In 2018, when it was revealed that unauthorized cybercriminals had been accessing millions of Starwood guests’ data since 2014, Marriott had to bear the brunt of the breach. Why? Marriott acquired Starwood back in 2016, and while this meant inheriting more hotels, it also meant inheriting Starwood’s cyber risks. So, despite the attack having begun two years before the acquisition, it was Marriott’s responsibility to accurately assess Starwood’s cyber posture prior to integration. Failure to do so means that any cyber incident that occurs post-acquisition falls on the acquiring company. This incident is one of many that demonstrate the cybersecurity blind spot of the Mergers and Acquisitions (M&A) process.
COVID-19 has had a financial impact on almost all organizations. While this has caused an overall decline in M&A, many companies were forced to merge with, or be acquired by, another enterprise to remain in business. Hence, the cybersecurity risks of M&A remain prevalent and are only going to increase as the world recovers (financially, physically, mentally, you name it) from COVID and begins to engage in more M&A.
Attack Study – Merger and Acquisition Cybersecurity Risks
A report on the cybersecurity risks of M&A by Forescout showed that 62% of organizations agree that they face significant cybersecurity risks when acquiring new companies, and that cyber risk is the greatest concern following the acquisition. For the former, cyber risks increase during the process as data and money are being transferred, which makes them more exposed to theft by malicious cyber actors. More than half of acquiring companies experience a critical cybersecurity issue or incident during the M&A process. As for the latter, any cybersecurity risk associated with the target enterprise (the one being acquired) becomes the responsibility of the acquiring company. Enterprises need to know what they are acquiring – not only the company and its products/services but a myriad of other aspects, including cyber risks. Hence, the acquiring company must perform a comprehensive cyber assessment of the target company before integration to account for any cyber risks and to take the necessary actions to mitigate them (for example, cyber insurance). However, enterprises struggle with a lack of device visibility, meaning that both parties struggle to gather the information needed for an accurate and comprehensive cyber assessment.
The importance of cybersecurity during M&A deals is increasing. According to Gartner, by 2022 60% of organizations will consider cybersecurity posture a critical factor in their due diligence process. Additionally, Forescout’s report highlighted that the second most significant factor when performing due diligence on M&A targets is the history of their cybersecurity incidents. However, eight in ten organizations discover a previously unknown or undisclosed cyber-related issue following integration, and a lack of asset visibility is often the reason such issues went undetected. Issues that are detected may be inaccurately assessed based on incomplete information, again due to a lack of asset visibility. For example, a data breach could be incorrectly attributed to a phishing email when it was in fact caused by a Rogue Device that went under the radar of security tools. If you do not know it is there, how would you know it caused an attack?
HAC-1
Sepio’s Hardware Access Control solution (HAC-1) provides a panacea for the gap in device visibility. As the leader in Rogue Device Mitigation, Sepio’s solution identifies, detects, and handles all peripherals; no device goes unmanaged. This allows for a complete inventory of all IT, IoT, and OT assets operating on both USB and network interfaces. There is no longer a risk of certain assets going unassessed or being missed during inventory. Furthermore, HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of every device and compares it against known-to-be-vulnerable devices in its extensive built-in threat intelligence database. In doing so, HAC-1 not only detects all managed, unmanaged, and hidden devices operating within the enterprise’s infrastructure, but also reveals each device’s true identity. As such, HAC-1 automates a thorough cyber assessment that continues throughout the entire M&A process. Moreover, the comprehensive policy enforcement mechanism recommends best practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, HAC-1 automatically initiates a mitigation process that instantly blocks unapproved or Rogue hardware. So, whether the device is present prior to the M&A process or is inserted during it, HAC-1 provides organizations with constant, real-time protection that does not stop post-acquisition. We will be there as long as you will have us; and we are confident you will want us long after the M&A process is over.