Key Considerations to Facilitate Smooth M&As
As the list of cybersecurity breaches grows daily and the headlines grow more shocking (the Home Depot, Target, Anthem and Yahoo! breaches, the WannaCry outbreak), the importance of cybersecurity in M&A due diligence has grown with it. Do you want to purchase a company that has already been compromised? How would you even know whether it has been breached?
In a recent survey, 77 percent of corporate directors said that the cybersecurity of an M&A target has become increasingly significant,[1] yet the subject continues to be treated only in general terms, which leaves acquirers exposed.
At the highest level, buyers should ask the following questions about cybersecurity during the due diligence process:
- What information does the company hold, and how is it used and stored?
- What cybersecurity policies are in place to protect that information?
- What past breaches has the company suffered, and of what: websites, email accounts, servers, SQL databases?
Those questions cover many of the cybersecurity issues a buyer must ask about, but several areas are routinely overlooked and are increasingly the ones exploited.
These areas are usually neglected because they are low priority, offer little cost advantage, or simply fall victim to laziness or ignorance. Five of them warrant a deeper inquiry into the seller's policies and how they are enforced.
#1: Unknown and Forgotten Applications and Websites
Often, during development or beta testing, or even in full production, web applications are created and then "forgotten."[2] A seller may not even be aware of or track these "unknown" web applications, such as web servers and data collection applications, typically because of employee turnover or poor recordkeeping. An unknown or forgotten application that is still reachable may offer a back door to wider access to company data, and because nobody owns it, nobody patches it. A buyer must inquire into the historical record of application development and into when and whether each application was obsoleted or taken offline. Version histories and deployment records may indicate what is still reachable and therefore still exploitable.
#2: Software Patches
The recent WannaCry ransomware attack took advantage of a vulnerability in the Windows operating system. Companies scrambled to install the patch after the attack, but there was no need to scramble: Microsoft had released the patch two months earlier. Known vulnerabilities left unpatched represent a significant risk of penetration, data theft or extortion, or simply a back door into other systems in the company. The buyer must investigate the history of patch installation and the current operating system and application versions in the seller's inventory to determine whether unpatched vulnerabilities remain. The inventory should also flag end-of-life software for which no patch will ever be issued, since it cannot be brought up to date at all.
#3: Firmware Upgrades
A lesser-known but increasingly common source of vulnerabilities is firmware, the code embedded in the chips of hardware devices such as USB keyboards, webcams, and graphics and sound cards, that has never been updated with security fixes. Firmware sits below the operating system, so ordinary patch management tools usually do not see it. Hardware devices including routers, security cameras, process equipment, industrial sensors and control devices, and even laptop lithium-ion batteries represent a potential source of cybersecurity vulnerabilities.[3] Just as for software patches, the buyer must inquire about firmware upgrades for all connected equipment, especially as more and more internet of things (IoT) devices are made "intelligent" and connected to the internet.
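The patch and firmware inquiries above come down to the same check: for each asset, compare the version actually running against the minimum version that carries the fix. The script below is an added example written for this article, not a tool the article or its sources describe. The inventory rows, product names and the minimum-version baseline are constructed for the example and are hypothetical; a real baseline is taken from the vendor advisories for the products in the seller's environment, and the same comparison applies to operating system builds.

```python
"""Flag inventory entries (software or firmware) running below a minimum patched version."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str  # operating system, application, or firmware image
    version: str  # version string as reported by the device or package manager


def version_key(version):
    """Turn '1.10.2b' into the comparable tuple ((1, ''), (10, ''), (2, 'b')).

    Plain string comparison gets this wrong ('1.9' sorts after '1.10'),
    which is exactly how a vulnerable build slips past a naive inventory check.
    Trailing '.0' components are dropped so that '1.2' and '1.2.0' compare equal.
    """
    parts = []
    for token in re.split(r"[.\-_]", version.strip()):
        m = re.match(r"(\d+)(.*)", token)
        if m:
            parts.append((int(m.group(1)), m.group(2)))
        else:
            parts.append((-1, token))  # non-numeric tokens sort before any number
    while parts and parts[-1] == (0, ""):
        parts.pop()
    return tuple(parts)


def is_below(installed, minimum):
    """True if the installed version is older than the minimum patched version."""
    return version_key(installed) < version_key(minimum)


# Constructed baseline: minimum versions assumed to carry the relevant fix.
# Hypothetical values; take real ones from the vendor advisories.
MINIMUM_SAFE = {
    "router-firmware": "2.4.1",
    "camera-firmware": "1.10.0",
    "app-server": "9.0.14",
}


def unpatched(assets, minimum=MINIMUM_SAFE):
    """Return (host, product, version, reason) for every asset needing attention.

    An asset whose product has no baseline is reported too: an unknown product
    cannot be confirmed patched, and end-of-life software for which no patch
    exists belongs on the same list.
    """
    findings = []
    for a in assets:
        required = minimum.get(a.product)
        if required is None:
            findings.append((a.host, a.product, a.version, "no baseline for product"))
        elif is_below(a.version, required):
            findings.append((a.host, a.product, a.version, f"below {required}"))
    return findings


# Constructed inventory standing in for the seller's asset list.
SAMPLE_INVENTORY = [
    Asset("edge-rtr-01", "router-firmware", "2.4.1"),
    Asset("edge-rtr-02", "router-firmware", "2.3.9"),
    Asset("cam-lobby", "camera-firmware", "1.9.3"),
    Asset("app-01", "app-server", "9.0.14"),
    Asset("plc-line-3", "plc-firmware", "4.2"),
]


if __name__ == "__main__":
    for host, product, version, reason in unpatched(SAMPLE_INVENTORY):
        print(f"{host:14} {product:16} {version:10} {reason}")
```

The camera entry is the case that matters: "1.9.3" looks newer than "1.10.0" to a spreadsheet sort, and the PLC with no baseline is reported rather than silently assumed safe.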
#4: Default Logins for Connected Devices
A shockingly high percentage of connected devices, such as Ethernet and Wi-Fi routers, SCADA equipment and other mass-produced items with network or internet connectivity, are never updated to replace the manufacturer's default login (often "admin/admin").[4] A default login lets an outsider take over the device and use it as a foothold into every network the device is connected to. When evaluating these devices, the buyer should ask for the password policies that apply to them and for a list of any devices still using the manufacturer's default settings. Scanners that can check whether default credentials are still in use are available and are recommended, used in conjunction with a cybersecurity expert and only with the seller's written authorization, since login attempts against production equipment can lock accounts or disrupt the device.[5]
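The core of such a default-credential check, as an added example written for this article rather than the scanner the cited advisory refers to, is below. The device list, vendor models, credential pairs and the fake_login function are all constructed so the example runs offline; for real use the caller supplies a login function for the device's actual protocol (SSH, HTTP, SNMP) in place of fake_login.

```python
"""Check an inventory of network devices for vendor default logins."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    host: str
    model: str


# Constructed default-credential table keyed by device model. The vendor names
# and pairs are hypothetical; a real table comes from vendor manuals or a
# maintained default-password list.
DEFAULT_CREDENTIALS = {
    "acme-router": [("admin", "admin"), ("admin", "")],
    "acme-camera": [("root", "12345")],
    "acme-plc": [("operator", "operator")],
}


def check_defaults(devices, try_login, credentials=DEFAULT_CREDENTIALS, max_attempts=3):
    """Return {host: (user, password)} for every device that accepts a default pair.

    try_login(host, user, password) -> bool is supplied by the caller and is the
    only part that touches a device. Attempts are capped per device so that the
    check itself cannot trigger account lockouts, and a model with no known
    defaults is skipped rather than brute-forced.
    """
    hits = {}
    for device in devices:
        pairs = credentials.get(device.model, [])[:max_attempts]
        for user, password in pairs:
            if try_login(device.host, user, password):
                hits[device.host] = (user, password)
                break  # one confirmed default is enough; stop touching the device
    return hits


# Constructed stand-in for real devices: the credentials each one actually has.
# The checker never reads this table; it only sees fake_login's answers.
_FAKE_DEVICE_PASSWORDS = {
    "rtr-branch-1": ("admin", "admin"),  # factory default never changed
    "rtr-branch-2": ("admin", "Xk9!pQ2m"),  # rotated
    "cam-dock-4": ("root", "12345"),  # factory default never changed
    "plc-line-3": ("operator", "L3-s3cret"),  # rotated
    "sw-core-1": ("netadm", "n0tDef4ult"),  # model not in the default table
}


def fake_login(host, user, password):
    """Offline replacement for a real device login, used only to run the example."""
    return _FAKE_DEVICE_PASSWORDS.get(host) == (user, password)


SAMPLE_DEVICES = [
    Device("rtr-branch-1", "acme-router"),
    Device("rtr-branch-2", "acme-router"),
    Device("cam-dock-4", "acme-camera"),
    Device("plc-line-3", "acme-plc"),
    Device("sw-core-1", "other-switch"),
]


def report(devices=SAMPLE_DEVICES, try_login=fake_login):
    """Print one line per device and return the hits for further handling."""
    hits = check_defaults(devices, try_login)
    for device in devices:
        status = f"DEFAULT LOGIN {hits[device.host]}" if device.host in hits else "ok"
        print(f"{device.host:14} {device.model:14} {status}")
    return hits


if __name__ == "__main__":
    report()
```

Keeping the login function injectable is what makes the check safe to review before it is run: the seller can see exactly which hosts will be touched, with which pairs, and how many attempts each will receive.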
#5: Personnel Training and Enforcement
Often, the weakest link in a company's cybersecurity program is the human element. Use of personal email accounts, "bring your own device" practices, use of consumer cloud storage (e.g., Dropbox, OneDrive, Google Drive) and infected USB or flash drives brought into the office all increase the likelihood of a breach.
A buyer must ask the seller for its policies on personnel training and enforcement in these areas, for any past breaches attributable to human factors, and for the measures taken to correct or prevent them, such as prohibiting nonwork email accounts and cloud storage applications, deploying security software that scans devices inserted into company hardware, or requiring two-factor authentication for all logins to company data or networks.
Conclusion
In addition to the standard playbook of M&A cybersecurity due diligence, new layers of concern will accrete as hackers creatively exploit new vulnerabilities faster than software designers can anticipate them. Buyers will need to continuously update their checklists to account for new cybersecurity risks.
Assessing risks should be baked in on the front end of every M&A transaction, not as an afterthought in a memo from the intellectual property legal advisors, so that the buyer and seller can properly assess deal terms, value and post-closing risks and opportunities accordingly.
___________________
[1] https://www.nyse.com/publicdocs/Cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf
[2] Id.
[3] https://www.wired.com/2015/02/firmware-vulnerable-hacking-can-done/ (“In 2011, security researcher Charlie Miller found that chips in Apple laptop lithium ion batteries were shipped with default passwords, allowing anyone who discovered the password and learned how to manipulate the firmware to potentially install malware that infects the computer and gives a hacker a persistent hold on it even after the operating system is reinstalled. To demonstrate the firmware vulnerability, he altered the firmware of Apple laptop batteries to trick them into reporting a low charge that would cause the charger to overcharge them until they were bricked.”)
[4] https://www.perspectiverisk.com/top-5-common-network-vulnerabilities-default-login-credentials/
[5] https://www.us-cert.gov/ncas/alerts/TA13-175A