M&A Activity Facing Increased Cyber Threats

In the organized chaos that is Mergers and Acquisitions (M&A) activity today, diligence is often limited to financial benchmarks and infrastructure. Systems, cyber security and the plan for integrating the two companies' systems are often an afterthought in the due diligence process. This can lead to disastrous results.

According to CyCognito, a specialist in external attack surface management and protection, “Organizations overestimate their ability to manage cyber risk associated with their subsidiaries.” In their report, “Managing Risks in Subsidiaries,” they surveyed 19 enterprises with over one billion in combined revenue, along with their subsidiaries, to determine their level of cyber risk. The survey revealed that the more subsidiaries a company has, the greater the risk. The issues stem from several causes, chief among them that the current tools and processes for managing subsidiary risk are inadequate. CyCognito identifies these risks as:

  • Prioritizing compliance at the expense of security.
  • Complex on-boarding processes.
  • Infrequent and lengthy risk management processes that leave too many blind spots.
  • An excess of manual tools.
  • A lag between results and remediation.[1]


From their survey, CyCognito noted several key numbers:

  1. 67% of respondents said their organization had experienced a cyber-attack where the attack chain included a subsidiary or that they lacked the ability or information to rule out that possibility.
  2. 50% of respondents would not be surprised if a cyber breach occurred tomorrow at one of their subsidiaries. Cybersecurity managers had a higher expectation of breach than risk managers.
  3. Enterprises with more subsidiaries are 50% more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries.
  4. Respondents at parent companies with 17 or more subsidiaries were almost twice as likely to say that a subsidiary has been implicated in a cyber-attack chain more than once than at parent companies with 16 or fewer subsidiaries.

These concerns are more than justified, especially given breaches like the one Marriott suffered. In 2018, Marriott was compromised by a trojan horse that was already present in the systems of Starwood, a company it had bought out. In 2015, Starwood had been breached by a smaller virus; had Marriott done its due diligence, it would have spotted the second virus, which was then integrated into Marriott’s systems. [2] Roughly 500 million records were compromised, and Marriott was forced to pay a $23.4 million fine.[3]

Mike Smith, President and CEO of PL Risk, adds, “We insure a lot of Private Equity Companies and we see a significant number of cyber attacks that occur during the early phases of the acquisition process while converting systems, training new employees and integrating the acquisition.”

With Mergers & Acquisitions, it is important to know where the two entities stand with respect to their servers and services. Coordinate what needs to be added, fixed or removed as your companies begin to integrate their systems, so that adequate protection is in place throughout the transition.


[1] https://www.msspalert.com/cybersecurity-news/enterprises-with-multiple-subsidiaries-face-greater-risk-of-cyber-attacks/

[2] https://www.forbes.com/sites/thomasbrewster/2018/12/03/revealed-marriotts-500-million-hack-came-after-a-string-of-security-breaches/#bcebfc5546f4

[3] https://www.itproportal.com/news/marriott-hotels-hit-with-one-of-the-largest-gdpr-fines-to-date/