Corporate Compliance Insights
M&A Process Changes: Assess Digital Risk Before You Make That First Call

Acquirers Ignore the Obvious in Cybersecurity Due Diligence

by Kurtis Minder
April 30, 2020
in Cybersecurity, Featured

For many prospective acquirers, the due diligence process involves laborious, costly technology and policy audits that often extend beyond the deal close, rather than a search for the target’s existing digital risk and exposure. GroupSense CEO Kurtis Minder discusses this much easier (and more obvious) approach.

Information and cybersecurity audits are a fundamental part of the M&A due diligence process. Given the impact of a breach on potential valuation, market acceptance, public relations and brand value, the security posture of a business being considered for an acquisition is a key element in understanding the liability, risk and value of the business.

The most famous case where a data breach dropped a stink bomb into the whole M&A process was when Verizon was in talks to acquire Yahoo! In this case, it was actually two data breaches, impacting more than 3 billion user accounts, that were disclosed during acquisition negotiations. Ultimately, the disclosures caused Yahoo! to decrease its sale price by $350 million while also taking on responsibility for 50 percent of any damages resulting from subsequent litigation.

As damaging as the Yahoo! data breaches were, Verizon was fortunate to find out about them before the deal closed, so it could revise the acquisition price. This usually does not happen, often because acquirers do not prioritize vigorous cybersecurity assessments as part of the M&A process. The norm is for data breaches and other security and compliance issues to be discovered after the fact, once the acquiring company’s personnel have the time and resources to really take a look at the acquired company’s infrastructure.

A vivid example of this “after the fact” surprise was the recent Marriott breach, during which the company learned that the systems of an acquired company, Starwood, had been compromised at the time of the deal. Bloomberg Intelligence estimates that the damages caused by regulatory fines ($123 million for GDPR alone) and remediation costs will be approximately $1 billion, or 8 percent of the $13.6 billion deal, roughly the equivalent of Starwood’s annual profits at the time of the acquisition. While this is the most recent headline-grabbing example of a good deal gone bad, it is hardly the only one. According to a Forescout survey of 2,700 IT decision-makers, 65 percent reported that their companies had experienced buyer’s remorse after an acquisition due to cybersecurity issues discovered after the close.

If Only…

Cybersecurity has been an afterthought for some acquirers because of the time, cost and effort required to do a full assessment of a company’s systems, processes and risk profile. This process can involve countless person-hours, surveys, compliance checks and scans of devices and network elements. It also typically involves a third-party consulting organization, legal teams and various disclosure documents that are sensitive to the business. This heavy-handed approach can slow down deals and cause acquirers to either bypass it altogether or wait until the acquisition process is far enough along to justify the expenditure of time, money and resources. However, given the damage security issues can cause to deals, it would be best for companies to understand the severity of any issues early in the process – or even before they begin. (Some issues can be so bad that acquirers should not even waste their time and money on opening discussions.)

Additionally, for institutions that are evaluating multiple companies for acquisition and are at an early stage in the process, attempting a traditional security assessment for each company is not only too cumbersome and expensive, it is also risky: They might not want the target companies to know they are being considered for acquisition.

If only there were a way to evaluate the security and compliance postures of target companies that is efficient, cost-effective and private. Well, it turns out there is: Use targeted threat intelligence to look outside the company for signs of security vulnerability and compromise.

The Digital Risk Footprint Tells All

I have long argued that cyber intelligence data reflecting a customer’s digital risk footprint is a surprisingly accurate litmus test of a company’s security program efficacy. Think of the digital risk footprint as the security program’s shadow. A company’s digital risk footprint is the enumeration of that organization’s leaked data, credentials, intellectual property, fraudulent domain names, fraudulent mobile applications, vulnerable internet-facing assets and other items that should generally be kept within the enterprise perimeter.

While it is inevitable that, in some capacity, sensitive data is going to leave a corporate network, an effective security program will minimize that outcome and put in place proactive measures to mitigate future and potential risks before they become an issue. An example of this would be the detection and takedown of domain name registrations that are variations on the true corporate domain, often “weaponized” to perform phishing campaigns.

The benefit of measuring a potential acquisition candidate’s digital footprint via threat intelligence is that it is a very lightweight and noninvasive, sometimes undetectable, process. It is also a virtually invisible process, because the data being gathered already exists outside the corporate network and can be easily discovered by those who know where to look (dark web, social media, open web, underground channels, etc.). Best of all, none of this requires the permission of the companies in question, so there is no need to notify them and reveal that they are being considered for acquisition.
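One concrete slice of the footprint described above is the lookalike-domain check. The following is an added example in Python (not the article’s or GroupSense’s code) that enumerates common typosquat variants of a corporate domain and flags which of them appear in a feed of observed registrations; the corporate domain and the feed are constructed for the example.

```python
"""Flag observed domain registrations that are variations on a corporate domain.

Added example; not code from the article or GroupSense. The registration feed
below is constructed inline. In practice it would come from a newly-registered
domain feed, passive DNS or certificate transparency logs.
"""

# Single-character lookalike substitutions commonly seen in lookalike
# registrations (assumed, illustrative list).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
ALT_TLDS = ("com", "net", "org", "co", "info")


def lookalike_variants(domain):
    """Return the set of plausible lookalike domains for a registrable domain."""
    label, _, tld = domain.partition(".")
    labels = set()
    # character omission: examplecorp -> exmplecorp
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])
    # adjacent-character transposition: examplecorp -> examplecrop
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # single homoglyph substitution: examplecorp -> examp1ecorp
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    labels.discard(label)  # the genuine label is not a lookalike
    variants = {f"{v}.{tld}" for v in labels}
    # the genuine label under another TLD is also a lookalike
    variants |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return variants


def flag_registrations(corporate_domain, observed):
    """Return observed registrations that match a lookalike variant, sorted."""
    targets = lookalike_variants(corporate_domain)
    return sorted(d for d in set(observed) if d in targets)


# Constructed sample feed of recently observed registrations.
OBSERVED_FEED = [
    "examplecorp.com",      # the genuine domain, must not be flagged
    "exmplecorp.com",       # omission
    "examplecrop.com",      # transposition
    "examp1ecorp.com",      # homoglyph
    "examplecorp.net",      # TLD swap
    "examplecorporate.com", # not a single-edit variant
    "unrelated.com",
]

if __name__ == "__main__":
    for hit in flag_registrations("examplecorp.com", OBSERVED_FEED):
        print("lookalike registration:", hit)
```

Each flagged domain is a candidate for a takedown request or for blocking in mail and web filters, and the count of hits over time is one measurable signal of how well the target’s own program is policing its footprint.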

This method of assessing a company’s digital risk and security program is ideal for evaluating large numbers of potential acquisition targets, either before or early in the traditional due diligence process. This process can be enhanced to provide real-time monitoring of the candidate throughout the acquisition process to track changes in security health, as well as any leaks related to the transaction as it progresses.

Fast, Easy and Smart

Discovering the potential acquisition target’s exposed data and intellectual property can be a fast and easy way to determine whether or not the acquisition process should move forward. In addition, it can save enormous sums of money in due diligence costs in comparison to a security audit and can avoid the worst-case scenario of a good deal turning bad after the close of the acquisition.

If you are an acquisitive company or an investment bank, you should take a look at digital risk measurement as an early step in the M&A process. It will give you the information you need to determine the overall security health of an organization and the security liability you may need to consider as part of the transaction.


Kurtis Minder

Kurtis Minder is a driven entrepreneur developing new technologies to make the world a better place. He is currently the CEO of GroupSense, an enterprise digital risk management company. Kurtis is also a frequent contributor to the startup community and serves as an adviser and mentor to growing companies. Kurtis has more than 20 years of experience in roles spanning operations, design and business development at companies like Mirage Networks (acquired by Trustwave), Caymas Systems (acquired by Citrix) and Fortinet (IPO). A fun claim to fame: He was instrumental in building an early custom e-commerce system for the artist Prince that enabled him to circumvent his record company and sell music directly to fans online. Kurtis can be reached online at https://www.linkedin.com/in/kurtisminder/ and at www.groupsense.io/.

© 2019 Corporate Compliance Insights