In the past year, we have seen ransomware attacks increase by 437%, and many of these breaches occurred after merger or acquisition announcements. A typical ransomware attack can cost large companies tens of millions of dollars due to ransom demands, loss of revenue, legal fees, incident response costs, hardware/software replacement, and increased cyber insurance premiums. Company owners, CEOs, and boards of directors are now also held personally responsible for the lack of safety oversight after a breach.
Why does M&A activity put the company at risk?
Criminals attack these companies for the same reason people robbed banks in the past: the money is there. If you sell your business to a large company or a private equity firm, they have more resources to pay than if you are a small independent organization without a strong balance sheet. Mergers and acquisitions also create a transition period in which new ownership and management teams are entering or exiting their roles. This transitional phase provides an excellent opportunity for cybercriminals to attack.
How does a ransomware attacker work?
Cybercriminals can use multiple methods to get into a network. Phishing via email is a common and effective one. Once they have the credentials to access the system, they can move around the network and applications to determine where the most sensitive data is. If the target of the attack is an operational technology (OT) system, the attacker's goals may include stealing intellectual property, demanding a ransom, or physical destruction of property.
If it is an intellectual property (IP) attack, they may steal product designs, pricing information, or other sensitive business information, and leave without anyone knowing that there was a breach. In the case of ransomware, they will gain access to sensitive files, encrypt them so that applications and business processes stop working, and require the company to pay a ransom to regain access to the files. In an attack on an OT system, they may tamper with the physical process, as we saw in the Florida water supply facility attack, or disable the security system, as we saw in the TRITON/TRISIS attack.
How do companies avoid cyber attacks in M&A activities?
1. Assess cyber risks during the due diligence process.
This should be a requirement for any company pursuing an acquisition target, to ensure that the target's existing cybersecurity personnel, processes, and technologies work properly and are up to date before the acquisition is finalized and announced. The acquirer should ask the following questions:
- What are the current cyber security control measures?
- Do you have a CISO or an equivalent CISO-as-a-service?
- Is your information security team proficient in detecting and remediating network attacks?
- Is there a process to inform all employees that cybercriminals may target the company’s digital assets?
Having a cyber due diligence process will help determine whether any major gaps need to be fixed before proceeding. The person in charge should ask whether there is a cybersecurity plan and how the plan meets the appropriate standards. A good benchmark to use is the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Controls.
2. Develop an incident response plan.
If you are compromised, knowing the priorities ahead of time allows responders to complete the recovery process faster and with less impact than if you need to figure out what needs to be done within the first 24-72 hours. Create a list of who is responsible for which functions. Usually, simple communication steps are missed during the event, which may lead to the further spread of malware.
Having key system assets and network details documented is another important part of the response plan. A crisis in which you have lost real-time data is not the time to work out whether you can estimate billing. An emergency is not the ideal time to decide whether you can continue to use this system or that one.
3. Don’t treat acquisitions as soft targets.
Please note that cyber attackers may track mergers and acquisitions through public information and then study the level of defense at the acquisition target. It is very simple to work out from the Internet how many information security personnel or what tools the company may have.
If it appears that there are no information security capabilities and limited investment in network security, the company may be the soft target that cybercriminals are looking for. If possible, put all cyber defenses in place before the merger is made public. The press release may feel good, but if the level of network security is below standard, it is best to postpone it until the anticipated acquisition has strengthened its defenses.
This is the bottom line. During the due diligence process, if you find that the acquisition target has underinvested in cybersecurity or has no documented incident response plan, you may want to postpone the completion of the transaction until you determine what resources are needed to mitigate cybersecurity risks within the company, and incorporate that into your negotiation.

