Corporate Compliance Insights

M&A Process Changes: Assess Digital Risk Before You Make That First Call

Acquirers Ignore the Obvious in Cybersecurity Due Diligence

by Kurtis Minder
April 30, 2020
in Cybersecurity, Featured

For many prospective acquirers, the due diligence process involves laborious, costly tech and policy audits that often extend beyond the deal close, rather than looking for the target’s digital risk and exposure. GroupSense CEO Kurtis Minder discusses this much easier (and obvious) approach.

Information and cybersecurity audits are a fundamental part of the M&A due diligence process. Given the impact of a breach on potential valuation, market acceptance, public relations and brand value, the security posture of a business being considered for an acquisition is a key element in understanding the liability, risk and value of the business.

The most famous case where a data breach dropped a stink bomb into the whole M&A process was when Verizon was in talks to acquire Yahoo! In this case, it was actually two data breaches, impacting more than 3 billion user accounts, which were disclosed during acquisition negotiations. Ultimately it caused Yahoo! to decrease its sale price by $350 million while also taking on responsibility for 50 percent of any damages resulting from subsequent litigation.

As damaging as the Yahoo! data breaches were, Verizon was fortunate to find out about them before they closed the deal so they could revise the acquisition price. This usually does not happen, often due to acquirers not prioritizing vigorous cybersecurity assessments as part of the M&A process. The norm is for data breaches and other security and compliance issues to be discovered after the fact, once the acquiring company’s personnel have the time and resources to really take a look at the acquired company’s infrastructure.

A vivid example of this “after the fact” surprise was the recent Marriott breach, during which the company learned that the systems of an acquired company, Starwood, were compromised at the time of the deal. Bloomberg Intelligence estimates that the damages caused by regulatory fines ($123 million for GDPR alone) and remediation costs will be approximately $1 billion, or 8 percent of the $13.6 billion deal, or roughly the equivalent of Starwood’s annual profits at the time of the acquisition. While this is the most recent headline-grabbing example of a good deal gone bad, it is hardly the only one. According to a Forescout survey of 2,700 IT decision-makers, 65 percent reported that their companies had experienced buyer’s remorse after an acquisition due to cybersecurity issues discovered after the close.

If Only…

Cybersecurity has been an afterthought for some acquirers because of the time, cost and effort required to do a full assessment of a company’s systems, processes and risk profile. This process can involve countless person-hours, surveys, compliance checks and scans of devices and network elements. It also typically involves a third-party consulting organization, legal teams and various disclosure documents that are sensitive to the business. This heavy-handed approach can slow down deals and cause acquirers to either bypass it altogether or wait until the acquisition process is far enough along to justify the spending in time, money and resources. However, as we see the damage security issues can cause to deals, it would be best for companies to understand the severity of any issues early in the process – or even before they begin. (Some issues can be so bad that acquirers should not even waste their time and money in opening discussions.)

Additionally, for institutions that are evaluating multiple companies for acquisition and are at an early stage in the process, it is not only too cumbersome and expensive to attempt to do a traditional security assessment for each company, it is also risky: They might not want the target companies to know they are being considered for acquisition.

If only there was a way to evaluate the security and compliance postures of target companies in a way that is efficient, cost-effective and private. Well, it turns out there is: Use targeted threat intelligence to look outside the company for signs of security vulnerability and compromise.

The Digital Risk Footprint Tells All

I have long argued that cyber intelligence data reflecting a customer’s digital risk footprint is a surprisingly accurate litmus test of a company’s security program efficacy. Think of the digital risk footprint as the security program’s shadow. A company’s digital risk footprint consists of the enumeration of that organization’s leaked data, credentials, intellectual property, fraudulent domain names, fraudulent mobile applications, vulnerable internet-facing assets and other items that should generally be kept inside and within the enterprise perimeter.

While it is inevitable that, in some capacity, sensitive data is going to leave a corporate network, an effective security program will minimize that outcome and put in place proactive measures to mitigate future and potential risks prior to them becoming an issue. An example of this would be the detection and takedown of domain name registrations that are variations on the true corporate domain, often “weaponized” to perform phishing campaigns.

The benefit of measuring a potential acquisition candidate’s digital footprint via threat intelligence is that it is a very lightweight and noninvasive, sometimes undetectable, process. It is also a virtually invisible process, because the data that is being gathered already exists outside the corporate network and can be easily discovered by those who know where to look (dark web, social media, open web, underground channels, etc.). Best of all, none of this requires the permission of the companies in question, so there is no need to notify them and reveal that they are being considered for acquisition.

This method of assessing a company’s digital risk and security program is ideal for evaluating large numbers of potential acquisition targets, either before or early in the traditional due diligence process. This process can be enhanced to provide real-time monitoring of the candidate throughout the acquisition process to track changes in security health, as well as any leaks related to the transaction as it progresses.

Fast, Easy and Smart

Discovering the potential acquisition target’s exposed data and intellectual property can be a fast and easy way to determine whether or not the acquisition process should move forward. In addition, it can save enormous sums of money in due diligence costs in comparison to a security audit and can avoid the worst-case scenario of a good deal turning bad after the close of the acquisition.

If you are an acquisitive company or an investment bank, you should take a look at digital risk measurement as an early step in the M&A process. It will give you the information you need to determine the overall security health of an organization and the security liability you may need to consider as part of the transaction.


Tags: Data Breach, Due Diligence, Mergers and Acquisitions

Kurtis Minder

Kurtis Minder is a driven entrepreneur developing new technologies to make the world a better place. He is currently the CEO of GroupSense, an enterprise digital risk management company. Kurtis is also a frequent contributor to the startup community and serves as an adviser and mentor to growing companies. Kurtis has more than 20 years of experience in roles spanning operations, design and business development at companies like Mirage Networks (acquired by Trustwave), Caymas Systems (acquired by Citrix) and Fortinet (IPO). A fun claim to fame: He was instrumental in building an early custom e-commerce system for the artist Prince that enabled him to circumvent his record company and sell music directly to fans online. Kurtis can be reached online at https://www.linkedin.com/in/kurtisminder/ and at www.groupsense.io/.
