Mergers, acquisitions and breaches: How to evaluate cyber risk for a deal

June marked the anniversary of the Verizon and Yahoo! deal — not that there was anything to celebrate. No company wants an acquisition to end up the way Yahoo! did for Verizon. The massive breach of every single Yahoo! account — over 3 billion in all — contributed to the significant devaluation of Yahoo! for Oath, the subsidiary of Verizon that made the purchase. This devaluation amounted to a writedown of almost $5 billion after the original acquisition price of under $4.5 billion. Talk about adding insult to injury.

While perhaps it’s not always the first thing business leaders think about when discussing a deal, cybersecurity audits are a vital aspect of mergers and acquisitions (M&A). Businesses need to vet companies that they would like to acquire in order to determine their cyber vulnerability, because the buyer ultimately inherits all of the target’s exposures and liability.

However, despite the Verizon-Yahoo! debacle, there is still a gaping hole in the M&A due diligence process when it comes to evaluating cyber risk. A cyber review is just as vital as the financial and employee analysis, but not enough professionals know how to do this diligence on the fast-paced timeframe that deals are conducted.

Here are some actions to consider before engaging or finalizing a deal:

1. Test the network: In the ideal scenario, deal rooms would include a copy of a recent penetration test of the selling company. A penetration test is an authorized simulated cyberattack on a company’s IT system to evaluate weaknesses. It provides an inside-out view of the selling company from the perspective of a criminal actor attempting to breach the network. A team of IT specialists typically conduct these tests to determine the manner in which the selling company manages cybersecurity. From these simulations, the specialists can gather a complete understanding of how data is stored, by who, where, and if this confidential information is vulnerable. As penetration testing may take longer than “deal time” (if a penetration test has not taken place), alternative methodologies such as an external scan also can assist in obtaining a better understanding of the target’s security posture.
2. Evaluate the results: The information collected educates decision-makers on the state of the selling company’s risk management strategy and exposures. These results uncover everything from indicators of poor security hygiene to employee email credentials. The worst thing that a test could reveal is that there is already a malicious actor in the selling company’s network. The test could also reveal weaknesses caused by internet-exposed systems created to support remote workers or third-party vendors. A significant finding could affect the deal size, change the escrow amount, or create a need for a contingency clause on the deal.
3. Protect assets accordingly: The buyer should also consider taking out a cyber insurance policy that covers the combined exposure of the parent company and selling company. If a buyer goes forward with a deal, it is important that they have the right cyber insurance policy in place to cover a breach. When creating a policy, insurance companies evaluate the selling business using an outside-in approach. Unlike a penetration test in which IT specialists are often given access to a company’s internal system, an outside-in assessment consists of a team collecting data from the outside by simulating cyber adversaries’ tradecraft and techniques used to gain information about a target. Key weaknesses that insurance companies notice when underwriting a policy for an M&A are often easily corrected or mitigated with existing security controls. Brokers must work with tech-forward insurance companies to provide businesses with an accurate policy on a very short time frame — “deal time,” which moves at the breakneck pace of a few hours, rather than a few weeks.

As cyber breaches become more impactful and frequent, decision-makers must incorporate a cyber review into their M&A plan. Buyers need to ensure that they approach a deal with an equal understanding of the seller’s financial and cyber risk.

Related: Cyber insurance market update 2019

Shawn Ram (shawn@coalitioninc.com) is the head of insurance at Coalition, a company founded at the intersection of the insurance and cybersecurity industries by a team of insurance, technology and intelligence community veterans. The views expressed here are the author’s own.