
Why CFOs Must Calculate Security Risk During M&A

By Michael A. Davis

In short:

  • CFOs charged with due diligence need to pull in security experts. Not doing so can be costly.
  • Smart sellers will self-assess well before it’s time to close a deal
  • There are telltale signs that a company is a ticking breach time bomb

In 2017, Verizon paid $350 million less for Yahoo than the original $4.8 billion negotiated price. That sweet 7% markdown came courtesy of revelations of a data breach that affected 1 billion Yahoo accounts. And, in addition to the discount, the divisions of Yahoo not sold to Verizon agreed to be responsible for 50% of certain cash liabilities incurred following the closing.

That’s a lot of potential exposure, but acceptance was necessary to keep the deal together.

So how did Yahoo fare? Two years later, the cost for the additional liabilities that arose as a result of non-SEC government investigations and third-party litigation related to the breaches totaled approximately $117.5 million.

As a CFO on the buy side, wouldn’t you like to tell the board you could reduce the purchase price of a target by 7% and potentially shed future liability? And conversely as a seller, you certainly want to make sure your price can’t be lowered for factors in your control.

While the Verizon Yahoo acquisition is a big, headline-making, public transaction, don’t mistake it as a fluke. Security frequently throws a wrench into private negotiations: More than half, 52%, of respondents to a 2017 survey of corporate and private equity dealmakers by Mergermarket and Donnelley Financial Services say 26% to 50% of the companies they have targeted for an M&A deal had experienced data security breaches at some point in the past 24 months. I’m willing to bet that number would be higher now.


The fact that acquirers, not to mention investors, look closely at security is logical. “Infosec” is just another word for “risk,” and any potentially material risk not mitigated by the seller should be reflected in the deal terms. Furthermore, the IT security risk bucket generally includes both privacy and data security. With well-defined penalties for breaches of GDPR and CCPA regulations, assessing IT security risk during due diligence must be a top priority, on par with financial risk, valuation risk and operational risk.

No matter which side of the table you’re on, there are processes to ensure risk is properly identified and reflected in the deal. Finance teams almost never have the skills to perform these assessments themselves, and that’s as expected. But they should absolutely ask their IT colleagues to do so, and to report back, because breaches can be incredibly expensive.

Let’s discuss what to look for.

Buy Side

You cannot 100% eliminate the risk that the seller is already compromised and you’re buying a ticking time bomb. It’s simply impossible to prove a negative. While many experts recommend scanning the environment for telltale signs of a breach and, if nothing is found, giving the all clear, I don’t think that is nearly enough diligence.

Instead, I recommend a three-phase process:

  1. Compromise assessment
  2. Maturity assessment
  3. Third-party assessment

Phase 0: Is It Worth Our Time?

Before starting these assessments, take a step back and make sure the company is at least doing the basics. If it’s the wild security west, CFOs need to evaluate the cost of fully assessing and remediating versus the attractiveness of the deal.

One positive indicator is cybersecurity insurance. Issuers require that organizations meet a minimum set of IT processes, such as asset inventory, patching, vulnerability management and incident response, to be covered.

Barring that, your security team, or even better, an outside expert, should ask questions designed to spot problems. For example, as a purchaser, request an inventory of endpoint assets and an explanation of the process used to keep that list up to date. If there is no comprehensive register of devices but the security team insists it has endpoint protection software deployed on 100% of assets, guess what?

When a security team isn’t managing the basics, everything layered on top is flawed — guaranteed.

Furthermore, while a privacy assessment is beyond the scope of this column, you must be cognizant of what regulated data the company holds. For example, if it stores Social Security numbers, that immediately puts regulatory and compliance risks into play.


My point is, ask high-level, straightforward questions about cyber insurance as well as PCI, GDPR and CCPA and industry-specific compliance topics before starting on the technical items we will discuss next. You’ll get insights into the expertise of the security team and what types of risks they have generally accepted, implicitly or explicitly.

Use your gut, qualitative judgement here. It is usually right. And then, if things look solid, proceed to a formal assessment.

Phase 1: Compromise Assessment

A compromise assessment is very useful to reveal what you’re going to inherit “Day 1” if the deal goes forward. While every security consulting firm has its own menu, compromise assessments generally include an external and internal vulnerability assessment (note, this is not a penetration test; that comes later) and endpoint threat and/or malware indicator hunting.

The goal of a compromise assessment is to identify known knowns. Is this company infected by known malware? Has a known bad actor gotten into the network? Has IT let any known exploitable vulnerabilities hang around?

For example, your assessor should review network activity from the seller’s systems for the past 30 days. Cross-reference URLs accessed with known-bad URLs from a threat feed, and search Windows systems for registry keys or files that are known to be linked to malware.

This will not spot an advanced attacker. However, it can prevent the spread of malware to your systems. Routinely, I see buyer and seller networks connected in a wide-open fashion on Day 1 post-deal-close, usually to “aid in integration.” While security teams fight this, it seems to always be allowed, so due diligence here is doubly important.
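The URL cross-reference described above, as an added Python example that is not part of the original column: it checks proxy log lines from the 30-day look-back window against a threat feed of known-bad domains, matching on the parsed hostname and its parent domains rather than on substrings. The log format, host names and feed entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed threat-feed entries (reserved .example/.test names, not real indicators).
BAD_DOMAINS = {"malware-c2.example", "phish-login.test"}
# Constructed proxy log lines: ISO timestamp, source host, requested URL.
SAMPLE_LOG = """\
2024-05-29T22:41:55+00:00 ws-fin-014 http://update.Malware-C2.example:8080/gate.php?id=7
2024-04-02T03:10:00+00:00 srv-print-02 https://phish-login.test/owa/
2024-05-30T11:05:19+00:00 ws-hr-003 https://PHISH-LOGIN.test./owa/auth
2024-05-30T11:06:00+00:00 ws-hr-003 https://notmalware-c2.example/
malformed line without enough fields
"""

def host_of(url):
    """Hostname (urlsplit lower-cases it) without port or trailing dot; None if unparsable."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def feed_match(host, feed):
    """Return the feed entry equal to host or to one of its parent domains, else None."""
    labels = host.split(".")
    for i in range(max(1, len(labels) - 1)):
        if ".".join(labels[i:]) in feed:
            return ".".join(labels[i:])
    return None

def hunt(log_text, feed, now, days=30):
    # Returns (timestamp, source, host, indicator) for hits inside the look-back window.
    cutoff = now - timedelta(days=days)
    hits = []
    for line in log_text.splitlines():
        try:
            stamp, source, url = line.split()
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # wrong field count or unparsable timestamp
        host = host_of(url)
        if host is None or not cutoff <= ts <= now:
            continue
        indicator = feed_match(host, feed)
        if indicator:
            hits.append((stamp, source, host, indicator))
    return hits

if __name__ == "__main__":
    print(*hunt(SAMPLE_LOG, BAD_DOMAINS, datetime(2024, 6, 1, tzinfo=timezone.utc)), sep="\n")
```

Matching on parsed hostnames keeps the lookalike `notmalware-c2.example` from being flagged, and the window filter drops the April entry that falls outside the 30 days under review.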

Phase 2: Maturity Assessment

In this phase, your team assesses the maturity of the organization’s security posture across a variety of risk areas. I personally recommend following the free, popular NIST Cybersecurity Framework, which covers five areas of maturity for which every organization should have controls. The maturity level of a company you’re purchasing should be at least as high as that of your own organization — after all, culture matters in M&A.

If you don’t know where you stand, having IT perform the exercise internally as a baseline is better than nothing. The NIST CSF website provides free tools and training.

Unlike traditional IT security frameworks such as ISO, the controls within the NIST CSF are not a binary “doing” versus “not doing.” Rather, each control is evaluated in terms of functionality and repeatability. For example, just because the seller’s IT organization did something once eight months ago doesn’t mean the risk is still mitigated.


Perfection isn’t the point, nor achievable. What you as a potential buyer want to see are continuous improvements. My experience is that these conversations are eye-opening when performed during due diligence. CFOs realize better than most that a solid process and repeatability lead to success. But in my experience, IT security teams are not good at repeatably executing, rely too much on prevention and therefore are very likely to miss an attack.

The NIST process should take your team less than a day to complete and usually does not require that any confidential or proprietary information be shared. If the seller pushes back, it’s a red flag.

Phase 3: Third-Party Assessment

The last step is to review the organization’s third-party contractors, to the greatest extent possible. Remember, your company is inheriting any risk the seller accepted — intentionally or not. If the seller uses outsourced vendors for logistics, IT or other critical processes, review the contracts, obligations and controls in place to verify that the third party is properly managing risk and data.

For example, in one deal I was involved with, a third party that hosted critical customer data used for printing letters and statements had never been reviewed for security, nor did its contract include requirements for cyber risk insurance — or, for that matter, any security at all. Turns out, it had lost documents and been successfully attacked multiple times.

Had this provider been critical to the combined entity, a remediation plan would have needed to be in place on Day 1. In this case, the combined entity hired a new vendor.

The third-party assessment will also help you as the buyer understand if you need to increase your own cyber risk insurance limits or change your processes, and estimate the work required to integrate the business. For example, if you must review 300 vendors’ contracts because the seller never did, you need to account for those costs.

Sell Side

If you didn’t read the buy-side guidance, please do because my sell-side advice is the same. That’s right: Run those exact assessments on your own systems, and be honest about what you find. If cost is an issue, don’t use an external firm. Your IT staff can generally manage using free resources from NIST. Many buyers won’t take internal results at face value and will pay for a formal review, but if you’ve already done a self-assessment, you have most of the answers to the test before you pick up a pencil.

In addition to knowing your data and risks, there are a couple of techniques that can help reduce the risk a buyer may perceive.

First, focus on the assets and processes that handle your critical data or that must be available for operations. Risk is not uniform. I’ve seen buyers take the stance that a risk is present and then attempt some mathematical calculation across all assets to derive a reduction in purchase price or finagle better terms. That’s unfair, so ensure you can demonstrate that a questionable contractor can be cut loose without an impact on operations.

Second, have a plan of action that passes the sniff test. I had one situation where a seller came prepared with data indicating everywhere risk was and exactly what they were doing about it. Problem is, the plan was complete bunk. The company had hundreds of issues and a two-person security team, yet everything was going to be locked down in a few months, just in time for deal close? Unlikely.

Third, if you are regulated or have a mature governance structure, bring audit or examination reports from previous years to the table. While the buyer may not put full faith in them, because being compliant does not mean you are not high risk, I know I am much more comfortable with an organization that can demonstrate two or three years of consistent execution of audits and exams. These reports give me a starting point to look for areas of risk and lower my overall assessment time.


Fourth, if the assessment starts late, often because the deal is guaranteed or at low risk of falling apart, be upfront about the reality. I cannot stress this enough — especially if you want a role in the company going forward. This isn’t just for security, it applies to financials, operations, sales, whatever. Sooner or later problems will be found, I guarantee it. And it’s the person who tried to bury the evidence who will take the fall, because the buyer can always claim ignorance.

Don’t be the person who causes significant delays to integration projects because you were afraid to be upfront about the risks you accepted. I have seen open, honest conversations lead to help and funding to fix the problem much more often than honesty has caused a deal to fail. Ultimately, whether buying or selling, IT security risk is just as important as other risks and can have material impact to the deal structure. Marrying a mature security organization with an immature one will create multiples of risk.

As a senior leader, the CFO can back up the CISO when she recommends keeping networks separate and without visibility at Day 0 and properly tracking improvements as integration occurs. Remain silent on security risk and you may find yourself paying a steep price for a breach you could have helped prevent.

Michael A. Davis is an independent security consultant. He was previously CTO of GoSecure and Senior Manager, Global Threats for McAfee. Aside from his work advancing cyber security, Mr. Davis has been a partner in diverse entrepreneurial startups; held a leadership position at 3com; managed two Internet service providers; and recently served as president/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.

As an educator on IT security, Mike’s portfolio of clients includes international corporations such as AT&T, Sears and Exelon as well as the U.S. Department of Defense. His early embrace of entrepreneurship earned him a spot on BusinessWeek’s “Top 25 under 25” list, recognizing his 2005 launch of IT security consulting firm Savid Technologies, which was recognized as one of the fastest growing security companies of its decade. He has a passion for educating others, as a contributing author for the “Hacking Exposed” books, through industry publications including InformationWeek and Dark Reading, and as a speaker at industry conferences including Black Hat, Interop, SuperStrategies, and InfoSecWorld.

  
