
The necessity of security risk assessments during mergers and acquisitions

A security risk assessment is absolutely vital to ensure the strength of the newly integrated security fabric during M&As.

Security assessments and penetration testing are well-established tools for staving off risk. But even when an IT security team believes they have SecOps handled, a merger or acquisition (M&A) introduces unknown variables. M&As are often a monkey wrench thrown into IT security, introducing a foreign environment into the existing network—often on an aggressive timeline.

Integrating multiple IT landscapes tends to be chaotic. The confusion of keeping track of numerous systems and data, as well as incorporating new applications (internally and externally), can strain the company’s infrastructure and IT resources. Vulnerabilities can be easily introduced and overlooked during this time.

The complexity of M&A events means that assessing risks and performing security testing before, during, and after a merger is even more vital than usual to ensure the strength of the newly integrated security fabric.


Why assessing your security posture during M&A is vital to business continuity

The critical role of security risk assessments during mergers and acquisitions was demonstrated in 2016 when Marriott International acquired Starwood Hotels. What Marriott did not know was that attackers had been inside Starwood’s guest reservation database since 2014, two years before the deal, and that they stayed there undetected until 2018.

The consequences of this undiscovered breach included:

  • The exposure of records for roughly 500 million guests worldwide (a figure Marriott later revised down to about 383 million).
  • A fine of £18.4 million (about $22.4 million at the time of writing) imposed by the UK Information Commissioner’s Office (ICO) under the GDPR.
  • An ongoing class action suit on behalf of the customers whose data was exposed.

Another significant case is Verizon’s 2017 acquisition of Yahoo!. Two breaches that Yahoo! had not disclosed to Verizon while the deal was being negotiated came to light before it closed, cut the purchase price by $350 million, and further demonstrated how critical penetration testing is during M&As.

The first breach, from 2014, exposed names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, unencrypted security questions and answers for some 500 million accounts. The second, from 2013, was initially reported at 1 billion accounts and later revised to every Yahoo! account then in existence, about 3 billion. Yahoo! argued that it was not liable because the passwords were protected with the MD5 algorithm (a message-digest, or hash, algorithm). However, by 2017 MD5 had long been obsolete for that purpose: it is a fast digest and was used without a salt, so the hash of any common password can be recovered by a dictionary or brute-force attack on commodity hardware, and its collision resistance had been broken since 2004.
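To make the MD5 point concrete, here is an added example (not code from the original post, from Yahoo! or from OnX) that runs the same dictionary attack against two constructed credential tables: one stored as unsalted MD5 digests, as the text describes, and one stored with a random per-user salt and PBKDF2-HMAC-SHA256. The user names, passwords, wordlist and iteration count are all invented for the example; the point is the difference in attacker cost, measured by counting hash and KDF invocations rather than wall-clock time.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data (not from any real breach): three accounts and the
# passwords behind them. Two of them appear in the attacker's wordlist below.
LEAKED_PASSWORDS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}

# A tiny attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "sunshine"]

# Kept low so the example runs in well under a second; production deployments
# should use a far higher work factor (or a memory-hard KDF such as scrypt/Argon2).
PBKDF2_ITERATIONS = 50_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: the storage scheme the text describes."""
    return hashlib.md5(password.encode()).hexdigest()


def leaked_md5_records(passwords: dict) -> dict:
    """Simulate a dumped credential table stored as unsalted MD5 digests."""
    return {user: md5_hex(pw) for user, pw in passwords.items()}


def crack_unsalted_md5(records: dict, wordlist: list) -> tuple:
    """Dictionary attack against unsalted MD5.

    With no salt, one MD5 per candidate word cracks every account at once:
    the lookup table is built once and reused for all users, so the cost is
    len(wordlist) hashes no matter how many accounts leaked.
    """
    table = {md5_hex(word): word for word in wordlist}
    cracked = {user: table[d] for user, d in records.items() if d in table}
    return cracked, len(wordlist)


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: random per-user salt plus a slow, iterated KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salted_records(passwords: dict) -> dict:
    return {user: pbkdf2_record(pw) for user, pw in passwords.items()}


def crack_salted_pbkdf2(records: dict, wordlist: list) -> tuple:
    """The same dictionary attack against salted PBKDF2.

    The per-user salt defeats the shared table, so every (user, word) pair
    costs a full KDF run of PBKDF2_ITERATIONS HMAC operations. Returns the
    cracked accounts and the number of KDF runs spent.
    """
    cracked = {}
    kdf_calls = 0
    for user, record in records.items():
        for word in wordlist:
            kdf_calls += 1
            if verify_pbkdf2(record, word):
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    weak, md5_ops = crack_unsalted_md5(leaked_md5_records(LEAKED_PASSWORDS), WORDLIST)
    strong, kdf_ops = crack_salted_pbkdf2(salted_records(LEAKED_PASSWORDS), WORDLIST)
    print("unsalted MD5 cracked:", weak, "using", md5_ops, "MD5 computations in total")
    print("salted PBKDF2 cracked:", strong, "using", kdf_ops, "KDF runs of",
          PBKDF2_ITERATIONS, "iterations each")
```

Both schemes give up the two weak passwords, because no hash can protect a password that is in the attacker's wordlist. The difference is the bill: the unsalted table costs six MD5 computations for the whole dump, while the salted table costs one full KDF run per guess per user, and the work factor multiplies each of those by tens of thousands. That gap, scaled to a billion accounts, is why "the passwords were MD5 hashed" was no defence.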

In the aftermath of the Verizon-Yahoo! breach, the SEC issued new guidance on cybersecurity disclosures in 2018, the same year it fined Yahoo!’s successor, Altaba, $35 million for failing to tell investors about the 2014 breach. Under the rules the SEC adopted in 2023, public companies must disclose a cybersecurity incident on Form 8-K within four business days of determining that the incident is “material”.

In both of these catastrophic instances, a security risk assessment and penetration test of the target before the deal closed could have surfaced the intrusions, or at least the weak controls that allowed them, while there was still time to price them in. That is what the two services are for: the assessment exposes where risk is concentrated, and the penetration test shows which vulnerabilities are actually exploitable or already exploited.


The initial steps of effective security assessments

A security assessment analyzes risks to security architectures, security programs, or both. Evaluating security architecture means measuring a company’s infrastructure and security controls against a cybersecurity best-practices framework such as the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

Security program assessments appraise a company’s security policies, and the risks those policies leave unaddressed, against one of the same well-established frameworks. Assessments against both CIS and NIST rely on structured interviews: an assessor walks through every control in the framework with the InfoSec team and examines each control question in detail.

The team then compiles a report of the interview findings that compares the organization’s security fabric to peer companies in the same industry. An additional component of the security architecture assessment is a hands-on test conducted by the assessor against the company’s “gold” workstation and server deployment images, because every system built from a weak image inherits its weaknesses. The results of both are integrated into the final report, giving InfoSec teams a complete picture of their security posture: strengths, weaknesses, and vulnerabilities.


Time-boxed versus continuous penetration tests

Time-boxed tests are a snapshot of an organization’s security posture at one point in time. They are a valuable tool (and a test of the target before closing could have surfaced the M&A worst-case scenarios discussed above). However, because new threats and new configuration drift appear daily, a point-in-time test on its own is no longer considered best practice.

Continuous penetration testing is the current best practice. Rather than a single engagement, it combines ongoing automated scanning with recurring manual testing of what the scanners surface, and it produces periodic reports in a consistent format so that successive results can be compared to show changes over time.

The gold standard of security

Continuous penetration testing is now the best practice because frequent testing quickly reveals vulnerabilities that are accidentally introduced into the IT environment through an M&A. It catches them however the new systems arrive, whether acquired systems are phased in over months or a previously detected vulnerability is remediated in a way that reopens another, and it confirms that earlier fixes have actually held. These efforts can be implemented in-house or through a managed service provider.
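As an added example (not part of the original post and not OnX’s tooling), the script below shows the kind of comparison a continuous testing programme makes between two scan snapshots taken before and after an integration phase, and how that comparison can gate the next phase. The hostnames, findings and severities are constructed for the example; the diff logic is the general technique, not any particular scanner’s report format.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    severity: str


# Constructed sample scan output; hosts and findings are invented for the example.
# Snapshot 1: the acquirer's estate before the acquired subnet was connected.
BEFORE = [
    Finding("corp-web-01", 443, "TLS 1.0 enabled", "medium"),
    Finding("corp-db-01", 1433, "database reachable from user VLAN", "high"),
    Finding("corp-vpn-01", 443, "outdated VPN appliance firmware", "high"),
]

# Snapshot 2: after the first integration phase. One issue was fixed, one got
# worse, and the acquired hosts brought their own problems with them.
AFTER = [
    Finding("corp-web-01", 443, "TLS 1.0 enabled", "medium"),
    Finding("corp-vpn-01", 443, "outdated VPN appliance firmware", "critical"),
    Finding("acq-file-01", 445, "SMBv1 enabled", "high"),
    Finding("acq-legacy-01", 23, "Telnet service exposed", "critical"),
]


def _key(f: Finding) -> tuple:
    # A finding is "the same" across snapshots if host, port and title match;
    # severity is deliberately excluded so that escalations are visible.
    return (f.host, f.port, f.title)


def diff_scans(previous: list, current: list) -> dict:
    """Classify findings as new, resolved, persistent or escalated between two scans."""
    prev = {_key(f): f for f in previous}
    cur = {_key(f): f for f in current}
    shared = prev.keys() & cur.keys()
    escalated = [
        cur[k] for k in shared
        if SEVERITY_RANK[cur[k].severity] > SEVERITY_RANK[prev[k].severity]
    ]
    return {
        "new": sorted((cur[k] for k in cur.keys() - prev.keys()), key=_key),
        "resolved": sorted((prev[k] for k in prev.keys() - cur.keys()), key=_key),
        "persistent": sorted((cur[k] for k in shared), key=_key),
        "escalated": sorted(escalated, key=_key),
    }


def integration_gate(diff: dict, threshold: str = "high") -> list:
    """Findings that should block the next integration phase.

    Anything newly introduced, or worsened, at or above the threshold severity
    is a blocker. Persistent findings that have not changed are tracked but do
    not re-block a phase that was already approved with them known.
    """
    limit = SEVERITY_RANK[threshold]
    blockers = {f for f in diff["new"] + diff["escalated"]
                if SEVERITY_RANK[f.severity] >= limit}
    return sorted(blockers, key=_key)


if __name__ == "__main__":
    delta = diff_scans(BEFORE, AFTER)
    for bucket, findings in delta.items():
        print(f"{bucket}:")
        for f in findings:
            print(f"  {f.severity:<8} {f.host}:{f.port} {f.title}")
    blockers = integration_gate(delta, threshold="high")
    print("phase 2 blocked" if blockers else "phase 2 may proceed",
          f"({len(blockers)} blocking findings)")
```

Keying on host, port and title rather than on the scanner’s own finding IDs keeps the comparison stable across tool upgrades and across the acquirer’s and the target’s separate scanners, which is exactly the situation an M&A creates. The gate is deliberately asymmetric: unchanged findings were already accepted when the previous phase was approved, so only new and escalated findings stop the next one.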

If your company is about to embark on a merger or acquisition, it is imperative to conduct security assessments and penetration tests on both your existing infrastructure and the M&A target’s environment. Despite SEC regulations, an acquired organization may fail to disclose its vulnerabilities, either willfully or because it does not know about them itself. The only way for both parties to know what they are getting into is to rely on security risk assessments and penetration tests before the merger or acquisition closes.

As a trusted third-party security provider, OnX Canada offers best-of-breed information security practices. Our dedicated security testing team provides services ranging from security architecture and security program assessments to continuous testing as a managed service. Questions about security assessments? Get in touch with our team to learn more.