Cybersecurity should be a consideration for both the buyer and the seller in the transaction process. Sabrina Serafin, FD Partner and National PRG Practice Leader, interviews Patrick Kelley, Chief Technology Officer of Critical Path Security. Patrick explains how companies can successfully navigate the data security assessment aspects of due diligence to achieve a successful merger.
Culture of Compliance: Cybersecurity Challenges: Data Protection in the M&A Process
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina Serafin: Welcome to Frazier & Deeter’s Culture of Compliance podcast series, where we discuss compliance as a competitive advantage in today’s marketplace. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk, and Governance practice.
Today, we’re happy to welcome Patrick Kelley, the chief technology officer of Critical Path Security, a company focused on helping mid-sized companies increase awareness of information security issues and enhance their security posture.
Today, we’d like to discuss security in relation to due diligence during the merger and acquisition process. Patrick, I know you regularly speak on the topic of cybersecurity, but can you give us some background about where that focus came from for you?
Patrick Kelley: Yes. Over the last 20 years, I’ve spent the majority of that time working with companies to understand cybersecurity and how it applies to business risk. That’s been my goal over that time: to find efficient and innovative ways for companies to increase their security posture, reduce their risk, and in ways make their companies more efficient.
Sabrina: We’re excited to have you here today. Our firm works with many mid-sized businesses and most at some point consider an ownership change, so this is a topic that’s really relevant to our listeners. We wanted to look at this topic both from the perspective of the buyer and the seller.
So first, let’s look at buy side. Assuming that we have listeners who are considering an acquisition, talk to us about some of the questions they should be asking as they consider whether the target company is really a match for them.
Patrick: There are a lot of components that go into mergers and acquisitions, especially for a company that’s looking at doing an acquisition. First and foremost, there are cultural and technical challenges that come along when you’re marrying two different organizations together. I also find that companies that are doing the acquiring generally have a greater maturity and a stronger security posture than the company that’s being acquired, and this could be for multiple reasons.
So, the questions they should really ask are: was the company operated at the same maturity level, or close to it, as the company that’s making the acquisition? Are there some synergies between the technology teams when it comes to lining these things up? Do they have the skill set required and the same topology set they’re using? That’s what’s going to make it possible to glue these two totally different companies together in a way that they can move forward in lockstep.
Sabrina: Do you have some examples that you can share with us?
Patrick: I think a company that’s going to go into an acquisition process, especially if the company is doing the acquiring, they have to make sure that they understand exactly what they’re getting. If we look at Starwood Marriott, they had some particular challenges that have led us in the same challenges that are organizations; some of those were previous breach behaviors that were inside the organization.
Four years prior to the actual merger and acquisition process, they suffered a data breach. As we go forward through the processes in doing the acquisition, it appears that they didn’t do proper due diligence and due care, and that leads into did they do a proper asset catalog? Do they know exactly what they’re picking up from servers and data and where that sensitive data lived? Have they gone through and looked at previous audits in a way that would give them full disclosure into exactly what they were acquiring?
You fast-forward quickly through the process of acquisition and we find that Starwood was breached again. Unfortunately, at this point in time, that breach also spread into Marriott too and it led to some significant challenges. The last I looked, the dollar amount associated with the class action suits was larger than the total amount that Marriott paid to acquire Starwood. So, when we look at these situations, we understand that third-party relationships can bring some of these threats and bring some of these problems to bear, which is what happened if Starwood was outsourcing the managed IT and managed security roles to a third-party vendor instead of doing that internally.
We wonder if they truly had a champion or someone internal that was driving these initiatives to not only continue as a business, but to make sure that the user data that they were protecting and leveraging inside the organization was being properly secured. I think we can look now and empirically say that that didn’t happen. In the course of four years, they suffered two data breaches and then remnants from the original data breach were still in place, which tells us that Starwood wasn’t really doing proper due diligence and due care before they were acquired, and then when Marriott picked them up, they didn’t go in and do proper investigation into what they were picking up as well.
