Corporate Compliance Insights

5 Hidden Pitfalls in Cybersecurity Due Diligence

by Jason Wejnert
August 23, 2017
in Cybersecurity, Data Privacy, Featured

Key Considerations to Facilitate Smooth M&As

As the list of cybersecurity breaches grows daily and headlines grow more shocking – think Home Depot, Target, Anthem, Yahoo!, WannaCry – the importance of cybersecurity in M&A due diligence has correspondingly increased. Do you want to purchase a company that’s been compromised? How would you even know if it’s been breached?

Seventy-seven percent of corporate directors surveyed in a recent study cited cybersecurity as an increasingly significant consideration for M&A targets,[1] yet the subject continues to be treated only in general terms, leaving acquiring companies at risk.

At the highest level, buyers should ask the following questions about cybersecurity during the due diligence process:

  • How is the information used or stored by the company?
  • What cybersecurity policies are in place to protect the information?
  • What past cybersecurity breaches have occurred within the company? Websites? Email accounts? Servers? SQL databases?

While those questions cover many of the cybersecurity issues a buyer must inquire about, there are often-overlooked areas that are becoming more commonly exploited.

These areas typically arise where a company’s operations are low priority or offer little cost advantage, and sometimes from sheer laziness or ignorance. Five of them warrant a deeper inquiry into a seller’s policies and their enforcement.

#1: Unknown and Forgotten Applications and Websites

Often, during development or beta testing, or even in full production, web applications are created and then “forgotten.”[2] A seller may not even be aware of or track these “unknown” web applications, such as web server and data collection applications, possibly due to employee turnover or poor recordkeeping. These unknown and/or forgotten applications may offer a back door to broader access to company data. A buyer must inquire into historical records of application development and when, or whether, any applications were retired or taken offline. Version histories may give a clue to what is still exposed and therefore still available for exploitation.

#2: Software Patches

The recent WannaCry ransomware attack took advantage of vulnerabilities in the Windows operating system. As a result, Microsoft and affected companies scrambled to install software patches to prevent future attacks. But there was no need to scramble; these patches were already available. Vulnerabilities left unfixed because available patches were never applied represent a significant risk of penetration and theft or extortion of data, or simply a back door to other systems in the company. The buyer must investigate the history of patch installations and the current operating system and application versions to determine whether there are unpatched vulnerabilities in the seller’s inventory.

#3: Firmware Upgrades

A lesser-known but increasingly common source of vulnerabilities is firmware or code within chips in hardware devices, such as USB keyboards, web cams, graphics and sound cards that have not been updated for security fixes. Hardware devices, including routers, security cameras, process equipment, industrial sensors and control devices and even laptop lithium batteries represent a potential source of cybersecurity vulnerabilities.[3] Just as for software patches, the buyer must inquire about firmware upgrades to all connected equipment, especially as more and more internet of things (IoT) devices are made “intelligent” and connect to the internet.

#4: Default Logins for Connected Devices

A shockingly high percentage of connected devices – such as Ethernet and Wi-Fi routers, SCADA equipment and other mass-produced items with network or internet connectivity – are never updated to replace the manufacturer’s default login (often “admin/admin”).[4] These default logins allow outside parties to take control of the device and, through it, reach whatever networks and systems the compromised device is connected to. When evaluating these devices, the buyer should inquire about password policies for them and ask for a list of any devices that still use the manufacturer’s default login settings. Scanners that can examine whether default login credentials are in use are available and are recommended for use in conjunction with a cybersecurity expert.[5]
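Pitfalls #1 through #4 all come down to questions a buyer can answer from the seller’s asset inventory: who owns each asset, when it was last patched, whether its firmware is current and whether it still uses a default login. The following is an added example, not code from the article or its author, that turns those questions into a due-diligence review of a constructed inventory; the `Asset` fields, the 90-day patch threshold and the sample records are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed due-diligence inventory (hypothetical seller data); one record per asset.
@dataclass
class Asset:
    name: str
    owner: Optional[str]          # None: nobody can say who runs it (pitfall #1)
    last_patch: Optional[date]    # most recent OS/application patch (pitfall #2)
    firmware_current: bool        # at the vendor's latest security firmware (pitfall #3)
    default_login: bool           # manufacturer default credentials still in use (pitfall #4)

MAX_PATCH_AGE_DAYS = 90  # assumed review threshold, not a figure from the article

def findings(asset: Asset, today: date) -> List[str]:
    """Return the due-diligence issues one asset raises (empty list = clean)."""
    issues: List[str] = []
    if asset.owner is None:
        issues.append("no owner: possible forgotten application or site")
    if asset.last_patch is None:
        issues.append("no patch history on record")
    else:
        age = (today - asset.last_patch).days
        if age > MAX_PATCH_AGE_DAYS:
            issues.append(f"unpatched for {age} days")
    if not asset.firmware_current:
        issues.append("firmware behind vendor security release")
    if asset.default_login:
        issues.append("manufacturer default login still in use")
    return issues

def review(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    # Only assets with at least one finding appear in the report.
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        issues = findings(asset, today)
        if issues:
            report[asset.name] = issues
    return report

SAMPLE_INVENTORY = [  # constructed records
    Asset("beta-survey-app", None, date(2016, 11, 1), True, False),
    Asset("erp-server", "IT", date(2017, 8, 1), True, False),
    Asset("plant-cam-07", "Facilities", None, False, True),
]
REVIEW_DATE = date(2017, 8, 23)  # constructed: the article's date used as the review date

if __name__ == "__main__":
    for name, issues in review(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(name, "->", "; ".join(issues))
```

The review flags the forgotten beta application and the camera that nobody has patched, while the maintained ERP server produces no findings.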

#5: Personnel Training and Enforcement

Often, the weakest link in a company’s cybersecurity policy is the human element. Use of noncompany email accounts, “bring your own device” arrangements, use of cloud storage (e.g., Dropbox, OneDrive, Google Drive) and infected USB drives and flash drives brought to work all increase the likelihood of a breach.

A buyer must ask the seller to provide the company’s policies on personnel training and enforcement in these areas, a record of past breaches due to human factors and the measures used to correct or prevent them, such as prohibiting the use of nonwork email accounts or cloud storage applications, deploying security software that scans devices inserted into company hardware or requiring two-factor authentication for all logins to company data or networks.

Conclusion

In addition to the standard playbook of M&A cybersecurity due diligence, new layers of concern will accrete as hackers creatively exploit new vulnerabilities faster than software designers can anticipate them. Buyers will need to continuously update their checklists to account for new cybersecurity risks.

Assessing risks should be baked in on the front end of every M&A transaction, not as an afterthought in a memo from the intellectual property legal advisors, so that the buyer and seller can properly assess deal terms, value and post-closing risks and opportunities accordingly.

___________________

[1] https://www.nyse.com/publicdocs/Cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf

[2] Id.

[3] https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/ (“In 2011, security researcher Charlie Miller found that chips in Apple laptop lithium ion batteries were shipped with default passwords, allowing anyone who discovered the password and learned how to manipulate the firmware to potentially install malware that infects the computer and gives a hacker a persistent hold on it even after the operating system is reinstalled. To demonstrate the firmware vulnerability, he altered the firmware of Apple laptop batteries to trick them into reporting a low charge that would cause the charger to overcharge them until they were bricked.”)

[4] https://www.perspectiverisk.com/top-5-common-network-vulnerabilities-default-login-credentials/

[5] https://www.us-cert.gov/ncas/alerts/TA13-175A


Jason Wejnert

Jason M. Wejnert provides practical, creative legal guidance on a broad range of intellectual property matters to industry-leading clients—from small and mid-sized businesses to Fortune 500 companies. A member of the Intellectual Property & Technology group, Jason focuses his practice on patent litigation for industry-leading clients, managing all aspects of patent litigation cases from inception through trial, as well as ex parte and inter partes reexamination and review proceedings. As a former engineer for several technology companies, including Intel, Motorola and Medtronic, Jason leverages his background to provide practical insight to clients when it comes to protecting their intellectual property. His practice primarily centers on patents for complex technologies, including Internet and wireless technologies (e.g., Wi-Fi, WiMAX, CDMA and Bluetooth), ecommerce software, optical systems, computer software and hardware, photonics and database systems.

Jason facilitates and protects innovation from the origination of the idea to registration/protection of the innovation, licensing of the innovation, due diligence and transactional considerations, and enforcement of the innovation. This can include patentability opinions, patent portfolio and invention disclosure program improvement, freedom to operate studies, licensing agreements, development agreements, patent applications, trade secret protections, copyright and trademark registrations, distribution agreements, channel-partnering agreements and the like.
