In the past year, we've seen a 437% increase in ransomware attacks, with many of those breaches occurring after a merger or acquisition announcement. Typical ransomware attacks can cost tens of millions of dollars for a larger firm due to ransom demands, loss of revenue, legal fees, incident response costs, hardware/software replacement, and increased cyber insurance premiums. Company owners, CEOs, and boards of directors are also now being held personally liable for a lack of security oversight following a breach.
Why Does M&A Activity Put Companies at Risk?
Criminals are attacking these companies for the same reason people used to rob banks: It's where the money is. If you sold a business to a large company or a private equity firm, they have a lot more resources to pay up than if you were a smaller stand-alone organization without a strong balance sheet. M&A also creates a period of transition, where new ownership and management teams are coming into or out of their roles. This transitional phase presents a perfect opportunity for cybercriminals to attack.
How Do Ransomware Attackers Operate?
The cybercriminal could use a variety of methods to get into the network. A phishing attack via email is a common and effective approach. Once they have the credentials to access systems, they can move around the networks and applications to determine where the most sensitive data is. The goals of an attacker may include intellectual property theft, ransom demands, or physical destruction of property if an attack targets operational technology (OT) systems.
If it's an intellectual property attack, they may steal product designs, pricing information, or other sensitive business information and leave without anyone knowing there was a breach. In the case of ransomware, they will obtain access to sensitive files, encrypt them — so that applications and business processes stop working — and demand a ransom payment from the company to regain access to the files. In an attack on an OT system, they could potentially tamper with a physical process, as we saw in the Florida water facility attack, or disable safety systems, as we saw in the TRITON/TRISIS attack.
What Can Companies Do to Avoid a Cyberattack During M&A Activity?
1. Evaluate cyber-risk as part of your due diligence process.
This should be a requirement for any company looking at a target acquisition — to ensure that existing cybersecurity people, processes, and technology are working and up to date before finalizing and announcing the M&A. Acquirers should ask the following questions:
- What cybersecurity controls are currently in place?
- Do you have a CISO in place or an equivalent CISO-as-a-service?
- Is your infosec team well-versed in cyberattack detection and remediation?
- Are processes in place to notify all employees that cybercriminals may be targeting the company's digital assets?
Having a cyber due diligence process will help determine if any significant gaps need to be remediated before proceeding. The people responsible should ask whether there is a cybersecurity program in place and how the program measures up with an appropriate standard. A good benchmark to use would be the NIST Cybersecurity Framework or the Center for Internet Security (CIS) Controls.
2. Create an incident response plan.
If you are compromised, knowing priorities ahead of time lets responders get through the recovery process faster and with less impact than if they need to spend the first 24-72 hours figuring out what needs to be done. Create a checklist of who is responsible for which functions. Often, the simple act of communication is missed during an incident, which can lead to additional spread of malware.
Having asset and network details for critical systems is another important piece of the response plan. In a crisis, you won't have the time to determine if you can do estimated billing when you lose your real-time data. The middle of an emergency is not the ideal time to decide if you can continue to operate with this system or that.
3. Don't present the acquisition as a soft target.
Be aware that cyberattackers may be tracking M&A activity through publicly available information and then researching what level of defense a target acquisition has in place. It's pretty simple to profile via the Internet how many information security people are on staff or what tools the company may have in place.
If it appears there is no infosec function and limited cybersecurity investments, the company may be that soft target cybercriminals are seeking. If possible, have all cyber defenses in place before going public with the merger. That press release may feel good, but if cybersecurity levels are substandard, it might be best to hold off until the prospective acquisition has beefed up its defenses.
Here's the bottom line. During your due diligence process, if you find that a target acquisition has made insufficient investment in cybersecurity or does not have a documented incident response plan, you may want to hold off on finalizing the deal until you can determine what resources are required to mitigate cyber-risk inside the company — and build that into your negotiations.