[updated April 12, 2021]
You’re a cybersecurity leader at a growing company. [or information security leader — I’ll just say security from here on out]. You learn that your company is in conversations to acquire a smaller company, to include the people, products, and locations. What do you do?
You likely make a lot of mistakes…at least at first. M&A and security are oftentimes, not a top line consideration for executive teams. Yet, not considering the risk implications of integrating two companies, could lead to disastrous consequences. Consider if your IT team on-boarded a start-up 3rd party vendor that connects to much of your distributed network infrastructure, but neglected to identify that this vendor doesn’t have a dedicated security team. You now have inherited all the risk of that 3rd party, since their product is now integrated into your environment. Now, picture the similar scenario, but your company is integrating every piece of a companies fabric into yours.
ask all the questions
Do their employee desktops have basic endpoint protections?
Is multifactor authentication everywhere? Is it anywhere?
What are their highest priority risk items? How did those risks get scored and prioritized?
Who has access to production systems? How is least privilege determined?
What is their history with security incidents based on business email compromise?
This list can go on and on. Oftentimes, in a security leaders first M&A event, many of these (and many more) questions will go overlooked. All may be fine. Though, without creating a risk profile, you are merely rolling the dice, hoping not to inherit an active security incident (or worse, integrate an active security incident into your current environment).
create a plan, now
The time to draft a security M&A due diligence plan is now. Well, it should be a core document to have, alongside companywide security policies, incident response plan, and 3rd party risk assessment plan. In fact, if you have a 3rd party risk assessment process, you can borrow a large part of that plan/process to copy/paste into your security due diligence M&A plan. If you are wondering why, read this Ponemon Institute study from 2018, that states “59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties”. You need to think of your acquisitions, as you would a very sensitive third party.
Let’s get back to why you should have a plan at the ready. I have real-world examples of my own poor due diligence that allowed an undetected, actively exploited vulnerability of a company we acquired, to be integrated into our infrastructure, and allowed for pivoting from that environment into ours. There are also plenty of studies that highlight the time it takes to locate a sophisticated adversary in your network. FireEye’s 2020 M-Trends report provides some sobering numbers.
When you get your M&A due diligence plan in place, please consider the multiple stages of the event. (1) Pre-announcement, (2) acquisition, (3) Post-acquisition, (4) Integration.
Why creating an M&A Security plan (not dissimilar to a combination of a 3rd party risk assessment plan and an incident response plan) is critical to do in the early stages of a security leaders role.
….in the next update…
What should go in a plan, to start, and iterate on.
If you have a 3rd party vendor security assessment plan, may I suggest you make a clone of that plan, and rename it “M&A Security Due Diligence”? If you don’t have a 3rd party vendor security assessment plan, stop reading now, and focus on that. (Maybe I’ll write an article on that topic next…that would be a good linkable item).
The plan should have, at least three core sections titled: (1) Pre-acquisition Diligence, (2) Post-acquisition Diligence, (3) Integration Requirements.
With these three sections, create a checklist for each. There is a possibility that some of the checklist items will be “N/A”, though you should expect whomever is going to be your designated manager of the due diligence, should consider each item on the checklist as a “must have” requirement. (I do realize that it may very likely be you, the security leader, who is ultimately going to manage the security due diligence process. Though, as teams mature, you are likely going to want to have another team member be accountable for a due diligence project. More on that later).
How to prepare and staff for an acquisition, when they happen very infrequently.