Page 84 - Cyber Defense eMagazine March 2024

may have a material impact on the value of a company. Additionally, the company may be financially, civilly, and legally liable if the SEC has not been notified of the material breach.
7. Is the company at risk of insider threat from disgruntled employees offering company data or services on the dark web?
8. Has the M&A entity or its supply chain been breached, or is a breach likely, which could result in leaked details about their M&A activities on the dark web?



Organizations that purchase or merge with another entity inherit its cybersecurity risks. Unfortunately, many companies do not conduct adequate cyber risk assessments to determine whether a potential acquisition has been breached, or whether precursors of a breach are available that a threat actor could use to breach the company if they elected to. This lack of exploration can increase the risk of inheriting compromised companies and their networks. In the fast-paced world of M&A, controlling cybersecurity risks can take increasingly more work. At the same time, information security departments may need more personnel and resources to mitigate discovered cyber threats.

Many factors impact a company's stock price. Without polling investors, it is unclear whether a stock's decline after a breach disclosure is due to correlation or causation. The Starwood breach was a significant unknown breach that existed before and after its purchase by Marriott. On the day Marriott announced the breach, its stock dropped 2%. In the ten trading days after the announcement, its stock dropped 16%. In the thirty days after the announcement, it dipped 25%. It was 89 days from the date the breach was announced to Marriott's lowest close for the year, with a stock price drop of 46%.

During the M&A process, external consultants are often involved, depending on the deal's specifics. These consultants typically include investment banks, buying and selling agents, lawyers, auditors, etc. However, it is increasingly common to include CTI vendors as well. These vendors assess the security status of the company being considered for the deal and determine if there has been any breach or theft of valuable items by a known or unknown third party. This information is crucial as it can significantly impact the sale.

It is about more than just evaluating the M&A company. Threat actors target M&A organizations more frequently than typical businesses. Higher-end threat actors use proven and profitable business models such as industrial espionage and stock market manipulation, making breaching an M&A company very profitable. Therefore, M&A entities can benefit from CTI monitoring, such as what Resecurity offers, to safeguard themselves and the other entities involved in M&A activities. Additionally, it is essential to protect the confidential information the seller provides, as any leak could result in a seller's SEC rule 7 disclosure.



CTI for M&A

It is common for M&A companies to do CTI analysis during the M&A process. Most M&A companies outsource various aspects of determining the company's cybersecurity posture to other companies, including a perimeter scan of the company's network, scans of low-end cybercrime forums (TOR), and a review of the company's source code. However, external threat intelligence can enhance this vetting by




Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.