Cybersecurity Due Diligence: Cyber Threats and External Growth Operations
According to a survey published by Allianz Global Corporate & Specialty in 2022, 57% of the professionals surveyed (including CEOs and risk managers) consider cybersecurity risks (ransomware, data breaches, exploitation of vulnerabilities, etc.) to be the main concern for companies in terms of risk management. This sits within a reality in which companies are increasingly interconnected and interdependent while facing a growing number of cyberattacks, whether targeted or opportunistic.
The risks associated with an external growth operation [1] are closely tied to this reality. Mergers and acquisitions, strategic alliances, and even commercial relationships with suppliers or subcontractors can all widen an organization's attack surface, bringing to the fore a category of risk that has only recently been taken into account: cybersecurity risk.
This risk now concerns a wide audience: not only IT security teams, but also executives and board members who are accountable to shareholders, suppliers, customers and trusted third parties.
By their very nature, external growth operations share a common characteristic: their success or failure is likely to have a lasting effect on the company's viability. Since such projects are never risk-free, companies must take appropriate measures before committing to the counterparty.
The processes surrounding these operations are well established in accounting and contractual matters: their validation is typically supported by traditional control tools such as audits and due diligence (third-party verification), in order to ensure that the business is sound and to minimize exposure to legal, financial, ethical or operational risk.
By definition, due diligence procedures result in assessments of the specific risk induced by the relationship that exists, or is planned, with a third party. Among other things, Article 17 of the French Sapin II law made third-party due diligence a legal obligation intended to prevent corruption and influence peddling. The fourth industrial revolution now makes it necessary for decision-makers to extend due diligence assessments to the cyber risks that arise during a business partnership.
Mergers and Acquisitions and Cyber Threats
In practice, it can already be difficult for a company to master the security of its own information system: protecting itself against data leaks, managing the vulnerabilities identified on its network, or keeping out malicious actors attempting to infiltrate internal networks.
When two companies merge, the scale of this problem and the resulting workload for IT and security departments increase significantly. A merger brings to light differences in the level and maturity of information system security between the two entities, as well as operational differences that need to be harmonized, while interconnections still have to be built. The resulting weakness takes the form of greater exposure: the combined company can become an easier target for cyberattacks.
The massive Marriott Hotels data breach disclosed in 2018 highlighted the need for companies to pay particular attention to cybersecurity during their external growth processes. The hotel group stated at the time that its reservation system had been compromised, exposing the personal data of 339 million customers, including, for some of them, payment card numbers.
The attack triggered an internal investigation which established, through forensic analysis, that the network of its subsidiary Starwood had been compromised in 2014, when Starwood was still a separate company. Marriott acquired Starwood in September 2016 for $12.2 billion, but nearly two years later the former Starwood hotels had still not been migrated to Marriott's reservation system and continued to rely on Starwood's legacy IT infrastructure.
During the investigation, Marriott discovered data that the attackers had encrypted and were attempting to remove from Starwood's systems. In November 2018, the company decrypted this data and acknowledged that it contained information on roughly 339 million customer records.
Although zero risk does not exist, the fact that the intrusion went unnoticed for almost two years after the acquisition highlights, among other things, the need for companies to apply strict controls during a merger and acquisition process.
Third-party management and cyber threats
Similarly, cybersecurity risk factors remain insufficiently examined before a business relationship is established between two parties. Many companies now outsource certain activities to subcontractors or suppliers in order to gain a competitive edge. Yet a study by the Ponemon Institute and SecureLink indicates that 51% of the professionals surveyed say their organization does not evaluate the security and privacy practices of all third parties before granting them access. The study also found that organizations are not taking adequate measures to mitigate third-party risk, thereby exposing their networks to security and compliance risks. As a result, 44% of the organizations surveyed had suffered a breach in the previous 12 months, and 74% of those stated that it resulted from granting too much privileged access to third parties.
Supply chain risks
Beyond mergers and acquisitions, cyber risks to the supply chain and to suppliers have multiplied, as they become the target of increasingly sophisticated cyberattacks.
By granting service providers or suppliers access to confidential data and information, and potentially interconnecting information systems, companies take on a new level of responsibility and risk. Attacks targeting the least secure links in the supply network are just as effective for attackers, because they offer discreet entry points into networks and bypass the security measures implemented by the end target. The impact of these rebound attacks (also called island hopping) can be considerable and potentially disastrous for customers and businesses alike.
While headline attacks such as SolarWinds or, more recently, Colonial Pipeline attract attention, quieter supply-chain-related data exposures pose a major risk to businesses of all sizes. The unintentional exposure of data, whether business or technical, by a partner can be enough for a malicious actor to identify an attack vector against its target. Development environments are a case in point, notably on the GitHub collaborative platform, and they attract particular attention from attackers. The platform hosts a wide range of projects developed by IT service providers who inadvertently publish sensitive data (credentials or configuration files, for instance) in public repositories. These publicly visible projects catch the eye of malicious actors and give them the opportunity to launch attacks directly against their target.
This shows that however well secured a company's own information systems may be, it is not immune to a cyberattack that comes through an external weakness.
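To make the point concrete, here is an added example (it is not code from the original article nor Intrinsec's tooling) of the kind of check a due diligence team can run over a snapshot of a partner's public repository: a small Python scanner that combines signature patterns for well-known credential formats with a Shannon-entropy check for random-looking tokens. The repository contents, the `.example` hostnames and the password values are constructed for this illustration; the AWS values are the placeholder credentials from AWS's own documentation, not live keys.

```python
"""Added example, not Intrinsec's tooling: scan a snapshot of a partner's public
repository for credentials that were inadvertently committed.

Two complementary checks are combined, because neither is sufficient alone:
  - signature regexes for well-known formats (AWS access key IDs, PEM private
    key headers, quoted password assignments, URLs carrying basic-auth credentials);
  - a Shannon-entropy check on long base64-like tokens, which catches secrets
    that have no recognisable prefix (for example an AWS secret access key).
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Signature patterns. The key-ID and PEM formats are published; the password
# and basic-auth patterns are heuristics and will miss unquoted values.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret)\s*[:=]\s*['\"]([^'\"\s]{6,})['\"]"),
    "basic_auth_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@[^\s/]+", re.I),
}

# Base64-alphabet runs of at least 20 characters are candidates for the entropy check.
TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}")
ENTROPY_THRESHOLD = 4.0   # bits per character; random base64 scores well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_tokens(line: str, threshold: float = ENTROPY_THRESHOLD) -> list[str]:
    """Return the random-looking tokens on a line (likely API keys or secrets)."""
    return [t for t in TOKEN.findall(line) if shannon_entropy(t) >= threshold]


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, finding kind) for each suspicious line.

    Signatures take precedence; the entropy check only runs on lines that
    matched no signature, so a single line yields at most one finding.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kind = next((name for name, rx in PATTERNS.items() if rx.search(line)), None)
        if kind is None and high_entropy_tokens(line):
            kind = "high_entropy_token"
        if kind is not None:
            findings.append((path, lineno, kind))
    return findings


def scan_repo(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan an in-memory snapshot {path: contents}; a real run would walk a checkout."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample repository. The AWS values are the placeholders from AWS's
# documentation, not live credentials; hostnames use reserved .example names.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_HOST = 'db.internal.example'\n"
        "DB_PASSWORD = 'hunter2-prod!'\n"
    ),
    ".env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "GIT_REMOTE=https://deploy:s3cr3t@git.partner.example/app.git\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "<key material omitted in this constructed sample>\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Run `make deploy` to push to staging.\n",
}

if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}")
```

On the sample, the access key ID is caught by its `AKIA` prefix while the secret access key, which has no prefix, is only caught by the entropy check; the reverse also holds, since the key ID is too short and too regular to exceed the entropy threshold. Commit history, not just the current tree, should be scanned in a real engagement, because a secret that was "removed" in a later commit is still retrievable.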
Direct and indirect consequences
After an attack comes the time of reckoning. This type of attack leads to direct costs, such as fines, legal fees and even rebuilding costs, and to indirect costs, which include damage to reputation with customers and partners.
The Marriott incident cost the group dearly, both financially and in terms of reputation. The company's share price fell when the breach was disclosed, and numerous lawsuits were filed. Attorneys general from all 50 states and the District of Columbia, the Securities and Exchange Commission (SEC), and committees of the U.S. Senate and House of Representatives, among others, launched investigations. In October 2020, the company was fined £18.4 million (about €21.5 million) by the UK's Information Commissioner's Office (ICO). The penalty was based on the ICO's finding that Marriott had failed to implement appropriate technical and organizational measures to protect the personal data processed on its systems, as required by the GDPR.
The elements developed above therefore highlight the importance, for any company, of analyzing, understanding and taking into account the cyber risks associated with an external growth operation.
It is true that the cost of anticipating and managing these risks can represent a significant investment, particularly for smaller businesses. However, the Marriott case confirms that executives have a duty to assess cybersecurity risks, especially during an acquisition, and that failing to do so could expose them to liability in the event of a cyberattack.
The threats to mergers and acquisitions, as well as to the supply chain, mean that organizations must strengthen their ability to adopt a proactive and preventive stance against cyberattacks. They now have a responsibility to assess the situation and implement preventive measures against compromise through a partner.
The goal is to ensure that the proposed merger with a target represents more of an opportunity than a risk. A preliminary analysis of the target company lays the groundwork for a more stable business partnership. It also serves as a form of anticipation, identifying future challenges and, where necessary, the remediation plan to implement.
Due Diligence & Cyber Threat Intelligence
Cyber due diligence is gradually emerging as a key tool for assessing and detecting risks within these external growth processes.
Implementing a robust cybersecurity strategy that involves continuous monitoring of a company's environment relies on cyber intelligence, known as Cyber Threat Intelligence: the collection, through OSINT or HUMINT means, of any technical cybersecurity elements that could affect an organization. This information is used to identify, prevent and respond to cyber threats (malware, phishing, ransomware attacks, hacktivism and other emerging threats). For example, if a large proportion of a company's professional accounts appear in credential databases circulating on the dark web, the company can reassess its password policy or its strategy for discouraging the use of professional accounts in the private sphere.
Due diligence and Cyber Threat Intelligence (CTI) thus provide the resources needed to monitor the specific threats to a company's key assets and sector. They make it possible to analyze attack methods in light of the cybersecurity trends relevant to a target entity's profile.
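As an added example (not Intrinsec's service or the article's own code), here is how a CTI team might triage a leaked-credential dump to answer the questions raised above: which professional accounts are exposed, which were used to register on external sites, and whether the leaked passwords would even satisfy the company's password policy. The dump lines, the corporate domain `example-corp.com`, the breached-site names and the policy thresholds are all constructed and hypothetical.

```python
"""Added example, not Intrinsec's code: triage a constructed credential dump to
measure an organisation's exposure, as in the CTI use case described above.

The questions answered for the assumed corporate domain:
  - which professional accounts appear in the dump at all;
  - which of them were used to register on external (non-corporate) sites,
    i.e. professional accounts used in the private sphere;
  - which leaked passwords would not satisfy the assumed password policy;
  - which accounts reused the same password on more than one site.
"""
from __future__ import annotations

import re
from collections import defaultdict

CORPORATE_DOMAIN = "example-corp.com"   # hypothetical target organisation
MIN_LENGTH = 12                          # assumed policy: 12+ chars, 3 of 4 classes

# Constructed dump in the common "email:password:source" layout. Passwords
# containing ':' are not handled; the malformed last line is there on purpose.
DUMP = """\
alice@example-corp.com:Summer2021!:forum.gaming-site.example
bob@example-corp.com:bob12345:shop.retail-site.example
alice@example-corp.com:Summer2021!:dating-site.example
carol@gmail.com:carol_pw_99:shop.retail-site.example
dave@example-corp.com:Tr0ub4dor&3-Long:vpn.example-corp.com
malformed line without separators
"""


def parse_dump(text: str) -> list[tuple[str, str, str]]:
    """Return (email, password, source) triples, skipping lines that do not parse."""
    records = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3 or "@" not in parts[0]:
            continue                     # tolerate junk rather than abort the triage
        email, password, source = (p.strip() for p in parts)
        records.append((email.lower(), password, source.lower()))
    return records


def meets_policy(password: str) -> bool:
    """Assumed policy check: minimum length and at least three character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(1 for c in classes if re.search(c, password))
    return len(password) >= MIN_LENGTH and present >= 3


def assess(records, domain: str = CORPORATE_DOMAIN) -> dict:
    """Summarise the exposure of the accounts belonging to `domain`."""
    corporate = [r for r in records if r[0].endswith("@" + domain)]
    external = defaultdict(set)                # email -> external sites it was registered on
    sources_by_credential = defaultdict(set)   # (email, password) -> sites where it leaked
    violations = set()
    for email, password, source in corporate:
        if not source.endswith(domain):
            external[email].add(source)
        sources_by_credential[(email, password)].add(source)
        if not meets_policy(password):
            violations.add(email)
    reused = {email for (email, _), sites in sources_by_credential.items() if len(sites) > 1}
    return {
        "corporate_accounts_exposed": sorted({e for e, _, _ in corporate}),
        "external_registrations": {e: sorted(s) for e, s in external.items()},
        "policy_violations": sorted(violations),
        "password_reuse": sorted(reused),
    }


if __name__ == "__main__":
    report = assess(parse_dump(DUMP))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Dividing `corporate_accounts_exposed` by the size of the directory gives the proportion the paragraph refers to; `external_registrations` isolates the accounts that were used on third-party sites, and `password_reuse` flags the accounts to reset first, since a password leaked from one site and reused elsewhere is the typical credential-stuffing entry point.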
Turning risk into a source of opportunity
To reduce the uncertainty associated with an external growth operation, organizations can draw on cyber intelligence knowledge and tools to ensure that the merger with a target company is not a risk but a source of opportunity.
For a company pursuing an external growth project, the value of cyber due diligence lies in obtaining the most accurate possible picture of the counterparty, together with a risk assessment, in order to make the best possible decision.
Although threat analysis is often seen as a burden, the direct and indirect consequences of a potential cybersecurity breach at a third-party entity can cost far more than assessing the cybersecurity risks of an acquisition. Furthermore, the significant increase in regulatory pressure over the past decade is forcing companies across all sectors to exercise due diligence in managing their IT infrastructure (including subsidiaries) and in selecting their third-party partners.
Customers and consumers are also concerned about the proper handling of their personal data. A B2C company operating in the retail sector, for example, would therefore benefit greatly from applying these procedures when partnering with a supplier, since it will want to project a flawless image in the area of personal data protection and, by extension, GDPR compliance. Regularly assessing the digital environment of suppliers and/or service providers allows companies to maintain a relationship of trust with their clients.
In short, cyber due diligence now appears to be a substantial means of creating value and ensuring the success of an external growth operation.
Intrinsec supports you in your external growth operations
The precautionary principle that tends to guide societies therefore imposes on decision-makers an underlying obligation to control cyber risks during an external growth process.
Intrinsec's Cybersecurity Due Diligence services allow us to support you in your operations (both ongoing and retrospective) by providing an assessment of the third party's digital exposure, together with a proposed strategy for reaching the expected level of compliance.
With a team of competitive intelligence analysts and technical experts, our approach consists in putting ourselves in the shoes of an attacker, or of an actor seeking sensitive information for the purpose of economic espionage. To do this, our Cyber Threat Intelligence service uses all the technical tools at our disposal to detect and analyze weak signals in the information available on the various layers of the web (surface, deep and dark web).
Furthermore, the sensitive elements detected during a Cybersecurity Due Diligence CTI analysis, conducted by our analysts from the outside, have the advantage of identifying the entry points that malicious actors could exploit. In the context of an acquisition or the evaluation of a subsidiary, Intrinsec leverages the operational complementarity of its various departments. This allows the client to consolidate and protect the security of its information systems through penetration tests, internal security audits or even Red Teaming.
So, whether you are looking to acquire a company to boost your growth, contract with a strategic partner, or understand the market presence of a service provider, supplier or subsidiary, our tools ensure that you obtain the information needed for the current or future relationship to be a source of opportunity.
[1] External growth operations are understood here as any operation that brings two companies together: mergers and acquisitions, joint ventures, or even commercial relationships (between suppliers, subcontractors and contractors, etc.).
