This is Part 2 of our three-part blog series on the critical importance of cybersecurity in the M&A process. Part 1 addressed due diligence, and in this blog, we cover the pre-close phase.
The pre-close period of an M&A transaction typically lasts just 30 days — an extraordinarily brief period considering the incredible amount of work that goes into closing a deal.
During this period, cybersecurity is sometimes neglected or even outright overlooked, as the IT function considers bigger issues related to integration, divestment and maintenance. But this could prove to be a fatal error, as a breach occurring during the pre-close period could lead to significant operational, financial and reputational issues for both the buyer and seller. At the same time, preparations made during this time will certainly influence the success of the integration post-close.
Considerations During Pre-Close
Here we explore three cybersecurity considerations that every organization should address during pre-close in order to maintain network security and help prime the organization for post-close success.
1. Establish responsibility for the security agenda with a transition services agreement (TSA)
While global M&A activity has decreased dramatically in 2020, cyberattacks are up.
For instance, in a recent survey of the APJ region, CrowdStrike observed a 330% increase in eCrime activity in the first half of 2020 as compared to the same period in 2019. As such, it’s important to protect the health and security of the target organization. The question is, who takes responsibility for this activity?
One of the first items on the cybersecurity agenda during the pre-close phase is establishing a transition services agreement (TSA). This document outlines who will own and manage all aspects of the target company’s digital security plan, including proactive measures, such as prevention and monitoring services, as well as reactive efforts if and when an incident occurs. As part of this agreement, organizations should also outline any consequential risks identified during the due diligence phase and determine how to fill those gaps or otherwise strengthen defenses.
Buyers should be especially mindful of the need for a clear and comprehensive TSA, as they will ultimately bear the cost, financially and operationally, of resolving any incidents that occur during the pre-close phase. Also, since the terms of the deal have already been negotiated and agreed upon, any events that change the valuation of the target, such as data loss or theft, could significantly impact the value of the investment.
Finally, it’s important to examine the TSA within the context of the company’s insurance policies. Unfortunately, cybersecurity issues that may impact M&A activity often are not covered by warranty and indemnity (W&I) insurance, directors and operators (D&O) liability insurance, or even cybersecurity policies. In many cases, this is because the cyber risk was not assessed in the due diligence phase and was therefore excluded or not explicitly mentioned in such policies. If a full assessment has not been completed, buyers may be responsible for the cost of breaches occurring at this stage.
2. Confirm the health of the IT environment with a hygiene assessment
In Part 1 of this series, covering the critical role of cybersecurity due diligence in M&A activity, we discussed the importance of conducting a compromise assessment to identify known risks associated with the target company. The assessment identifies any past or current threat activity. The focus of the assessment is to answer the question: “Has the organization we are acquiring been breached?” In addition to a compromise assessment, it should also be determined if the organization has good IT hygiene practices.
An IT hygiene assessment is typically the first step in maintaining a healthy network. Like the compromise assessment, it will identify points of concern, such as unprotected devices on the network, unpatched systems and other vulnerabilities that could be exploited by a threat actor. However, it will take the process a step further, helping the organization analyze the situation and interpret the data in order to prioritize vulnerabilities and determine an appropriate response.
An organization that shows multiple instances of past threat activity during a compromise assessment, and poor IT hygiene practices during a hygiene assessment, has an increased risk profile, which should be clearly understood before closing the deal and integrating the networks.
For example, cybersecurity professionals may note that the IT function uses multiple antivirus vendors. This is purely an observation, which may have little meaning to the buyer. The hygiene assessment will go a step further, helping the organization understand what implications this has for the business and how significant of an issue it is.
In this case, does having more than one vendor strengthen security, or does it make the task of managing security and detections more complex and therefore less effective? The cybersecurity assessment team will also take any necessary steps to address and resolve the issue, assuming it is a priority for the organization.
3. Preserve the health and hygiene of the network with comprehensive monitoring, response and remediation tools and services
Cybersecurity is a universal, ongoing concern. Every organization faces the risk of a breach — and network health and hygiene can change from day to day. For organizations involved in M&A activity, each company’s risk essentially doubles overnight since network integration will expose each organization to threats originating with the other.
Companies must adopt a holistic security strategy that incorporates a variety of endpoint monitoring, detection and response capabilities to ensure the safety of their network. Similar to the hygiene assessment, analysis and interpretation play a big role in this activity. Organizations face risks all the time — the key is knowing which to prioritize and how to remediate the threat with minimal disruption to the business. As such, most organizations should leverage both a comprehensive cybersecurity toolset, as well as on-call resources to help analyze events and respond to them.
One way to achieve immediate security maturity is via a managed service such as CrowdStrike® Falcon Complete™. Falcon Complete is CrowdStrike’s endpoint protection solution delivered as a managed detection and response service that utilizes both the expertise of CrowdStrike Services threat hunters and the power of the CrowdStrike Falcon® platform to detect and respond to threats present in a customer’s environment.
Falcon Complete provides 24/7 hands-on management and optimization of the endpoint security environment, ensuring that cybersecurity matters are handled professionally throughout the pre-close period. The Falcon Complete team of expert analysts automatically detects and intelligently prioritizes malicious and attacker activity and helps organizations respond quickly to contain, investigate and remediate compromised systems. Our services map to MITRE’s proprietary Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, which helps clients understand even the most complex detections at a glance.
Making the Most of Pre-Close
Cost is often a big driver of decisions during the pre-close phase of the M&A lifecycle. Cybersecurity, which is often overlooked during this period, may not seem like a worthy investment, though the risk of ignoring this issue is both clear and substantial: Research such as the Ponemon 2020 Cost of a Data Breach report shows that 80% of breaches involved customer PII (personally identifiable information) with the average cost of a breach topping $3.86M. In addition, steps taken during pre-close will help set the organization up for a successful integration post-close. For both buyers and sellers, we recommend using these 30 days wisely to maintain a healthy investment today and establish a more secure one for tomorrow.