Why Cybersecurity is Crucial for M&As

Luis Guzmán
May 10, 2022

Data privacy and breach risks are blind spots that take many merger and acquisition efforts by surprise. Breaches are frequently discovered after the fact, costing the acquiring or acquired company heavily.

An oft-quoted example is Verizon’s discovery of a prior data breach at Yahoo! after the deal was signed. This breach resulted in hundreds of millions of dollars being knocked off the purchase price. Penalties and fraud charges cost Yahoo! more than another hundred million dollars on top of that. It turns out a breach like that is not an uncommon thing when an acquisition happens.

(ISC)², an international non-profit association for security leaders, reports from a survey of M&A respondents that:

  • 77% of M&A experts have preferred acquisition targets based on their cybersecurity programs.
  • 49% of respondents indicated that they had witnessed a merger or acquisition agreement fall through as a result of unreported data breaches.
  • 52% of respondents indicated that the share value of publicly-traded clients has been negatively affected as a result of an acquired company’s data breach.

And according to another study, by Forescout, 65% experienced buyers’ remorse, regretting the deal because of cybersecurity concerns.

Access policies, tooling, infrastructure, and related activities typically undergo rapid changes during an M&A, leaving the companies involved unusually exposed to risk. In an increasingly cloud-reliant business world, cybersecurity is no longer the logistical afterthought it used to be with M&As. It can now make or break an acquisition.

Security factors during an M&A

There are multiple levels of information security in an M&A process. The most common include:

1. Physical and network security: Access-policy changes to resources, firewalls, VPN access, ID badges, etc. tend to get implemented hastily by overworked IT staff.

2. Data security: Concerns surface around employee and client data, storage mechanisms, migration, and data loss or corruption during integration.

3. Application security:

  1. Security logic is often written into application logic. When an M&A happens, it introduces fresh use-cases to regression-test and penetration-test across stacks.
  2. This can be mitigated with thorough architectural reviews and security audits, especially when implementing SSO solutions.
  3. Even if the parties don’t implement an explicit SSO, the use of off-the-shelf third-party identity services (like Google or Facebook) necessitates a thorough audit to make sure access permissions and associated data don’t spill across application contexts.

4. Compliance: The merging entities often have varying compliance levels and conform to different standards and governing bodies (NIST, FIPS, PCI DSS, HIPAA, etc.).

5. Data consolidation: Conflicts and redundancy arise when merging user information, an activity that is often vulnerable to human error.

Best practices

A lot of data and security breaches in an M&A can be avoided by having the right processes in place. Here are a few recommended practices for more secure M&As:

Technology concerns

  • Physical assessment of network devices, workstations, and remote connectivity mechanisms
  • Adherence and audit of secure SDLC processes
  • Assessment of vendor tools
  • Threat modeling and architectural risk analysis by a team of security experts
  • Application penetration testing across devices and locations including mobile clients
  • Business and process integration, especially around tools, intranet access, shared context, and SSO wherever possible
  • Leverage in-house or external AppSecOps and DevSecOps teams to chart assessments, audits, plans, and mitigation strategies for gaps that will surface.
  • Have the team ensure any data migration or unification happens in testable, traceable steps that can be rolled back in phases.
  • Build tooling that provides mechanisms to debug and fix discrepancies, and test those tools and processes with staging data before starting any migration on real data.
  • Give IT, AppSec and DevSecOps teams ample time and resources to plan and execute well before, during and after an M&A.

What is the Purple Book Community?

The challenges that AppSec poses under a DevSecOps approach can only be solved by initiating a cultural and mindset shift. People need to be enabled to adopt DevSecOps in its true spirit. This is where the idea of the Purple Book Community came about.

This is especially important in the context of an M&A, as multiple entities with different standards and strategies for AppSec and DevSecOps come together to make an M&A successful. A strong process mindset curated by security experts provides a foundation where other experts from across the table can speak the same language.

The Purple Book Community comprises top security thought leaders and practitioners. Initially, it brought together 29 industry experts to write a comprehensive book about DevSecOps, AppSec, and product security concerns, best practices, and case studies. This book will be offered free of charge for the benefit of the broader community. The community is composed of seasoned security executives who understand the need to accelerate product innovation without compromising security posture.

How can the Purple Book Community help?

The book, as well as any other content that the community creates, provides actionable guidelines and playbooks showing how businesses can steadily add robust layers of security by adopting DevSecOps. It helps companies accelerate their processes by learning from practitioners who have been there and done that. The content of the book will be kept current by leaders who will write blogs and publish podcasts regularly.

Cybersecurity challenges are evolving every day to become more sophisticated. It’s important to have equally sophisticated experts on your side to decode the threats and keep your business safe. And the Purple Book Community is built to do just that.

The Purple Book Community acts as your support system and guide as you figure out your business framework and implement those key processes to fulfill the promises of DevSecOps.

Participate in the community!

The community meets twice a month to talk about the latest developments in the industry, network with each other, share best practices, decode major attacks, and build long-lasting bonds. To know the latest updates and participate in events, check out the community’s LinkedIn page.

AppSecOps Solution Architect, ArmorCode