may be present. To get a full, comprehensive understanding of the security footprint of your website or application, combine the automated scan with a manual inspection of the source code. This can help identify additional security issues within the source code.

A business logic assessment (BLA) can also help discover built-in vulnerabilities that aren’t coding vulnerabilities per se, but still present risks due to as-designed application logic flaws.

Is there a foundational approach when buying a company?

Definitely. A defined security program is a must at any company, and when appropriately created, demonstrates how it supports the company’s needs.

Request a review of the security program to understand how thoroughly your target company worked to secure its assets. Here are the items to request and assess:

  • Data classification schema that drives data handling policies and procedures
  • Security assessment results that may be available
  • Incident response procedures and recent test results
  • User awareness efforts, especially as they relate to suspicious emails
  • Security organization and coordination of functional responsibilities

If a company operates within a compliance framework, it should be accustomed to providing security compliance reports. Examples of compliance frameworks include the General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standards (PCI DSS).

What if you’re buying a company that comes with IT infrastructure?

The IT infrastructure should be assessed as well. Networks and IT infrastructure are often the main targets for culprits attempting to infiltrate a company to steal information. At a minimum, automated tools should be used to perform a scan of networks, both internal and external, to identify vulnerabilities.

As with source code scanning, if these automated scans expose lax security within the target network, you may want to seek the services of security advisors who can perform a deeper dive. An advisor can help review firewall and server configurations and also look at the network architecture and its design to compare it to best security practices. 

What’s a worse-case-scenario look like if the infrastructure is breached?

The 2014 breach of Target is a telling example.

The retailer’s heating, ventilation, and air conditioning vendor was hacked. The vendor essentially had a trusted internet connection directly into the Target network. These environmental control functions could have been isolated separately within the network. Instead, inadequate segmentation in the Target network architecture allowed the culprits to gain access to the entire network. This breach resulted in nearly $300 million in damages.

Should you look at cybersecurity as a distinct issue or with a more holistic approach?

A holistic approach to cybersecurity can help any company overall. There’s added value when cybersecurity professionals have expertise across all aspects of information security—source code and website, infrastructure, and programmatic security. By having all these areas examined and secured simultaneously, you can move forward with a deal feeling confident that the necessary precautions have been taken.

Source code security is emerging as a hotspot for hackers, so those professionals in particular should have backgrounds in software development to understand how processes work. This allows them to hone in on vulnerabilities in the source code, determine how much risk they present to the company, and the level of effort needed to remediate them and then communicate with application developers. 

While automated tools are useful, an advisor’s analysis can help reduce any false positive security issues that tools call out as well as find vulnerabilities and vet them against real-world risk.

We’re Here to Help

Ultimately, you want to be able to move your transaction forward feeling confident that everything is secure. The goal is to focus on planning for the future of your combined business.

To learn more about how you can adequately assess your company’s cybersecurity standing prior to a deal, watch our two-minute video on application security or contact your Moss Adams professional.