Spot Cyber & IT Challenges Through Improved Due Diligence
By Mark Herndon, Chairman, M&A Leadership Council
Cybersecurity and IT due diligence has become one of the most challenging, and also one of the most critical areas of due diligence in any environment. The risks of brand damage, customer churn, and substantial costs have brought this topic to the forefront in many recent M&A Leadership Council workshops. We recently had a chance to discuss cybersecurity and IT due diligence with M&A Leadership Council’s presenters at our various events, and we are pleased to share portions of this discussion with you below.
Providing their deep subject expertise and practical insights are two Senior Advisors from the M&A Partners IT and Cybersecurity Practice, Anna Sherony and Mark Dickelman.
MH: IT M&A leaders often talk about adding more strategic value throughout the M&A lifecycle for both corporate development and the enterprise integration lead. Tell us more about that.
Mark Dickelman (MD): Start by understanding the value proposition of the deal itself. What is the business trying to accomplish? Frankly, deal leaders are not likely thinking much about core IT at this point in the deal, so IT leaders often need to walk a mile in their shoes to fully understand the business, then determine the full range of potential diligence and integration issues that will be essential to consider and prepare for. Also, I find it’s helpful to remind deal leaders and business sponsors that every organization has a different definition of what is traditionally called IT, for example, core platform, shared services, network, infrastructure, applications, data, security, etc. To be more strategic, IT needs to be able to address all forms of technology, both services-oriented and external product- and solutions-oriented technologies. All businesses need to be digital businesses these days. So that becomes a very important scope item for IT. Specifically, what are the digital assets, what is the target’s digital maturity, and what needs, risks and costs might there be in migrating or upgrading those capabilities as needed?
MH: Anna, how would you advise a company’s CISO to engage corporate development early in the strategic development and target selection process?
Anna Sherony (AS): Start by searching publicly available information on the target company before launching formal due diligence. Define your search criteria to crucial elements such as known data breaches; warning letters from regulatory agencies such as the FDA, GDPR; and check various social media sites. We also recommend you do a dark web search for target company credentials, usernames, passwords, personal information, confidential documents, customer information, account numbers, and social security numbers, to name a few. We also believe it is vital to engage third parties to obtain a security risk assessment. You must use a measure of caution here based on how the risk score was determined and which IPs are scanned, but this type of scan often will reveal things like lack of patching, lack of secure coding practices, and the like. One other word of caution on this. Don’t just pick an automated tool to do this. The vendor should also blend the scan data with human subject expertise to ensure complete and accurate results.
MH: We often talk about due diligence findings in three successive phases. First, true deal-stop or red-flag issues. Second, impact to deal valuation or terms. And finally, integration issues, risks and opportunities. I’d like to ask each of you to highlight one or two key areas to look at from the IT and cybersecurity viewpoint in those three key due diligence findings categories.
AS: An excellent example of a deal-stop finding is basic IT or security collaterals. For instance, if the target has difficulty producing a network diagram, it is game over! More typical, though, would be finding a substantial lack of security controls or non-compliance that will require extensive resources and cost to bring them to a defensible security posture and compliance. It goes beyond the current state findings though, and goes straight to important strategic implications for the deal. A lax security environment presents strong evidence that bad actors have already been in the target company network, and due to weak or nonexistent monitoring, it may be impossible to confirm the bad actor's activity. These go/no-go examples are more common than many non-security professionals may think.
Concerning valuation or deal terms, the earlier you detect a breach or a strong possibility of a breach, the better, so you can help corporate development decide how best to address the issues. That could result in renegotiating the letter of intent or purchase price in the definitive agreement. It almost certainly would impact the liability section of the purchase agreement along with reps, warranties and insurance requirements.
Let us go to a positive example, perhaps for integration-related findings. If your target company’s security posture is highly mature and effective, there are often some important practices, solutions and insights the buyer can adopt post-close. For example, data leak prevention (DLP) programs are often hard to do. If you are fortunate to be acquiring a target with a strong DLP program, leverage it.
MD: I’ll tackle that question from a more holistic IT due diligence lens. An example of a significant go/no-go issue, especially prevalent in carve-outs and other asset purchases, is as simple as quickly defining what’s in and what’s not in the asset purchase. For example, we supported a carve-out acquisition for a Fortune 50 energy sector client recently, where the business to be carved out was the large, regional field operation that stretched across half of the United States, but no IT assets and no IT people were initially included in the asset list. It was a hedge to protect corporate IT resources, infrastructure, and assets, but from a deal perspective, it made it not only uneconomic but impractical to continue unless appropriate IT resources and assets were included. Again, my initial advice is to focus first on the issues from a corporate development perspective versus from a pure technology perspective to get at the key issues to valuation. Discover the “four corners” of the deal from a business as well as a technology perspective. What’s in, what’s out – to try to get as clear an understanding of that as possible.