We move forward in time and since those things weren’t addressed properly at the outset before a letter of intent was shipped, we know that now that breach spread to Marriott and it was a breach that contained information that we had not really seen up to that point in bulk release. It was passport photos, driver’s licenses, allergies, preferences when they stayed, who they stayed with; there’s a lot of really sensitive information that just went farther than your typical social security number or credit card. So, this is where we start looking at how third-party relationships kind of lean in and how not doing that proper due diligence and due care at the outset will cause problems.
Additionally, we look at Home Depot, which suffered a breach due to third-party vendors. We look at Target, whose breach came in through a third-party vendor. I think it’s imperative that when an organization decides that they’re going to do an acquisition, you have to look at the policies and procedures that are in place in the organization that’s being acquired. You have to make sure that those things are actually being enacted and they’re being executed on a day-to-day basis.
You have to understand exactly what you’re acquiring, because the days of us going in and acquiring a company and not having such a large cybersecurity component are very much in the taillights and they’re way in the past now. If we’re not looking at these things intelligently and truly understanding how these things collide, I think we’re going to find some significant problems not just in the acquired company, but in the company that’s doing the acquisition.
Sabrina: Excellent examples, and examples that are widely understood by the marketplace. How would you suggest an acquiring organization provide comfort or test discreetly, particularly at a time when a lot of the activity is not necessarily public?
Patrick: That’s a great question because it’s a tough question, and it’s one that we’ve spent a great amount of time thinking on here at Critical Path. People are the most important part of an acquisition, from the fact that you’ve got to bring them on to keep the company moving forward through that process. Additionally, you don’t want employees that come to understand that there’s an acquisition in place sabotaging those things. I’ve heard that there are 100 ways to kill an acquisition and there’s one good way to make it work, so we had to look at this problem very carefully.
How would we test security? How would we get a proper asset catalog of what those things would be without raising alarm inside the organization? We started building a device that, when you plug it into the network, looks like an iPhone, a printer or a copier. We will go on site to a company, usually as a vendor that’s doing something absolutely different than cybersecurity, and we’ll do a quick walkthrough. Oftentimes, we’ll go in under an HVAC or a maintenance role, look around, see what devices are sitting in the corner like the Konicas or the Minoltas, and then we deliver a box that’s about the size of a deck of cards.
When you plug it into the network, it looks identical to a copier on the network traffic side. At that point, we’re able to slowly take a look at assets that we’re hearing from on the network traffic and this is done entirely passively. So, short version, when you have a security audit done, typically it’s a very quick interrogation of all the devices that are on the network. So, if you have servers, phones, multifunction copiers, projectors, you’re going to poke all of these things in rapid succession to see what you can learn about them.
We built a device that goes very slow at just interpreting the traffic that we see. The reason we do that is it doesn’t trigger any alarms. It doesn’t tell an organization that there’s an active threat on the network, that they need to be alarmed. I think that’s the most important side, because the company needs to know what they’re acquiring. At the same time, we have to be very careful not to blow up that acquisition process.
Sabrina: Thank you, Patrick. It’s great to hear that. Let’s shift gears to the sell side. You’ve already given sellers something to think about; what advice do you have for business executives moving towards a transaction?
Patrick: Yeah, we see this quite a bit and we have a lot of conversations around this topic. The challenge we see, before we get into the kind of solution to it, is that many companies that are growing for acquisition were intentionally built to sell. So, if you look at some of the platforms and the things that are coming out of Silicon Valley, the machine learning and artificial intelligence, many of those companies were built to run as lean as possible because they don’t really have a 20-year focus in mind.
They’re wanting to go for acquisition in five years, so your maturity of the cybersecurity and your maturity around regulatory compliance and asset management is going to be pretty light. If you’re taking a company that was built to go really quick and go straight for acquisition and you’re going to acquire that as, say, Google or HP or IBM, a company that has been around for a very, very long time and understands cybersecurity very intimately, you’re going to have some significant challenges there, because one is going to be really slow in moving through that security posture and increasing it and the other one has been protecting their security posture for decades.
