Corporations large and small have always used acquisitions as a staple of their strategies to enter new markets, gain a competitive edge, and grow faster than they could organically. Similarly, private equity and venture capital firms have a prominent role in our modern economy and operate specifically to find value in acquisitions or investments. While financial and market diligence has always been a fundamental element of the acquisition process, many acquirers continue to place limited scrutiny on the cybersecurity risks and opportunities arising from an acquisition target.
For many, the equation is simple. There is not enough time or money to justify cybersecurity diligence. The cybersecurity landscape is evolving at a rapid rate, and the number of companies that have a firm grip on their network security is low, especially among smaller companies. Further, taking the time to conduct penetration tests, large scale security assessments, or other measures a large organization undertakes over the course of a year to validate its security posture does not work in the world of seemingly always late-breaking acquisitions, where timelines are often measured in days and weeks.
With this in mind, why spend tens or hundreds of thousands of dollars on an added element of diligence that may only slow down a transaction and tell the acquirer what they already assumed?
The answer? It doesn’t have to be that way.
While it is true that many acquisition targets will have limited internal cybersecurity resources, that does not mean that all targets carry the same risk. With the prevalence of web applications and internet property providing core value to so many companies today, the developers and architects behind these assets are defining the security of their companies, even if they don’t realize it. All code is not made equal, and attackers of all sophistication levels dream of the days they can find fundamental flaws in an underlying application supporting a company’s public-facing presence.
Since most attackers are financially motivated, finding these flaws alone isn’t good enough. Next they need to take action to monetize their findings. Attackers will establish persistent network access to slowly skim from financial transactions, install ransomware, or extract sensitive data for resell on the darkweb, all while leaving behind subtle indicators of their presence.
Finding these clues does not need to be a months-long process, and in fact in most cases an external analysis of an acquisition target’s network environment can be completed in less than a week without the acquisition target even knowing the diligence has taken place. Beyond the obvious indicators of compromise, it is possible to learn things like the exact locations of an infection within a company’s network and the nature of the IT infrastructure the company has deployed with a linked understanding of the inherent vulnerabilities the tech stack presents. In larger companies, understanding how security technology has been deployed, how the team is executing its patching protocol, and what shadow IT might exist in the environment are all discoverable in a manner that can be actionable for a deal team in less than a week.
In most cases, this quick cybersecurity review will enable a deal team to move forward with added confidence that there is not a six-to-seven figure surprise waiting for them once the acquisition has closed. Sometimes the findings will allow a deal team to ask hard questions and plan for additional measures as the deal closes. Finally, there are the cases where an actual breach is discovered, and the full scope of a deal changes, as it did very publicly when Verizon acquired Yahoo.
In sum, finding a competent partner that can take advantage of the plethora of data sets and tools that exist in the cybersecurity industry today can enable acquirers big and small, technical and not, to gain actionable insights on acquisition targets, and all at the speed of the deal.