Cybersecurity Red Flags When Acquiring A Company
Marriott recently suffered a major loss when its newly purchased Starwood division was found to have been breached two years before the acquisition. This should be a learning experience not just for major corporations but for any organization thinking about purchasing another entity with a computer system.
As part of its due diligence, a company would want to examine its target’s financials, physical assets, and insurance program for possible red flags. Marriott’s experience shows the need to review the target’s cybersecurity as well. Stan Lowe of the Forbes Technology Council lists ten red flags to look for:
- Missing, weak or poorly documented security practices can signal information assets are poorly protected.
- No audit history indicates a poor approach to information management and legal liability in the event of a breach.
- Poor inventory tracking – a potential acquisition should have a list of its hardware, software and data assets.
- Poor application tracking – the IT department should know its users and what applications they are using.
- No defined security boundary. A computer network should be designed with clearly defined security ingress and egress points and boundaries.
- Reliance on remote local administration (or for small companies, no controls on remote off-premises devices).
- No multi-factor authentication. Two-factor authentication is considered the bare minimum for security.
- Underfunded or undefined security budget.
- Lack of architectural discipline. A poorly managed system is vulnerable to a breach.
- Poor integration with business processes. Cybersecurity should support the way employees work. Policies should address remote, cloud and mobile access.
The full post is at: https://www.forbes.com/sites/forbestechcouncil/2019/02/12/dont-buy-a-breach-ten-cybersecurity-red-flags-to-look-for-during-ma-due-diligence/#74a41.
Finally, some thoughts on cyber insurance. If the target company has a “cyber” policy, it should include an extended period to report claims made after expiration or cancellation. Major acquisitions (usually, but not always, those over 25% of the acquiring company’s assets) must be reported with full information to underwriters for coverage to continue. Known claims or incidents will be excluded from the acquiring company’s policy.