TikTok was recently in the news as it was on the verge of being acquired by a U.S. company or a consortium for billions of dollars. What potential cyber risks are there for the acquiring U.S. company? Tons. The wildly popular social media video sharing service is a Chinese company accused of purposefully undermining the security of U.S. citizens, and could potentially be influenced by its foreign government intelligence apparatus. If there were ever a case that exemplifies the need for a bullet-proof merger and acquisition cybersecurity plan, it would be TikTok.
By Matthew Rosenquist, CISO, Eclipz
Although such potentially scandalous deals highlight the security concerns, nowadays every merger and acquisition brings with it many potential digital risks. From small to large, simple to complex, all M&A deals involving technology have cybersecurity baggage and challenges.
Security does not happen by default
Mergers and acquisitions represent a significant risk to organizations, as integration and data sharing can expose assets to confidentiality, integrity, and availability threats. The security team must identify the risks across a broad scope of areas.
Connecting the two networks can open a plethora of new dangers, especially if the acquired network is vulnerable or already compromised, because it puts at risk all of the acquiring company’s digital assets and services. If any of the new personnel, suppliers, partners, or vendors are disgruntled or working on behalf of external parties seeking to gain leverage, there can be serious insider risks. A lack of security, process, oversight, and controls can undermine the value of the acquired assets, diminishing the return on investment. If the integration isn’t done well, valuable assets, including talent, operational stability, and the future generation of intellectual property, can rapidly diminish. If things go sideways, an acquisition can leave the acquiring entity in regulatory non-compliance, bringing with it an erosion of customer goodwill, negative press, lawsuits, legal injunctions, and other serious penalties.
Years ago, I built and led Intel Corporation’s M&A cybersecurity capability and processes. Throughout my career, I have been involved in over one hundred and twenty mergers, acquisitions, divestitures, site closures, and joint ventures. I have published a variety of articles and presentations on this topic, spoken to many audiences, and advised other organizations on best practices.
M&A cybersecurity work is typically frantic, unpredictable, and oftentimes ambiguous. It demands executive sponsorship, strong leadership, great flexibility, and a willingness to rapidly adapt to emerging problems. It can press the boundaries of good security practices and test the mettle of the strongest cybersecurity organizations.
It is often dreaded by traditional security operations folks who are entrenched in the comfort of controlling a consistent, predictable, and structured environment. M&As are chaotic and rarely comply with corporate security policies. It is as much an art as a science when considering the technical, behavioral, and process aspects that must be understood and addressed.
Top 8 Key Learnings for M&A Cybersecurity
1. Security does not happen by default. As the complexities of M&A deals emerge, those involved move aggressively to solve problems. In the rush and pressure, security is often deprioritized in tactical decisions that eventually manifest into strategic issues. Cybersecurity must be involved at the early planning stages and stay engaged until the last closure step is completed.
2. The unwavering support of executive management is crucial. A set of risk objectives must be defined, and the security team should communicate progress and the controls needed to meet those goals. Cybersecurity cuts across every domain of the M&A effort and therefore must be represented on the leadership team.
3. Understanding the value proposition and goals of the M&A is crucial to identifying risks, knowing what to evaluate, and strategically planning the right balance of controls.
4. For acquisitions in regulated industries or involving sensitive intellectual property, profiling the data is key. Knowing what data is involved, its sensitivity, who has logical and physical access to it, and where it is physically located is necessary to ensure regulatory, legal, and IP confidentiality protection.
5. To prevail, both technical and behavioral security considerations must be incorporated into the business transition plan. Neither can be ignored, and in most cases both must be applied to every issue where cybersecurity is at risk. A security-savvy M&A team is the first step to highly effective results.
6. Logical and physical security aspects cannot be separated. Cybersecurity professionals can easily overlook the physical security factors that can jeopardize the confidentiality, integrity, and availability of the business.
7. Great attention must be paid to data retention, transfer, and destruction. “Deal data” can be a vague and changing concept that may be interpreted differently over time, especially in larger transactions. Understanding the scope, expectations, and commitments is a necessity.
8. Managing digital risks requires a community effort. Effective M&A cybersecurity requires a knowledgeable team, good leadership, and broad support to efficiently achieve the stated goals with consistency and comprehensiveness.
The range of tactical issues that an M&A cybersecurity team must understand and explore for each deal is wide and deeply complex. For a quick overview, I published a reference years ago that highlights the most significant Areas of Interest for internal cybersecurity. For acquisitions that include products and services, there are a few more aspects to consider.
The complete presentation of M&A Areas of Interest can be found here: https://www.slideshare.net/MatthewRosenquist/mergers-and-acquisition-security
About the Author
Matthew Rosenquist is the Chief Information Security Officer (CISO) for Eclipz, the former Cybersecurity Strategist for Intel Corp, and benefits from 30 diverse years in the fields of cyber, physical, and information security. Mr. Rosenquist specializes in security strategy, measuring value, developing best-practices for cost-effective capabilities, and establishing organizations that deliver optimal levels of cybersecurity, privacy, ethics, and safety. As a cybersecurity strategist, he identifies emerging risks and opportunities to help organizations balance threats, costs, and usability factors to achieve an optimal level of security. Mr. Rosenquist is very active in the industry. He is an experienced keynote speaker, collaborates with industry partners to tackle pressing problems, and has published acclaimed articles, white papers, blogs, and videos on a wide range of cybersecurity topics. Mr. Rosenquist is a member of multiple advisory boards and consults on best-practices and emerging risks to academic, business, and government audiences across the globe.
All views are personal and attributed to the author(s). The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.