What Cyber Questions Should the Board Ask Prior to an Acquisition?
Verizon and Marriott International, each a leader in their respective industries, completed acquisitions over the past few years. Both companies are presently facing significant liabilities due to security breaches that occurred prior to their acquisitions. The security breaches went undetected for several years and were not identified during the acquisition due diligence process.
A company’s cyber security posture warrants a thorough vetting given the prevalent use of technology by companies to conduct their everyday business. Additionally, many companies rely on third parties for their operations; these third parties may have connectivity to the company’s systems and are an additional threat vector that must be carefully considered. As we have seen with the Verizon and Marriott acquisitions, the acquired companies (Yahoo! and Starwood Hotels, respectively) were not aware that a compromise had occurred until several years later. One can infer that, because the compromises went undetected for an extended period of time, there was a continuing lack of oversight and responsibility by management. This leads one to question who was responsible for that oversight and failed, and what other processes and technologies were in place and not properly managed. Is there anything the Board could have done during the due diligence process to uncover these gaps in controls or at least raise red flags as a potential security risk?
During an acquisition, a traditional due diligence process is usually conducted by a corporate attorney and/or committees assigned to different subject areas, such as finance or operations. As for technology, due diligence should not end once the boxes have been checked that information security policies and procedures are in place and that the controls have been audited by an independent third party; that type of documentation is validated as of a certain date, whereas the security risk is continuous. Due to the numerous endpoint threat vectors that could be used to compromise the company’s systems, continuous monitoring should be included in the due diligence process, as well as other security tools that a cyber security expert would be able to advise on and utilize as part of a security risk assessment.
There are many security issues to consider depending on the product or service the company is offering, the data it collects and stores, and the technology used. In any acquisition due diligence process, the Board should ask that cyber security subject matter experts be engaged as part of the process to ensure a thorough vetting of the security risk. Just as accountants and lawyers are engaged as subject matter experts to analyze the financial and legal risks associated with an acquisition, the significant risk that cyber security poses warrants engaging a subject matter expert as well.