A merger or acquisition can introduce security risks to the acquiring organization – sometimes years after the transaction is finalized. In the case of the Marriott International acquisition of Starwood Hotels & Resorts, it took two years for Marriott to discover that there had been unauthorized access to Starwood’s guest reservation database, with breaches occurring since 2014. The security breach exposed the personal information of 383 million customers and has cost Marriott $72 million to date, with additional costs expected.
Thousands of mergers and acquisitions (M&A) take place each year – approximately 49,000 transactions occurred worldwide in 2018 [1]. However, ensuring that proper security procedures are in place often gets overlooked, as was clearly the case in the Starwood acquisition.
Adding cybersecurity risk assessment as part of your M&A due diligence is critical to protect your organization.
Point B’s Approach
Point B has identified the four major components that a good due diligence program should include:
- Leadership support for cybersecurity due diligence
- Data mapping
- Quick assessment of cybersecurity practices
- A risk-scoring tool that identifies and prioritizes risks
Leadership support for due diligence
Support in the form of an organization-wide policy from senior management is critical when developing a cybersecurity due diligence program. Once the policy is approved, ensure that appropriate resources and budget are available for the program.
During the M&A process, leadership must emphasize to both organizations the importance of cybersecurity due diligence, making it clear this step must be completed before the close of the transaction.
Data mapping
Data mapping can help you identify data handling processes and controls that may need to be strengthened, as well as opportunities to anonymize or delete sensitive data.
Interviews and/or questionnaires can help you quickly identify how and where the target company processes, transmits and/or stores sensitive data (e.g. personally identifiable information (PII), credit card numbers, health information), and how that data is protected and regulated, depending on the industry. It’s important to understand how sensitive data comes into the target company, how it moves throughout the company, and whether it is sent to third parties.
Cybersecurity practices questionnaire
Require the target company to complete a short questionnaire (ideally 50 questions or fewer) detailing its cybersecurity practices against a recognized set of best practices (e.g. the Center for Internet Security’s Critical Security Controls [CIS CSC]). The questionnaire is a quick and effective way to discover how mature the target company’s cybersecurity practices are and whether there are major risks, such as stored sensitive data not being encrypted. The questionnaire also gives you the chance to identify areas where you might need to follow up or dig more deeply.
Focus on critical cybersecurity controls such as encryption of stored sensitive data, system patching, privilege management and logging.
Ask whether the target company has experienced any recent security breaches, whether its cybersecurity program is based on a best-practices framework (e.g. CIS CSC, National Institute of Standards and Technology Cybersecurity Framework [NIST CSF]), and ask it to identify all third parties (e.g. MSSPs) that provide cybersecurity services.
If the target company has had a recent third-party assessment of its cybersecurity practices (e.g. SSAE18, PCI DSS), request the full assessment report and review it thoroughly. Such assessments are performed by third-party experts, and their reports are full of useful information.
Risk-scoring tool
Develop a risk-scoring tool to quantify the target company’s level of cybersecurity risk (e.g. high, medium, low) based on the results of its data mapping and cybersecurity questionnaire. A typical approach is to assign scores (e.g. 1, 2, 3) to specific questionnaire responses and data mapping findings, then combine all the individual scores into an overall cybersecurity risk score.
Base the tool on the factors that are most important and relevant to your organization (e.g. how much sensitive data is stored at the target company, whether the company has had a recent security breach, or whether it sends sensitive data to third parties).
The tool is an easy-to-use and effective way to clearly communicate the target company’s cybersecurity risk to your senior management.
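The following Python script is an added example of the kind of risk-scoring tool described above; it is not Point B’s tool or code from the article. It assumes a set of questionnaire and data-mapping factors, weights, record-volume thresholds and band cut-offs that are all constructed for illustration, scores each response 1 to 3, combines them into a weighted overall score with a high/medium/low rating, and lists the high-risk factors by weight so the most important findings are followed up first. An unanswered question is deliberately scored as high risk, since a gap in the questionnaire is itself a finding.

```python
"""Illustrative cybersecurity risk-scoring tool for M&A due diligence.

Added example; not Point B's tool or the article's own code. The factor
names, weights, thresholds and sample responses are constructed for
illustration. A real tool would use the factors that matter most to the
acquiring organization.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Factor:
    name: str                    # questionnaire question or data-mapping finding
    weight: float                # relative importance to the acquiring organization
    score: Callable[[Any], int]  # maps a response to 1 (low), 2 (medium) or 3 (high)


def yes_is_high(answer: bool) -> int:
    return 3 if answer else 1


def no_is_high(answer: bool) -> int:
    return 1 if answer else 3


def record_volume(count: int) -> int:
    """Band the number of sensitive records (PII, card data, health data)
    the target stores; the thresholds are constructed placeholders."""
    if count < 10_000:
        return 1
    if count < 1_000_000:
        return 2
    return 3


# Assumed factor set and weights, drawn from the data mapping and questionnaire.
FACTORS = (
    Factor("sensitive_records_stored", 3.0, record_volume),
    Factor("stored_sensitive_data_encrypted", 3.0, no_is_high),
    Factor("recent_breach", 2.0, yes_is_high),
    Factor("sends_sensitive_data_to_third_parties", 2.0, yes_is_high),
    Factor("systems_patched_within_30_days", 2.0, no_is_high),
    Factor("follows_best_practice_framework", 1.0, no_is_high),
    Factor("privileged_access_reviewed", 1.0, no_is_high),
    Factor("centralized_logging", 1.0, no_is_high),
    Factor("recent_third_party_assessment", 1.0, no_is_high),
)
WEIGHTS = {f.name: f.weight for f in FACTORS}


def band(score: float) -> str:
    """Map a weighted average in [1, 3] to a high/medium/low rating (constructed cut-offs)."""
    if score < 1.67:
        return "Low"
    if score < 2.34:
        return "Medium"
    return "High"


def score_target(responses: dict[str, Any]) -> dict[str, Any]:
    """Score one target company from its questionnaire and data-mapping responses.

    Returns the overall weighted score, its rating, the per-factor scores and
    the high-risk factors ordered by weight for prioritized follow-up.
    """
    details: dict[str, int] = {}
    weighted_sum = 0.0
    for factor in FACTORS:
        if factor.name in responses:
            points = factor.score(responses[factor.name])
        else:
            # An unanswered question is itself a finding: treat it as high
            # risk until the target provides evidence.
            points = 3
        details[factor.name] = points
        weighted_sum += points * factor.weight
    overall = weighted_sum / sum(WEIGHTS.values())
    priorities = sorted(
        (name for name, points in details.items() if points == 3),
        key=lambda name: (-WEIGHTS[name], name),
    )
    return {
        "score": round(overall, 2),
        "rating": band(overall),
        "details": details,
        "priorities": priorities,
    }


# Constructed responses for a hypothetical target. The third-party assessment
# answer is deliberately missing and is scored as an open risk.
SAMPLE_TARGET = {
    "sensitive_records_stored": 2_500_000,
    "stored_sensitive_data_encrypted": False,
    "recent_breach": False,
    "sends_sensitive_data_to_third_parties": True,
    "systems_patched_within_30_days": True,
    "follows_best_practice_framework": True,
    "privileged_access_reviewed": False,
    "centralized_logging": True,
}

if __name__ == "__main__":
    result = score_target(SAMPLE_TARGET)
    print(f"Overall: {result['score']} ({result['rating']})")
    for name in result["priorities"]:
        print(f"  follow up: {name}")
```

For the constructed sample the tool returns an overall score of 2.25 (Medium) and lists unencrypted stored data and the volume of sensitive records ahead of the third-party data flows and the missing assessment, which is the order in which the follow-up questions to the target should be asked. Weighting the factors, rather than summing raw scores, is what lets the acquiring organization express which risks matter most to it, as the article recommends.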
The Bottom Line
There’s an inherent risk in any M&A transaction, and creating a merger and acquisition cybersecurity due diligence program requires time and effort. But, in the long run, it’s a great way for organizations to reduce their cybersecurity risk.