The other is we find companies that are struggling and they have probably burned a majority of their resources trying to just hold on and weather a storm. We particularly saw this around 2007 through 2009, and it’s possible that we’re going to see it again now in 2020 with things that are going on, where owners of these organizations are holding on as long as they can and they’re digging deep into their pockets personally and organizationally to keep all of the staff on board and they’re trimming all the expense.
There will come a time that they may determine that that’s not possible, which means a lot of the things that they were doing to keep things secure and to keep things well up to date and in regulatory compliance, they’ve had to discard. The individuals that maybe were running those and championing those efforts have probably had to be laid off, terminated or furloughed, so that introduces some other challenges. My recommendation to companies that are wanting to separate themselves for acquisition is to go through the processes and do the audits, not just the audits that fit in the scope.
There are companies that must adhere to PCI audits or they must adhere to GDPR audits, and quite often they’ll only truly investigate and keep proper asset counts and understanding around just what fits in scope, and what fits in scope may be just 25% of the entire organization. My recommendation is that you look at everything, whether it’s in scope or it’s out of a particular regulatory compliance scope, because the acquirer isn’t going in to buy just the PCI or just the GDPR portion. They’re going to them to buy the entire organization, and being able to present yourself as a company that has taken the time and thought ahead and understands what the challenges are between gluing a small company and a large company together, or a very young company and a very old company together.
That sort of understanding and foresight is really going to perk up the ears of those who are looking to invest in and buy your organization. Again, kind of the short version of it: you want to make sure that you go through the processes and make sure that you’re really looking at the entire problem, and you’re looking today at how your company is going to be glued into another one and make sure that it’s built in a way that connecting those entities and those organizations is going to be more seamless or streamlined.
Sabrina: Let me ask you, they say kitchens and bathrooms sell houses, so what’s the smart place to focus? If you need to up your game to prepare to sell your company, what are the key areas you would suggest people focus on?
Patrick: To me, I always start at policies, procedures, guidelines and standards. I know that we spend a long time looking at technical controls and we talk about the different firewalls and the different artificial intelligence, things that you can buy and apply to your organization. But the thing to keep in mind is that the policies, procedures, the guidelines, the standards, those things are going to determine what you need to apply from a technical point of view to make your company better.
Going and buying blinky light boxes to put in your network rack, it’s not going to convey that you’re a mature company, it’s just going to convey that you know how to buy things. So, when you’re looking at things like the Baldrige framework for cyber security excellence, they start with identify and then determine what you need to do to secure that thing and then figure out how you’re going to protect it and figure out how you’re going to respond should something happen. Detecting, identifying, and detecting threats against responding and then recovering from an incident, those are things that are not defined by the boxes and the gadgets that you have in the network, those are defined by the paperwork.
I highly recommend that you work with legal, whether it’s internal or it’s outsourced. You work with a cybersecurity company, whether you want to do that internally or you have an outsourced group, so that the documentation defines what tools you need to address the problem. You can’t buy tools to address a problem until you’ve defined what it is. It’s similar to building a car without sketching out and designing what that car is going to be.
So, my advice is to make sure you spend the time around building out those policies, procedures, guidelines, and standards, and make sure that they apply to the organization. Make sure that you can act on them, because when you set that paperwork down in front of someone or an organization or legal that’s trying to move you through an acquisition, that’s going to be the thing that they live on, that’s going to be the thing that they understand. Knowing that you bought four or five anti-malware boxes and put them in a rack doesn’t necessarily convey anything about business risk; it’s just a tool, it’s over in a toolbox.
Sabrina: Great point. Thank you so much, Patrick. I appreciate you being with us today and helping our listeners think about the cybersecurity side of transaction due diligence. It’s been great talking to you today.
Patrick: Thank you.
Sabrina: To our listeners, thank you again for tuning in to Frazier & Deeter’s Culture of Compliance podcast. Please join us for our next episode as we continue to discuss transforming compliance requirements into investment in your business.