Cybersecurity no longer merger afterthought

As little as four years ago, only about a third of companies considered cybersecurity when planning a merger. Today, that percentage has flipped


Review existing contracts for cybersecurity issues

A merger and acquisition could also be an opportunity for both companies to renegotiate existing vendor contracts to include better cybersecurity provisions, Coleman added.

"It does open the door," he said.

For example, it's not enough to have a single, initial security audit -- customers need to be able to review security of their vendors, and their vendors' vendors, on an ongoing basis, and contracts need to reflect that.

One specific type of vendor contract that will almost certainly be affected by a merger or acquisition is a company's cybersecurity insurance policy, which will now need to cover a larger operation, and possibly a larger and more diverse set of risks.

Odds are that the cybersecurity insurance policies at the two merging companies are not the same. In fact, some companies don't have any cyberinsurance in place at all, said SANS Institute's Pescatore.

Plus, in some cybersecurity insurance policies -- as with other types of insurance -- preexisting conditions are excluded, which makes pre-merger due diligence even more critical.

"So, in an acquisition, you have to get your legal people to review the terms of the policies," said Pescatore.

Questions to ask

What is at risk and how is it protected?

The company being acquired probably has at least some sensitive data, such as employee records and customer data, said Rambaud.

"If you are purchasing a healthcare organization, you might have health records, or some secret sauce intellectual property," he said.

Then look at the controls around that information, and at whether the organization is protecting it correctly.

"But also look at the governance, culture and operations, not just the technology," he said. "People look at the technology stack -- you've got the antivirus, the firewall, intrusion detection -- but the fact that you have the stuff doesn't mean that you use the stuff well, and understand the environment in which those things are evolving."

Have people in sensitive positions had background checks?

"If I'm buying a company and that company did not do background investigations on people with administrative privileges, that should be considered a risk," said Pescatore.

During a merger, and especially during a hostile takeover, employees may be under a lot more stress than normal.

"If people at the acquired company are fired or laid off, then they may leave code bombs that may go off later," said Pescatore.

If there's tension, a more rigorous cybersecurity inspection may be necessary.

Is there sensitive information floating around the Internet or the Dark Web that could indicate that the company has been compromised, or continues to be compromised?

"That could be problematic, and could change the valuation," said Coleman. "And it could impact not just the valuation of the business, but could compromise the underlying reason why you're buying that business."

Similarly, the digital footprint of the management team should be investigated to see whether they have been exposed.

This story, "Cybersecurity no longer merger afterthought" was originally published by CSO.


Copyright © 2016 IDG Communications, Inc.
