2022 M&A Cyber Checklist
The mergers and acquisition process in 2022 is not going to be business as usual, at least not with respect to cyber considerations.
The cyber threat environment is so serious and there are so many new cyber aspects companies need to consider in M&A that we have developed the Leader’s Edge 2022 M&A Cyber Checklist to help ensure the “biggies” get considered.
Issue: Hybrid Workers
In M&A due diligence, it is important to evaluate how and where employees work and what the plans are for returning to offices versus working remotely. Cyber-security controls must be adjusted to accommodate a mobile workforce. Many workers want to work part-time in satellite offices instead of commuting to headquarters, and co-working spaces are gaining popularity in residential neighborhoods and urban areas. Some satellite offices and remote locations also rely on satellite internet connectivity, a newer frontier in cyber security that may leave data less protected and make tracking and tracing cyber criminal activity more difficult.
M&A due diligence must evaluate all working environments and ensure that the networks are secured, communications are encrypted, mobile devices are enrolled in a mobile device management (MDM) solution, and appropriate configuration settings, policies and procedures are in place so that workers can operate securely from home, a satellite office, a co-working space, or the main office. There should also be an evaluation of the administrative, physical and technical controls (including monitoring) in each working environment to ensure that company data are not more vulnerable in one environment than in another.
Issue: Mobile Device Threats
Mobile devices are now a work tool in their own right and are no longer used just for phone calls and checking email or texts. More than three quarters of tech professionals say they rely on at least four applications on their phone. Two thirds of companies already have a bring your own device (BYOD) policy, and according to a recent report from Zimperium, a further 11% are considering adding one this year, which would bring BYOD adoption to roughly three quarters of companies.
Attacks on mobile devices are rising as attackers learn to exploit the mobile software ecosystem. The Zimperium report states that about a quarter of mobile devices were infected with malware last year and 13% had data intercepted in machine-in-the-middle (MITM) attacks. Most alarming, Zimperium reported a 466% increase in zero-day attacks on mobile devices in 2021.
M&A due diligence should include an evaluation of mobile device usage, whether an MDM technology is deployed, what applications are used, and what data are accessed. In addition, if strategic or confidential information is accessed or stored on phones, a review should check for protections against spyware.
Issue: Patching
Patching software is not a new topic, but it is more important than ever because of (1) “zero-click” attacks that exploit known vulnerabilities to enter a system and deposit malware without any user interaction and (2) a significant increase in zero-day exploitation. Rapid7’s “2021 Vulnerability Intelligence Report” found twice as many zero-day attacks in 2021 as in 2020, and the average time from disclosure to known exploitation fell from 42 days in 2020 to 12 days in 2021. In practice this means twice as many unplanned, out-of-cycle patches to apply, and far less time to apply them: more than half of the vulnerabilities in the report were exploited within a week of disclosure.
Patching can be a burden, especially for small and midsize businesses, but it is also a struggle for large organizations because of the sheer number of devices that need to be patched, especially when they are not all online when the patch goes out. M&A reviews of cyber-security programs should take a close look at patching processes, in particular patches issued outside the regular cycle and patches to non-Microsoft software. (Microsoft releases its patches on a regular monthly cycle, known as Patch Tuesday, which helps companies make sure all available patches are applied; non-Microsoft software may require manual patching if no patch-management tool is in use.) Cyber criminals target vulnerabilities in popular non-Microsoft applications precisely because those applications tend to stay unpatched longer when patching is delayed.
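The concrete check a reviewer can run against the two gaps named above (out-of-cycle patches and non-Microsoft software) is a patch-latency measurement. The following is an added example, not code from the article or from any vendor tool: it takes a patch log and reports, per bucket, how much of it was applied within seven days of vendor release, the window that matters given that more than half of the vulnerabilities in the Rapid7 report were exploited within a week. The record fields, hostnames, vendors and dates are constructed for illustration and would be replaced by an export from the target’s patch-management tool.

```python
"""Patch-latency check for M&A due diligence.

Added example (not from the article): given an export of the target's patch
log, measure how quickly patches were applied relative to vendor release,
split by Microsoft vs. non-Microsoft and regular vs. out-of-cycle, because
those are the two gaps the checklist asks reviewers to look at. The record
fields and the sample data below are assumptions/constructed for illustration;
map them onto whatever the target's patch-management tool exports.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# 7 days: more than half of the vulnerabilities in Rapid7's 2021 report were
# exploited within a week of disclosure, so this is the window that matters.
SLA_DAYS = 7


@dataclass(frozen=True)
class PatchRecord:
    host: str
    vendor: str               # "Microsoft" or a third-party vendor name
    product: str
    released: date            # vendor release date of the fix
    applied: Optional[date]   # None means still unpatched
    out_of_cycle: bool        # emergency fix vs. the regular monthly cycle


def bucket_name(rec: PatchRecord) -> str:
    """Group by the two axes the checklist cares about."""
    vendor = "Microsoft" if rec.vendor == "Microsoft" else "non-Microsoft"
    cycle = "out-of-cycle" if rec.out_of_cycle else "regular"
    return f"{vendor}/{cycle}"


def latency_days(rec: PatchRecord, as_of: date) -> int:
    """Days from vendor release to application; unpatched hosts accrue until as_of."""
    return ((rec.applied or as_of) - rec.released).days


def summarize(records: Iterable[PatchRecord], as_of: date,
              sla_days: int = SLA_DAYS) -> Dict[str, dict]:
    """Per bucket: counts, share applied within the SLA, and worst latency."""
    buckets: Dict[str, dict] = defaultdict(
        lambda: {"total": 0, "within_sla": 0, "unpatched": 0, "max_days": 0})
    for rec in records:
        b = buckets[bucket_name(rec)]
        days = latency_days(rec, as_of)
        b["total"] += 1
        b["max_days"] = max(b["max_days"], days)
        if rec.applied is None:
            b["unpatched"] += 1          # an open exposure, not a slow patch
        elif days <= sla_days:
            b["within_sla"] += 1
    for b in buckets.values():
        b["pct_within_sla"] = round(100.0 * b["within_sla"] / b["total"], 1)
    return dict(buckets)


def flag_buckets(summary: Dict[str, dict], min_pct: float = 80.0) -> List[str]:
    """Buckets a reviewer should dig into: low SLA compliance or anything unpatched."""
    return sorted(k for k, b in summary.items()
                  if b["pct_within_sla"] < min_pct or b["unpatched"] > 0)


# Constructed sample data (hostnames, vendors and dates are illustrative only).
AS_OF = date(2022, 4, 30)
SAMPLE_RECORDS = [
    PatchRecord("fin-01", "Microsoft", "Windows Server", date(2022, 3, 8), date(2022, 3, 10), False),
    PatchRecord("fin-02", "Microsoft", "Windows Server", date(2022, 3, 8), date(2022, 3, 14), False),
    PatchRecord("hr-01", "Microsoft", "Windows 10", date(2022, 3, 8), date(2022, 3, 22), False),
    PatchRecord("mail-01", "Microsoft", "Exchange Server", date(2022, 3, 22), date(2022, 3, 23), True),
    PatchRecord("kiosk-07", "Adobe", "Acrobat Reader", date(2022, 3, 8), date(2022, 4, 5), False),
    PatchRecord("dev-03", "Oracle", "Java SE", date(2022, 1, 18), None, False),
    PatchRecord("app-02", "Apache", "HTTP Server", date(2022, 3, 14), date(2022, 3, 29), True),
    PatchRecord("vpn-01", "Cisco", "AnyConnect", date(2022, 4, 12), date(2022, 4, 14), True),
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS, AS_OF)
    for name, b in sorted(summary.items()):
        print(f"{name:28} n={b['total']} within_{SLA_DAYS}d={b['pct_within_sla']}% "
              f"unpatched={b['unpatched']} worst={b['max_days']}d")
    print("review:", flag_buckets(summary))
```

Unpatched hosts are counted separately rather than folded into the latency average, because an open exposure of 100 days is a different finding from a patch that landed on day nine. The 80% threshold in `flag_buckets` is an illustrative choice; the point is that the non-Microsoft and out-of-cycle buckets are reported on their own so they cannot hide behind a healthy Patch Tuesday number.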
Issue: Network Segmentation
Network segmentation can be one of the best defense mechanisms an organization has, but it is often overlooked. It divides the network into “rooms” that only authorized users and systems can enter; typical rooms include point-of-sale systems, guest wireless, financial and HR systems, and operational technology (OT) and industrial control systems (ICS).
“If a network is segmented, the reviewer should check the authentication process for users and their entire access authorization process,” notes John Cavanaugh, president of Internet Infrastructure Services Corporation. There are also technical considerations, such as the firewalls and their configuration settings. “A firewall in front of each segment will check the traffic coming into the room and must be configured properly,” he notes. Firewalls can also restrict which ports are reachable between segments and inspect packets so that only authorized users and well-formed traffic cross from one room to another.
Any discussion of segmentation brings to mind the 2013 Target breach, which was so serious in part because the network was not adequately segmented: attackers who got in through a third-party vendor’s access were able to move laterally across the network to the point-of-sale systems and exfiltrate payment card and personal data on Target customers. M&A due diligence should include an evaluation of network segmentation and the firewall and access configurations that enforce it.
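Segmentation on a diagram is only as good as the rule base that enforces it, so the useful due-diligence check is to evaluate the exported rules rather than trust the architecture slide. The following is an added example, not code from the article or from any firewall vendor: it models an ordered first-match rule list, probes every pair of “rooms” on a few ports, and reports flows that are permitted but not in the intended policy. It shows an as-found rule base with two common mistakes (a broad guest-to-internet allow ordered above the internal deny, and a corp-to-POS allow on every port) beside a corrected one. The segment names, CIDRs, rules and intended policy are constructed for illustration.

```python
"""Segmentation reachability check.

Added example (not from the article): model a target's inter-segment firewall
policy as an ordered first-match rule list, probe every segment pair on a few
ports, and report flows that are allowed but not in the intended policy. The
segments, rules and intended policy below are constructed for illustration;
a reviewer would load the real rule base exported from the target's firewalls.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # destination TCP port, None = any
    action: str           # "allow" or "deny"


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Optional[Rule]:
    """Stateless first-match evaluation, the common firewall semantics."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r
    return None


def allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    r = first_match(rules, src_ip, dst_ip, port)
    return r is not None and r.action == "allow"   # no match = implicit deny


Flow = Tuple[str, str, int]  # (source segment, destination segment, port)


def segmentation_findings(rules: List[Rule], segments: Dict[str, str],
                          intended: Set[Flow], ports: List[int]) -> List[Flow]:
    """Flows between distinct segments that the rules permit but policy does not."""
    # One representative host per segment (the first usable address).
    rep = {name: str(next(ipaddress.ip_network(cidr).hosts())) for name, cidr in segments.items()}
    findings = []
    for src in segments:
        for dst in segments:
            if src == dst:
                continue
            for port in ports:
                if allowed(rules, rep[src], rep[dst], port) and (src, dst, port) not in intended:
                    findings.append((src, dst, port))
    return findings


# Constructed segments: the "rooms" from the text.
SEGMENTS = {
    "guest_wifi": "10.50.0.0/16",
    "pos": "10.10.0.0/24",
    "corp": "10.20.0.0/16",
    "finance_hr": "10.30.0.0/24",
    "ot": "192.168.100.0/24",
}
INTENDED: Set[Flow] = {("corp", "finance_hr", 443), ("corp", "pos", 443)}
PROBE_PORTS = [22, 443, 3389]

# As-found rule base: two classic mistakes. The guest "to the internet" allow
# sits above the deny for internal ranges, so guests reach every internal
# segment on 443; and corp -> POS is allowed on any port, not just the app port.
RULES_AS_FOUND = [
    Rule("10.50.0.0/16", "0.0.0.0/0", 443, "allow"),
    Rule("10.50.0.0/16", "10.0.0.0/8", None, "deny"),
    Rule("10.20.0.0/16", "10.30.0.0/24", 443, "allow"),
    Rule("10.20.0.0/16", "10.10.0.0/24", None, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# Corrected rule base: internal denies first, then narrowly scoped allows.
RULES_FIXED = [
    Rule("10.50.0.0/16", "10.0.0.0/8", None, "deny"),
    Rule("10.50.0.0/16", "192.168.0.0/16", None, "deny"),
    Rule("10.50.0.0/16", "0.0.0.0/0", 443, "allow"),
    Rule("10.20.0.0/16", "10.30.0.0/24", 443, "allow"),
    Rule("10.20.0.0/16", "10.10.0.0/24", 443, "allow"),
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

if __name__ == "__main__":
    for label, rules in (("as found", RULES_AS_FOUND), ("fixed", RULES_FIXED)):
        flows = segmentation_findings(rules, SEGMENTS, INTENDED, PROBE_PORTS)
        print(f"{label}: {len(flows)} unintended flows")
        for f in flows:
            print("  ", f)
```

Run as is, the as-found rules yield six unintended flows (guest wireless into every internal room on 443, and corp into POS on 22 and 3389), while the corrected rules yield none. Probing one representative host per segment is enough to expose ordering and scope mistakes like these; a full review would also cover NAT, stateful return traffic and any management interfaces that bypass the segment firewall.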
Issue: Critical Infrastructure Sectors
Critical infrastructure sectors are particularly at risk for nation-state attacks or serious ransomware attacks because the disruption of their systems can seriously impact civilian populations. Since the Russian invasion of Ukraine, governments around the globe have warned organizations to be on high alert and to improve their cyber-security controls. M&A involving a critical infrastructure company should pay close attention to the maturity of its cyber-security controls against best practices and standards, backup and recovery process, incident response plan and testing, and risk transfer strategy.
Agents and brokers have a special role to play in helping clients in the 16 sectors the U.S. government designates as critical infrastructure ensure that their M&A targets have adequate cyber insurance and other coverage that could be triggered in a cyber attack. In particular, they can advise their clients on war exclusions and hostile act exclusions and help them understand whether the language in their policies covers cyber attacks involving nation-state or hostile actor activity.
Following the NotPetya attacks in 2017, which were blamed on Russia, and subsequent litigation over whether insurance claims could be excluded based on the war or hostile act exclusions, the insurance industry has begun to tighten war exclusion language. In early 2022, Lloyd’s of London released four versions of cyber war and cyber operation exclusion clauses, with varying levels of coverage. Some carriers are doing the same. The use of independent cyber insurance lawyers to review policies as part of M&A due diligence is not just smart—it is essential.
Issue: Incident Response Plans
M&A due diligence must include a thorough review of the target’s incident response plan (IRP) and testing that has been conducted. If an organization does not have a well-developed IRP that is capable of guiding the organization through a multipronged attack scenario, it is not prepared. Plus, this gap may indicate that incidents have occurred that were not detected or properly documented. This should trigger a closer review of whether prior incidents have occurred.
In addition, the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours; the obligation takes effect once CISA’s implementing regulations are final, so due diligence should confirm that the target is tracking that rulemaking. Defense contractors already have cyber incident reporting obligations under DFARS clause 252.204-7012, including rapid reporting of cyber incidents to the Department of Defense within 72 hours of discovery and notification of the contracting officer.
M&A due diligence should check whether privacy and cyber-security compliance requirements, such as reporting and breach notification, have been implemented in the IRP. “Of the many areas that can be examined in M&A due diligence, the IRP plan and the activities surrounding incident response are some of the most important and should be addressed at the start of the due diligence, not at the end,” notes Roland Trope, of Trope and Schramm and co-editor of Cybersecurity Due Diligence in M&A Transactions, published by the American Bar Association.
Information technology underpins nearly all business operations. It is important to understand the maturity of the target company’s cyber-security program and the risks and consequences of cyber attacks on its operations. Again, this checklist is not intended to encompass all cyber due diligence activities, but it is intended to draw attention to the most important activities where insurance agents and brokers can assist their clients in managing M&A risk.