Managing Risk During an M&A
Build cybersecurity due diligence processes into your M&A strategy to protect your organization against security risks
A merger or acquisition can introduce security risks, sometimes years after the transaction is finalized. In the case of Marriott International’s acquisition of Starwood Hotels & Resorts, it took two years for Marriott to discover that there had been unauthorized access to Starwood’s guest reservation database, with breaches occurring since 2014. The security breach exposed the personal information of 383 million customers and has cost Marriott $72 million to date, with additional costs expected.
During an M&A, ensuring that proper security procedures are in place often gets overlooked, as was the case in the Starwood acquisition. Adding cybersecurity risk assessment as part of your M&A due diligence is critical to protect your organization. Here are some steps to consider.
Leadership Support for Due Diligence During M&A
Support in the form of an organization-wide policy from senior management is critical when developing a cybersecurity due diligence program. Once the policy is approved, ensure that appropriate resources and budget are available for the program.
During the M&A process, leadership must emphasize to both organizations the importance of cybersecurity due diligence, making it clear this step must be completed before the close of the transaction.Â
Data Mapping
Data mapping can help you identify data handling processes and controls that may need to be strengthened and/or opportunities to anonymize or delete sensitive data. Interviews and/or questionnaires can help you quickly identify how and where the target company processes, transmits and/or stores sensitive data (e.g. PII, credit card numbers, health information) and how that data is protected and regulated, depending on the industry. It’s important to understand how sensitive data comes in to the target company, moves throughout the company, and whether or not data is sent to third parties.
Cybersecurity Practices Questionnaire
Require the target company to complete a short questionnaire (ideally 50 questions or less) detailing their cybersecurity best practices. The Center for Internet Security’s Critical Security Controls (CIS CSC) is a good example. The questionnaire is a quick and effective way to discover how mature the target company’s cybersecurity practices are and whether there are major risks such as stored sensitive data not being encrypted. The questionnaire also gives you the chance to identify areas where you might need to follow up or dig more deeply.
Focus on critical cybersecurity controls such as encryption of stored sensitive data, system patching, privilege management and logging. Ask whether the target company has experienced any recent security breaches, if the company’s cybersecurity program is based on a best practices framework (e.g., CIS CSC, NIST, CSF) and to identify all third parties such as MSSPs that provide cybersecurity services.
If the target company has had a recent third-party assessment of their cybersecurity practices (e.g., SSAE18, PCI DSS), request the full assessment report and review it thoroughly. Such assessments are performed by third-party experts and their reports are full of useful information.
Risk-Scoring Tool
Develop a risk-scoring tool to quantify the target company’s level of cybersecurity risk (high, medium, low), per the results of their data mapping and cybersecurity questionnaire. A typical approach is to assign scores (1, 2, 3) to specific questionnaire responses and data mapping findings, then combine all the individual scores into an overall cybersecurity risk score.
Base the tool on the factors that are most important and relevant to your organization, such as how much sensitive data is stored at the target company, whether the company has had a recent security breach or whether it sends sensitive data to third parties, for example. The tool is an easy to use and effective way to communicate to your senior management the cybersecurity risk of the target company.
There’s an inherent risk with any M&A transaction and creating a merger and acquisition cybersecurity due diligence program requires time and effort. But in the long run, it’s a great way to reduce your cybersecurity risk, helping to minimize the chance of post-transaction security breaches.
— Steve Weil
