Why aren’t more companies focused on M&A cyber due diligence?

A talk given at RSA this week by Avast’s EVP, GM and CTO Ondrej Vlcek about the attack on and corruption of CCleaner had an interesting twist: the speaker noted that the most important lesson coming out of the episode wasn’t about the incident itself, or even the TTPs the attackers used.

“A big lesson for us was about due diligence,” he says. “When companies do mergers and acquisitions, most of the due diligence is around financials, maybe legal risks, or intellectual property. But I don’t see companies focusing too much on cybersecurity in terms of digging deeper into whether the company has a breach. This certainly changed our process. If we had focused on it during due diligence I’m sure we would have been able to find at least some indication.” (as quoted by Wired magazine)

Interestingly, the WSJ had a recent article highlighting a few cyber due diligence wins. But I think (anecdotally at least) that those are the exception rather than the rule. After speaking with several of my colleagues, I still don’t see a lot of rigor in the cyber component of the overall M&A due diligence process.

One other interesting story that went public in 2016 was Muddy Waters’ public announcement of vulnerabilities in St Jude’s implantable cardiac devices. What made this case more interesting was the timing: the announcement came after Abbott had publicly announced its intention to acquire medical device maker St Jude. The announcement caused a lot of disruption and delayed the process considerably.

So what should an acquiring company do to bolster its cyber due diligence process? We believe that acquiring companies should be trying to answer the following questions:

  1. Is the acquisition target already compromised? This can be determined through a combination of threat intelligence research and technology assessment work.
  2. What is the maturity of the acquisition target’s cyber practices and security program as a whole? Will those practices add short-term risk (defined as < 12 months after purchase) or long-term risk (defined as > 12 months after purchase), and if so, how much? This can be determined through a combination of activities. Assessing the maturity of the target’s security program is the first step, but it’s also important to look at the target’s industry, customer base, and the geographies where it does business, since these shape the threats it is exposed to.

The bottom line is that we’re starting to see more companies talking about and actively practicing cyber due diligence. But this is a paradigm shift for private equity firms and large audit firms, which historically haven’t focused on this issue. Through education and the development of better practices, we should start to see more mature cyber due diligence programs emerge.