Only a few years ago, if a technology company had suffered a hack or data breach, my recommendation probably would have been to not touch it with the proverbial ten-foot pole. These days, given the recent well-publicized hacks of companies like Target, Home Depot and Anthem (companies that have huge IT security budgets), that advice seems too simplistic.
If even the largest companies are vulnerable, you probably shouldn’t automatically refuse to acquire a company that has been victimized. In this article, I’ll discuss a framework to determine how heavily to weigh a previous hack or a data breach during M&A IT due diligence.
There are four major areas of investigation that I believe can lead to a reasonable decision.
First, you need to understand exactly what occurred. A standard IT due diligence request list should start the process by asking if the company has ever suffered a hack, data breach or other system intrusion. If the answer comes back in the affirmative, you’ll have many more questions to ask.
You’ll have to determine how critical the compromised IT function is to the operation of the business. While a hack is an important concern for every business, for some businesses it is far more serious than for others.
The unfortunate reality is that credit card data breaches are occurring on a regular basis. There’s so much mass media publicity around this issue that, in my opinion, the general public has become fairly immune to them. Yes, a hacked company’s customers must endure the inconvenience of changing credit cards and monitoring their credit reports for identity theft attempts, but they largely give the hacked company a pass. Over the long term, there may not be a significant impact on the business.
On the other hand, consider the recent Ashley Madison episode. Obviously, in that company’s line of business, privacy of customer information is the top priority, and it remains to be seen how well the company will be able to recover.
You’ll need to consider for your target company whether the fact that a hack occurred at all is a deal killer.
Why did it happen?
If you get past the first question and are still considering the acquisition, the next step is to determine why the hack occurred.
You’ll want to determine if IT best practices were in place. Did the target company have a proper multi-layer security infrastructure, including firewalls, antivirus software and intrusion detection systems? Were those components maintained properly, including prompt application of software patches and operating system updates? Were company systems being monitored for security vulnerabilities by a competent third party on a regular basis (ideally at least daily)? Had any other security audits examined the infrastructure?
Even if all of the right things were being done, there are still reasons a hack could occur.
A company could be the victim of a "zero day" vulnerability. Once a security-related software defect becomes widely known, there is still a window during which a hacker can exploit the defect before the operating system or other affected software can be patched by its manufacturer. The same applies to new computer viruses that don’t match an existing signature or a general behavioral profile, and for which a fix must be developed, tested and deployed by an antivirus company.
If the company was the victim of a social engineering attack, the fault may not lie with IT at all.
The target could also have been the victim of an "inside job." For example, if a system administrator simply provided login credentials to an accomplice, the company could be remotely compromised without the intrusion necessarily being detected, although monitoring should still be able to identify unusual volumes or patterns of activity.
If you’re comfortable that the company had a competent and comprehensive IT security plan in place, you can move on to the next question.
How was it addressed?
Recent security lapses demonstrate that hacks and data breaches will be an ongoing threat. This means that any well-prepared company should have a response plan in place.
How did the target company identify that a hack had occurred? Some hacks are obvious – the website is defaced or no longer operates. Others are more insidious. The Anthem hack earlier this year was only discovered when a system administrator noticed his account actively downloading data when he knew it shouldn’t be. A company with a good IT security plan in place shouldn’t be the victim of a long-term data breach.
A good data breach response plan should include the following features:
- A list of people on the response team
- A requirement to keep detailed records of every remediation step taken
- Immediately disconnecting / shutting down affected systems
- High level steps to identify causes of the attack, including contact information for related vendors and consultants
- Contingency plans for notifying customers and law enforcement, as appropriate
How did your target company react when the hack occurred? Did the response follow a plan or was it improvised?
The most important step is ensuring that the vulnerability that was exploited is eliminated. Some hackers leave themselves a back door that can be used even after the original security hole is patched. Sometimes the only way to be sure that all traces of an attack have been removed is to acquire new systems and rebuild everything from the ground up.
A good practice for the response plan is to include an outside expert. They may have seen the problem before, and in any case will be less emotionally involved – the people who allowed the hack to occur may not be the best ones to determine that it’s resolved.
Did the target have cybersecurity insurance in place? This can pay for the costs of addressing the hack, notifying customers of the breach, providing customers with credit monitoring, etc.
How will it be prevented in the future?
If after further investigation you’re comfortable that the company did everything reasonably possible to prevent a hack and responded to it appropriately, then the final area you’ll want to be comfortable with is how future hacks will be prevented.
Are there any additional procedures or security levels that can be put in place?
Is someone responsible for monitoring the cybersecurity industry for new developments and techniques?
If the company previously had an annual detailed security assessment, maybe quarterly would make sense going forward. "White hat" hackers can be hired to proactively probe the company’s IT security in a more thorough manner than automated monitoring can provide.
If the company doesn’t provide regular training to its employees on IT security issues and social engineering, it’s relatively inexpensive to implement and can be a wise investment.
Dedicated IT security personnel may be necessary. Many companies have recently introduced a role along the lines of "Director of IT Security." In any case, you’ll want to take an objective look at the competence of the IT staff and be sure you have the right team in place going forward. If the target company has already made the decision on their own to invest in more expertise, that’s a positive sign.
A previous hack or data breach at a target company is no longer an automatic deal breaker in IT due diligence. A thorough investigation of the incident, along with a review of the underlying causes and the company’s response, can help you make a reasoned determination as to whether the issue should prevent the deal from closing.