MH: Let’s consider a large public-to-public company acquisition that announced the deal on definitive agreement but may have several weeks or months prior to closing. In this case, the target company you’re acquiring may be perceived as a “soft target” from a cybersecurity standpoint as a potential “back door” into the acquiring organization. What should the parties do?
MD: That’s an important question, and it is dead-on. IT and cybersecurity have an important ongoing role in the pre-close process. Change control, change management, overall governance, problem management and issue escalation are all things which are critical and need to be tightly run as the deal progresses. We need to make sure that the business we are acquiring does not change from our assumptions or assessments in significant ways. The only way to do that is to have a tight process around changes and activities running in the business. Correlated with that, M&A transactions are the “witches’ brew” of perfect risks for social engineering. You have email changes, announcements coming out, people who are hungry for information and, as a result, there are real risks that are included now. You need to manage those proactively. Communication is vital and problems do not age well. Escalations need to be crisp, rapid and to the decision-makers when we’re in this sort of transitionary phase.
AS: I agree with that, especially the social engineering risks. One of the things you need to do is train your users because they’re going to be phished – make sure you have your security awareness up to speed for all users so they are aware of the current risks you’ll be facing. Make sure you have a clear understanding of the daily reports you require and the notifications you need to be a part of, such as receiving daily security and control reports and help-desk tickets related to cybersecurity issues. You need to be a part of the Incident Response (IR) Team notifications and events because you need to get ahead of any potential issues. You need to know the target company’s cyber insurance policy and the actions that need to be taken in case of an event such as a ransomware attack.
MH: Going into due diligence should we just adopt the viewpoint that the Target Company has already been hacked / breached and they just don’t know it yet?
AS: Yes, Marriott is a perfect example. Although Marriott later found out that the intrusion went undetected for four years before acquiring Starwood, they still had to pay more than $120 million to the U.K. Information Commissioner's Office for violating GDPR. As a general rule, I think it is better to start with the assumption that the target has been hacked, then conduct a very thorough due diligence to verify to what extent, as well as to test the target’s policies, data and overall cyber maturity level. Executives and corporate development professionals should be aware that hackers and nation-state hackers are proactively monitoring M&A activities, and that automatically raises the risks.
MH: If your target company is currently moving their IT to the Cloud – what are some due diligence best practices and insights for helping assess risks and post-close integration challenges?
MD: That is a common scenario, as most organizations are already in the cloud and likely migrating more over time. What we look for initially is how well do they understand their program and how tight are their governance and processes over it? As a buyer, you want to make sure it’s very tightly managed and understood. We want to make sure that system processes and governance are in place, but also keep in mind the potential for data exposure. We recently heard of a situation in which 150 million customers of a financial organization had account information made publicly available. It turned out that an individual department was loading data into a third-party cloud solution for running analytics and testing and didn’t involve the appropriate core governance, security and change controls. One of the things that has come up in terms of exposure, unrelated to M&A, but it certainly comes in during M&A, is to make sure your executive team and general counsel know what to do if they get a call from the FBI regarding cybersecurity, fraud or a data leak.
MH: What should an acquirer do if the Target Company is hit with a Ransomware attack prior to deal closing?
AS: You need to be prepared. As I mentioned before with cybersecurity insurance, you have to understand who is covered. Is it your coverage? Is it the target company’s coverage? Do you need additional coverage between the announcement of a definitive agreement and deal closing? Also, understanding their Incident Response Plans is very important, as is making sure that your team is trained on their Incident Response and identifying any gaps in it. You are required to react quickly, and there are a lot of decisions that must be made BEFORE you get hit with the ransomware attack.
About the Guest Panelists
Anna Sherony is a Senior cybersecurity and privacy expert; she serves as Partner with Fortium Partners and as Senior Advisor to M&A Partners. She has more than 16 years of C-level experience as a security and privacy consultant, strategist and systems implementer for large institutions in the financial services, insurance, health care and pharmaceuticals sectors.
Prior to that, Anna served as the CSO/CPO for the $48B Sammons Financial Group, where she was responsible for the company’s information security, as well as privacy assurance strategy, architecture and global oversight; including mainframe, distributed and infrastructure-based systems.
Mark Dickelman brings over 20 years of executive leadership in information technology, payments and financial services. Mr. Dickelman brings a wealth of hands-on expertise for a range of M&A scenarios. He has led turnarounds, numerous due diligence assignments, numerous acquisition rationalization and integration projects, divestitures, a JV dissolution and the creation of a mobile technology company, culminating in the largest IPO in the history of the Toronto Stock Exchange.
Prior to joining M&A Partners, Mr. Dickelman headed Innovation, Research & Development for U.S. Bank. Previously, as CIO of the JPMorgan-U.S. Bank payments joint venture, he was responsible for the development and operations of highly secure payment systems. He also served as a member of the U.S. Secret Service Electronic Crimes Task Force.