The information security risk that a given company presents has been an often-overlooked element during the M&A process. However, that appears to be changing, and there are plenty of good reasons for the about-face in the evaluation of information security performance.
Fin4 is a hacker group that reportedly steals insider information to profit from stock trades just before mergers & acquisitions. The attackers "use Wall Street language to convince industry professionals that its communications are legitimate."
Here are a few tips companies can follow to improve their information security due diligence efforts during an M&A deal.
Configuration comes first. Before delving into network issues, verify that the organization is following basic configuration hygiene: Does the potential acquisition have a properly configured SPF record? Do their domains have valid SSL certificates? Are they vulnerable to the Heartbleed bug? These important questions can reveal basic problems that may indicate much bigger issues under the surface.
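As an added illustration of the SPF part of that hygiene check (this helper is hypothetical and not from the original post), the function below grades a domain's TXT records against the basic SPF rules a due-diligence reviewer looks for: exactly one `v=spf1` record, a terminal `all` that is not permissive, no deprecated `ptr`, and no more than the 10 DNS-lookup terms RFC 7208 allows. It assumes the TXT records have already been fetched; the samples below are constructed.

```python
"""Offline SPF hygiene check for M&A configuration due diligence (hypothetical helper)."""
import re

# Mechanisms and modifiers that each cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def find_spf(txt_records):
    """Return the single SPF record, or None when there are zero or several (both are misconfigurations)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def assess_spf(txt_records):
    """Return a list of findings for the domain's TXT records; an empty list means basic hygiene is met."""
    findings = []
    record = find_spf(txt_records)
    if record is None:
        count = sum(r.lower().startswith("v=spf1") for r in txt_records)
        findings.append("no SPF record" if count == 0 else "multiple SPF records")
        return findings
    all_qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        # A missing qualifier means "+" (pass); strip it to get the mechanism or modifier name.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
    if all_qualifier is None:
        findings.append("no terminal 'all' mechanism, unlisted senders are implicitly neutral")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' permits or ignores unlisted senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings


if __name__ == "__main__":
    # Constructed sample: a permissive record that would be flagged during diligence.
    print(assess_spf(["v=spf1 a mx +all"]))
```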
Test & assess the network. Evaluate policies, procedures and technology to determine how seriously the target company has taken data security. Know where the company holds valuable information and how they are protecting it. What protections are in place to defend against an attack? What have they done to prevent future incidents? What is lurking in their network today? What level of risk has been outsourced and what are they insured against?
Look at past performance. Is the company more or less secure than it was this time last year? What factors are impacting effectiveness and can it be improved? The addition of historical performance data, as well as information about specific threats, incident response times and configuration details can provide context for the acquiring company about the overall security health of the organization.
Compare against peers. When looking at a potential acquisition, what can their industry and peers tell you about their general security performance? For one, it can immediately demonstrate whether they are above or below the average of similar companies when it comes to security. But perhaps even more importantly, looking at what common infections affect an industry or how long it takes peers to respond to security events can raise an important question: What security challenges face the potential acquisition and will we need to invest significant time and resources to bring them up to a reasonable level of security performance?
Don't stop with the network in front of you. Look at third-party partners, suppliers, vendors and more. Because companies are only as secure as their respective weakest links, M&A teams need to extend their diligence into third-party networks. In an acquisition, some relationships may be carried over, and teams need to be sure that this component is not overlooked. It may take additional time and resources, but it's worth the extra effort to make sure you aren't buying into the next breached company.