Cybersecurity Red Flags When Acquiring A Company

Cybersecurity Red Flags When Acquiring A Company

March 1, 2019 Business Insurance and Risk Management, The Beacon Blog 0 Comments

Marriott recently suffered a major loss when its recently purchased Starwood division was found to have been breached two years before the acquisition. This should be a learning experience not just for major corporations but for any organization thinking about purchasing another entity with a computer system.

As part of its due diligence a company would want to examine its target’s financials, physical assets, and insurance program for possible red flags. Marriott’s experience shows the need to review their cybersecurity. Stan Lowe of the Forbes Technology Council lists ten red flags to look for:

  1. Missing, weak or poorly documented security practices can signal information assets are poorly protected.
  2. No audit history indicates a poor approach to information management and legal liability in the event of a breach.
  3. Poor inventory tracking – a potential acquisition should have a list of its hardware, software and data assets.
  4. Poor application tracking – the IT department should know their users and what applications they are using.
  5. No defined security boundary. A computer network should be designed with clearly defined security ingress and egress points and boundaries.
  6. Reliance on remote local administration (or for small companies, no controls on remote off-premises devices).
  7. No multi-factor authentication.  Two factor  authentication is considered the bare minimum for security.
  8. Underfunded or undefined security budget.
  9. Lack of architectural discipline. A poorly managed system is vulnerable to a breach.
  10. Poor integration with business processes. Cybersecurity should support the way employees work. Policies should address remote, cloud and mobile access.

The full post is at:

Finally, some thoughts on cyber insurance. If the target company has a “cyber”policy it should include an extended period to report claims made after expiration or cancellation. Major acquisitions (usually but not always over 25% of the acquiring company’s assets) must be reported with full information to underwriters for continuing coverage. Known claims or incidents will be excluded from the acquiring company’s policy.

About the Author

Harry Cylinder

Harry Cylinder, CPCU, ARM has spent nearly fifty years in the insurance industry, the majority of the time as a consultant. He has been employed by The Beacon Group of Companies since 2008, specializing in the review and analysis of property and casualty coverage forms. Mr. Cylinder has been reviewing policy forms as they have evolved over the past decades. In 2008 he published an article in the CPCU Journal which was the first description of cyber insurance coverage for a general insurance audience. Since that time he has regularly written on cyber and other topics for The Beacon Companies’ blog.