Cyber Threats Targeting Mergers and Acquisitions

Recommendations

Info

Other historical cases and risks Further evidence of a company experiencing increased cyber risks during the M&A process was demonstrated during the Marriott Corporation acquisition of Starwood Group in 2015. On November 16, 2015, the Marriott Corporation announced that it was to acquire the Starwood Hotels Group (including Sheraton, Westin, W, and Sheraton Four Points). On November 20, 2016, Starwood released a statement that it had been the victim of a point-of-sale malware breach. Third-party assessment of this acquisition questioned whether the Marriott Corporation had sufficiently probed this as a potential threat vector, as well as what impact the disclosure of this breach would have to Marriott. A note by Ernst & Young (EY) on the changes to IT infrastructure and processes resulting from mergers and acquisitions further highlights this type of risk. The note states that a proposed acquisition by a foreign organization had to be postponed indefinitely when it came under government scrutiny due to concerns that some of the software used by the acquiring company could expose the target company to “unacceptable cyber risks.” 2 This reinforces the concern that inherited infrastructure and software can represent a threat. Internal threats are another serious consideration for companies going through an M&A process. Reports have cited challenges to information security during M&A due to the perception by employees of an increased likelihood of redundancies or undesirable change. Employees are a demonstrable risk when disenfranchised. For example, on February 24, 2015 it was reported that an IT manager had used their access to an ex-employer’s servers to erase data (some of which was intellectual property). 3 Furthermore, a former employee of Gucci was charged for erasing data from and shutting down the servers of Gucci after having been fired. 6
3. Steps of the Merger/Acquisition Process While evidence shows that corporate espionage is alive and well, and that actors have been successful in infiltrating many organizations with novel and indirect approaches, it’s important to understand where in the standard M&A process attacks can occur, and why. Figure 1 - The merger and acquisition process. While each merger or acquisition process will have its own nuances, all tend to follow the five broad stages illustrated in Figure 1. The following sections provide an overview of the cyber threats an organization is likely to face at each of these five stages. Preparation for acquisition and/or valuation The first identifiable stage of the process is the preparation for the acquisition or valuation of an organization. At this point, even though an official announcement has not been made, an organization is already vulnerable to threats. The potential buyer and the seller are both potential threat vectors. Organizations may take steps to make themselves more appealing to deal makers – perhaps through activity such as a second round of funding or other business decisions. Keen financial analysts may draw conclusions for themselves based on this activity, examples of which can be seen in public news posts such as Fortunes’ Term sheet blog, or as a result of inadvertent data leakage on social media or blogs. Sensitive information need not be explicit, however. As Figure 2 demonstrates, company-published job postings to sites such as LinkedIn looking to hire someone with M&A experience, or a person that would typically lead or be involved in the process such as a corporate development executive, can be a clue that M&A activity is in the offing. 7
Page 1 and 2: Cyber Threats Targeting Mergers and
Page 3 and 4: Executive Summary Global merger and
Page 5: 2. Associated threat actors While c
Page 9 and 10: Marketing Marketing plays an import
Page 11 and 12: Conclusion There is demonstrable ev
Page 13 and 14: 6. Standards and Compliance • Lis

Cyber Threats Targeting Mergers and Acquisitions

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?