Expanding our global footprint with Ian Thornton Trump as our first CISO in the UK LEARN MORE >

Services

We’re a selected team of skilled cybersecurity professionals who work as an extension of your IT staff, as well as best-in-class technology to add an additional layer of protection to your organization.

View our Managed Services
Ask About Our Outsourced Cybersecurity Program

Our comprehensive outsourced cybersecurity program leverages advanced technology and expert professionals to enhance your security without the need for in-house capabilities.
 

Learn more

Partners

We collaborate with best in the business to ensure our customers receive the highest levels of care and support. These trusted relationships allow us to better serve and educate our customers.

Regional Partner of the Year Award

Partner of the Year Award

Why Inversion6

With an abundance of solutions and providers, the task of choosing the right option is critical and can sometimes be overwhelming.

industry validation

"Thanks to Inversion6, we now have an established protocol and response procedure whenever incidents are detected. Now, we are able to act immediately to prevent a security event from becoming a larger incident."

Read Full Story

Resources

Our experts are thought leaders in the cybersecurity space. From blogs to publications and webinars, check out these resources to learn more about what’s trending in our industry and how you can stay ahead.

Why Cybersecurity Should Be Driving Your Enterprise Risk Management Strategy

By Christopher Prewitt

Read Article
Latest Inversion6 Press

CISO Craig Burland’s latest byline in Cyber Defense Magazine discusses the importance of accountability in cybersecurity.

View Story
February 5, 2020
By: Jack Nichelson

The Importance of M&A Cybersecurity in Company Acquisitions

M&A cybersecurity is a critical first step when a company is considering an acquisition or if companies will be merging. Learn more about M&A cybersecurity.


Mergers and Acquisitions Are Prime Targets for Cybercriminals

Mergers and acquisitions (M&A) are one of the best ways for companies to achieve their growth goals, both quickly and over the long term. By bringing another organization into their portfolio or combining their efforts, valuations soar, customer bases increase dramatically, and capabilities expand exponentially. 

Historically, M&A was intended to add to what an organization could do or achieve. Perhaps a competitor had a specific product line or service offering. By acquiring that competitor, an organization could instantly take ownership of that company’s market foothold, gain their intellectual property or service lines, and combine these with its own capabilities to command a stronger market share.

And while M&A is nothing new, the focus has now shifted from capabilities (though these are still important) to data. Virtually every organization now operates with significant amounts of data as its foundation. This data is generated en masse each and every day, but with that data and the intent to acquire or merge it with that of another company comes risks. Hackers and other cybercriminals view M&A as an ideal opportunity to breach networks; steal sensitive data; and cause all manner of legal, operational, and financial havoc. 

M&A cybersecurity incidents aren’t decreasing, either. In 2018, several high-profile companies were hacked or experienced data leaks as the result of a merger or acquisition. In each instance, hundreds of millions of accounts and files were compromised. According to a recent Donnelley Financial Solutions/Mergemarket survey, 80% of global dealmakers said they’ve uncovered data security issues in at least one-fourth of their M&A targets in the previous two years.

When incidents like these occur, it can have a significant impact on the terms of the deal, particularly for the target — i.e., the company being acquired. When it comes to acquisitions in particular, the goal of the target is to maintain a certain valuation. This is a goal for the acquirer as well, particularly because the target can influence the acquirer’s stock price and more. But if the target experienced a security breach in the past, or was still in the process of recovering from one, their valuation — and that of the acquirer — can quickly suffer.

For example, Starwood — a major international hospitality organization — was acquired in 2018 by Marriott International. Just a few days after they announced the acquisition, Starwood disclosed a security breach leading back to 2014 in which more than 500 million guests were impacted, resulting in credit card data, passport numbers, loyalty program accounts, and more were all compromised. The result? A 5.6% decrease in Marriott’s share price and, at the time, a potential $200 million fine. 

When Yahoo Was acquired by Verizon in 2017, they disclosed two previous data breaches (500 million accounts and more than one billion accounts respectively), which resulted in the company’s sale price being reduced by $350 million! While the acquisition moved forward, determining how to manage the resulting risks and liabilities was no easy feat — a variety of negotiations and legal parameters were put in place to minimize Verizon’s involvement.

Effective M&A Cybersecurity Starts Earlier Rather Than Later

For many organizations, the decision on when to start a proper cybersecurity posture assessment (i.e., where a company stands in terms of their cybersecurity health) and determination of potential vulnerabilities isn’t always crystal clear. It makes sense to start the process as early as possible, but unfortunately, not every organization — even those that are actively involved in mergers and acquisitions as part of a long-term growth strategy like private equity firms — are able to start as early as they’d like. 

Oftentimes, resources are the leading constraint. A study conducted by Forescout Technologies in early 2019 revealed that only a third of respondents felt they have sufficient time to conduct a cybersecurity assessment of the target’s processes and protocols before their company had moved on to the next acquisition. Among information technology decision-makers (ITDMS), only 37% felt that their teams had the necessary skills to conduct such an assessment.

But when it comes to timeline, this same study revealed that one-third of respondents started their M&A cybersecurity assessments in the late pre-deal phase, with another third starting the process in the pre-announcement and post-announcement phases. For the latter third, the risk of an existing incident being found as well as a new incident occurring increased dramatically, simply because the target’s technology was not reviewed earlier. Slightly less than 40% of respondents said they started the assessment in the M&A strategy step, which is an earlier portion of the pre-deal phase — and the best time to start.

With more and more organizations using M&A as part of their growth strategy, it’s more critical than ever to start this process as early as possible. However, it’s important that M&A cybersecurity assessments continue on well past the pre-deal stage into the integration and post-integration stages. In these phases, the truth of a target company’s cybersecurity strategy and practice will be brought to light — and the acquirer must be prepared to not only address any problems it encounters but also to prevent them from becoming problems in the first place.

In our next post on M&A cybersecurity, we’ll explore six categories that acquirers should consider in the due diligence process. By paying close attention to these six categories, acquirers and their counsel teams can ensure that the acquisition agreement has the most accurate picture possible of the potential cyber risks and vulnerabilities present or that might threaten a target’s security — and subsequently their own.

If M&A is On Your Radar for This Year, Let’s Talk

If your organization is considering acquiring one or more companies this year, or if you’re considering a merger, Inversion6 can assist you in conducting a complete cybersecurity assessment. We’ll help your teams identify potential threats and vulnerabilities present in the target’s systems and develop a plan of action to mitigate those risks. Fill out the form below to get in touch with one of our chief information security officers.

 

Post Written By: Jack Nichelson
Jack Nichelson is a Chief Information Security Officer for Inversion6 and a technology executive with 25 years of experience in the government, financial and manufacturing sectors. His roles have included leading transformation and management of information security and IT infrastructure, data management and more for organizations in numerous industries. Jack earned recognition as one of the “People Who Made a Difference in Security” by the SANS Institute and received the CSO50 award for connecting security initiatives to business value. Jack holds an Executive MBA from Baldwin-Wallace University, where he is an adviser for its Collegiate Cyber Defense Competition (CCDC) team. He is certified in the following: CISSP, GCIH, GSLC, CRISC, CCNP, CCDA, CCNA and VCP.

Related Blog Posts

Let's TALK

Our team of experts in information security, storage, and networking works alongside your team to implement technology solutions that are smart, flexible, and customized to fit your needs. Ready to learn how we can help strengthen your technology environment? Fill out the form below to get started.

TALK TO AN EXPERT