Given the rise in third-party breaches, including successful wide-scale attacks against major technology providers such as SolarWinds and Microsoft, Third Party Risk Management (TPRM) is becoming a critical concern for security teams responsible for securely integrating third-party systems and infrastructure during mergers and acquisitions.

M&A Process Changes

The due diligence process is no longer limited to the traditional concerns of finance, contracts, liabilities, information technology, and key person risk. Cybersecurity is now a major focus of the M&A process.

With limited time to evaluate security risks, firms engaged in mergers and acquisitions must home in on specific areas of cybersecurity, including exposures “outside the firewall,” if they are to identify and mitigate the risks associated with their investments.

Here are 6 focus areas M&A firms should evaluate in their due diligence process:

1. Security Engineering and Operations Management
Maturity levels vary between organizations, but a moderate-sized company lacking contemporary security controls, such as identity and access management (IAM) or a vulnerability management system, is a red flag that larger issues may exist. Investors and firms should be aware of this.

2. Vulnerability Management
Many organizations still lack an effective vulnerability management capability and struggle with asset inventory, configuration and release management, and timely patching.

3. Endpoint Security Management
An effective endpoint security solution must match the sophistication of the threats targeting a business. End-user systems and devices are a primary vector attackers use to gain initial access to corporate networks.

4. Network and Data Access Management
Effective network and data access management is a challenge for companies small and large, increasingly so with geographic expansion and today’s remote workforces. Legacy network architectures still plague many organizations.

5. Incident Response Management
Organizations often lack incident response management capabilities and struggle with integrating emerging technologies, enhanced monitoring, and the establishment of playbooks and processes.

6. Adversary Emulation
Adversary emulation assessments and red teams are effective tools for testing security controls and evaluating existing threat detection capabilities. Due to resource constraints, small and medium-sized businesses tend to rely on external vendors, with inconsistent results.

Goliath Cyber is here to help evaluate cybersecurity prior to any of your mergers and acquisitions, lessening the potential negative impact poor cyber hygiene can have on a business acquisition.
