Is this a new trend? Cyber attacks after Mergers and Acquisitions, Divestitures
- Eva Frankenberger
- May 4, 2024
- 14 min read

In light of Morgan Stanley's prediction of a 50% increase in deal volumes for 2024, understanding the multifaceted cyber risks associated with mergers and acquisitions is crucial. Organizations preparing for an M&A or a divestiture should consider the uneven cyber risk burden that tends to fall on the acquiring organization. These risks, exemplified by recent breaches at Dropbox Sign (HelloSign before the acquisition) and Change Healthcare (part of UnitedHealth Group's Optum since 2022) and the other cases listed below, present not only technological challenges but also legal, reputational and data-privacy exposure, together with high remediation costs. Technology disruption, dormant threats, IT resiliency, data security, lack of information and organizational disruption disproportionately affect the acquiring organization: the integration process exposes it to new vulnerabilities, compliance challenges and potential breaches of sensitive information.
In my opinion there is a noticeable trend where recently acquired companies become targets for cyberattacks, often attributed to the vulnerabilities introduced during the integration process.
Here is a list of notable cybersecurity incidents that followed mergers and acquisitions:
1. Yahoo and Verizon - Before Verizon completed its acquisition of Yahoo in 2017, Yahoo disclosed two massive data breaches from 2013 and 2014, initially reported as affecting 1 billion and 500 million user accounts respectively (the 2013 figure was later revised to all 3 billion accounts). The disclosures led to a $350 million reduction in the purchase price and highlighted the importance of thorough cybersecurity due diligence in M&A processes.
2. Starwood and Marriott - After acquiring Starwood in 2016, Marriott discovered in 2018 that attackers had been inside Starwood's guest reservation database since 2014, affecting up to 500 million guests (later revised to roughly 383 million guest records). Marriott faced significant fines, including an £18.4 million GDPR penalty from the UK ICO, and reputational damage for a breach it inherited and then failed to detect during two years of ownership.
3. SolarWinds - SolarWinds had grown through a series of acquisitions before 2020, when attackers compromised the build process of its Orion platform and shipped a trojanized update (SUNBURST) to roughly 18,000 customers, including numerous US government agencies and private companies. The initial access vector was never publicly confirmed. The case demonstrates the risk of integrating products and build pipelines from acquired companies without an adequate security review.
4. T-Mobile and Sprint - After the merger with Sprint closed in 2020, T-Mobile suffered a breach in 2021 affecting more than 54 million current, former and prospective customers; the attacker reportedly entered through an internet-exposed, unprotected router and pivoted into internal systems from there. Securing customer data during extensive network integration remains a challenge, and the expanded estate offers more such entry points.
5. Accellion (now Kiteworks) - This is a legacy-retirement case rather than an acquisition: Accellion's roughly 20-year-old File Transfer Appliance (FTA), which the vendor had been retiring in favour of its newer Kiteworks platform, was exploited through a chain of zero-day vulnerabilities in December 2020 and January 2021, leading to data theft and extortion at dozens of customer organizations. It underscores the importance of timely decommissioning of outdated systems, a task that easily slips after an acquisition.
6. Facebook and WhatsApp - After Facebook acquired WhatsApp in 2014, the 2016 change that let WhatsApp share user data with Facebook drew regulatory scrutiny in Europe, and vulnerabilities found in WhatsApp over the years (notably the 2019 VoIP buffer overflow, CVE-2019-3568, used to install spyware via a missed call) raised questions about whether the acquirer's data-sharing practices protected WhatsApp's previously established privacy and security standards.
7. Progress Software and MOVEit - Progress Software completed its acquisition of Ipswitch, the maker of the MOVEit managed file transfer product, in 2019 to strengthen its portfolio in secure file management and automation. In May 2023 a SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) was exploited as a zero-day by the Cl0p extortion group, leading to arbitrary code execution on exposed servers and data theft from thousands of downstream organizations.
8. Change Healthcare - Change Healthcare, acquired by UnitedHealth Group's Optum in 2022, experienced a serious system outage in February 2024 after a ransomware attack. UnitedHealth initially described the intrusion as the work of a suspected nation-state associated threat actor; it was later attributed to the ALPHV/BlackCat ransomware group, which entered through compromised credentials for a Citrix remote-access portal that did not have MFA enabled. The attack disrupted claims, billing and pharmacy operations across the United States. UnitedHealth Group reported an $872 million impact on its Q1 2024 earnings, comprising $593 million in direct-response costs and $279 million in business-disruption losses, and the company reportedly paid a ransom of about $22 million.
9. Dropbox Sign (previously HelloSign) - Dropbox disclosed at the start of May 2024 that a threat actor had gained access to a Dropbox Sign automated system configuration tool and, through it, compromised a service account that was part of Sign's back end and held elevated privileges within the production environment. Whether MFA or equivalent controls covered the path in has not been disclosed. Note that a back-end service account is normally not an interactive login, so the relevant controls are least-privilege scoping, credential rotation and anomaly detection on the account rather than user-facing MFA.
Mergers and acquisitions can create unique cybersecurity challenges. These challenges can make recently merged or acquired companies appealing targets for cybercriminals who are betting on finding weaknesses before they are addressed in the unified security framework of the newly formed enterprise. Hence, enhancing cybersecurity measures and performing comprehensive security assessments during and after M&A activities are crucial to mitigate these risks:
1. Integration Complexity: The process of merging IT systems can expose security gaps. Newly combined systems may not yet have fully harmonized security protocols, which can provide openings for attackers.
2. Due Diligence Oversights: During the M&A process, cybersecurity due diligence might not be as thorough or might overlook critical vulnerabilities, especially if the focus is more on financial or operational aspects.
3. Cultural Differences: Differences in security culture and practices between the merging entities can lead to inconsistencies in security enforcement and awareness.
4. Increased Attack Surface: The integration phase often involves extensive data transfers and system configurations, increasing the attack surface and the potential impact of a breach.
5. Legacy systems, accounts and applications that cannot be immediately replaced or discontinued because of contractual or operational dependencies often remain in use. They are easily overlooked or under-prioritized during security integration, especially when attention shifts to the more immediate or visible parts of the new enterprise's IT environment. When these legacy components are not a focus of the Chief Information Security Officer (CISO) or the broader cybersecurity strategy, they can create significant vulnerabilities:
5.1 Security Patches and Updates: Legacy systems may not be regularly updated or patched, making them susceptible to known exploits that newer systems would normally defend against.
5.2 Compatibility Issues: Ensuring that old systems are compatible with new security measures can be challenging and resource-intensive, leading to gaps in protection.
5.3 Resource Allocation: There might be a tendency to allocate more resources towards integrating and securing newer technologies, while older systems receive less attention and funding.
5.4 Visibility and Monitoring: Legacy systems might not be fully integrated into the new entity's security monitoring tools, resulting in less visibility into potential threats or breaches affecting these systems.
6. Integrations involving login mechanisms, monitoring systems, and other Security Operations Center (SOC) tools are crucial components of a secure IT infrastructure, especially during and after mergers and acquisitions. Proper integration of these elements can pose significant challenges but is essential for maintaining robust security across the combined entity. Here is how each can impact cybersecurity during or after M&A:
6.1 Identity and Access Management: Integrating authentication systems is critical, as discrepancies between how merging entities handle access control can create vulnerabilities. Implementing unified login protocols, possibly through Single Sign-On (SSO) or centralized identity management systems, can help mitigate risks by ensuring consistent security policies and reducing the complexity that attackers could exploit. The discrepancies in login mechanisms and the underlying technology, such as Multi-Factor Authentication (MFA), during mergers and acquisitions can introduce several risks and challenges:
6.1.1. Inconsistent Security Policies: If merging entities have different security policies for user authentication, it can create confusion and lead to security gaps. For instance, one company might enforce MFA across all platforms, while the other might only use it selectively. This inconsistency can provide attackers with easier entry points into less secure systems.
6.1.2. Technological Incompatibility: Different MFA technologies (e.g., hardware tokens, SMS-based OTP, app-based OTP, FIDO2/WebAuthn authenticators) might not integrate smoothly, complicating the process of unifying login systems. The factors also differ in strength: SMS OTP is exposed to SIM swapping and real-time phishing, while FIDO2/WebAuthn is phishing-resistant, so harmonizing on the weakest common denominator would lower the bar for the more mature entity. This can lead to operational inefficiencies and increased risk during the transition period until a unified solution is implemented.
6.1.3. User Experience and Compliance: Varying MFA methods can affect user experience, potentially leading to resistance from users accustomed to a different system. Poor user experience can also impact compliance with security protocols, as users might seek ways to bypass inconvenient security measures.
6.1.4. Management Complexity: Managing multiple authentication systems across merged entities increases complexity and administrative overhead. It requires additional training for IT staff and users and can complicate the enforcement of security policies.
6.1.5. Scaling Issues: The MFA system used by one entity might not be designed to scale to the size of the combined organization, potentially leading to performance issues or failures in critical security functionalities.
Best Practices for Mitigating Risks:
- Unified Security Framework: Develop a unified security framework that incorporates the best practices from each entity. Standardize MFA across all systems to ensure consistent security measures.
- Technology Evaluation and Selection: Assess the existing MFA technologies from each entity and select the one that best meets the combined needs in terms of security, scalability, and user experience. Consider adopting newer, more adaptable MFA solutions if necessary.
- User Training and Communication: Conduct comprehensive training sessions for all users about the new MFA procedures. Clear communication about the benefits and necessity of MFA can help improve user compliance and reduce resistance.
- Gradual Integration: Implement changes gradually to minimize disruption. Consider a phased approach where users transition to the new system in stages, allowing time for adjustment and troubleshooting.
- Continuous Monitoring and Feedback: After implementation, continuously monitor the effectiveness of the new authentication system and collect user feedback. This allows for timely adjustments and improvements, ensuring that the MFA system remains effective and user-friendly.
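As an added example that is not part of the original article, the following Python script reconciles two constructed identity-provider exports (the CSV columns, domains and accounts are assumptions for illustration) and lists the gaps an integration team should close first: privileged accounts with no or weak MFA, accounts with no MFA at all, and the same person present in both directories under two identities.

```python
"""Reconcile two identity-provider exports after a merger and list MFA gaps.

Added illustration for this article. The export format, column names and all
account data below are constructed; real exports come from each entity's IdP.
"""
import csv
import io
from collections import defaultdict

# Constructed exports, one per entity. Columns assumed:
#   email, privileged (yes/no), mfa (none|sms|totp|fido2), last_login (ISO date)
ACQUIRER_EXPORT = """\
email,privileged,mfa,last_login
alice@acquirer.example,yes,fido2,2024-04-30
bob@acquirer.example,no,totp,2024-04-29
carol@acquirer.example,yes,sms,2024-04-28
"""

ACQUIRED_EXPORT = """\
email,privileged,mfa,last_login
dave@acquired.example,yes,none,2024-04-30
erin@acquired.example,no,none,2023-11-02
carol@acquired.example,no,sms,2024-04-25
svc-backup@acquired.example,yes,none,2024-04-30
"""

# Factors the unified policy no longer accepts for privileged accounts (assumption).
WEAK_FACTORS = {"none", "sms"}


def load_export(text, entity):
    """Parse one CSV export and tag every row with the entity it came from."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["entity"] = entity
        row["privileged"] = row["privileged"].strip().lower() == "yes"
        rows.append(row)
    return rows


def find_mfa_gaps(accounts):
    """Return the gaps to close first.

    - privileged accounts whose strongest factor is weak or missing
    - any account with no MFA at all
    - the same local part in both directories, usually a duplicate identity to merge
    """
    gaps = {"privileged_weak_mfa": [], "no_mfa": [], "duplicate_identity": []}
    by_local_part = defaultdict(list)
    for account in accounts:
        factor = account["mfa"].strip().lower()
        if account["privileged"] and factor in WEAK_FACTORS:
            gaps["privileged_weak_mfa"].append(account["email"])
        if factor == "none":
            gaps["no_mfa"].append(account["email"])
        by_local_part[account["email"].split("@")[0]].append(account["email"])
    for emails in by_local_part.values():
        if len(emails) > 1:
            gaps["duplicate_identity"].append(sorted(emails))
    return gaps


def mfa_coverage(accounts):
    """Fraction of accounts per entity with any MFA factor enrolled."""
    totals = defaultdict(lambda: [0, 0])  # entity -> [enrolled, total]
    for account in accounts:
        totals[account["entity"]][1] += 1
        if account["mfa"].strip().lower() != "none":
            totals[account["entity"]][0] += 1
    return {entity: enrolled / total for entity, (enrolled, total) in totals.items()}


if __name__ == "__main__":
    merged = load_export(ACQUIRER_EXPORT, "acquirer") + load_export(ACQUIRED_EXPORT, "acquired")
    for entity, coverage in mfa_coverage(merged).items():
        print(f"{entity}: {coverage:.0%} MFA coverage")
    for kind, items in find_mfa_gaps(merged).items():
        print(kind, items)
```

The service account in the sample (svc-backup) shows up as a privileged account without MFA; since such accounts cannot use interactive MFA, the follow-up for them is scoping and rotation rather than enrollment, so a real report should separate human and non-human identities before assigning the work.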
6.2 Monitoring Systems: Effective integration of monitoring tools is essential for maintaining visibility across all systems of the merged entities. This involves consolidating and standardizing security event monitoring tools like SIEM (Security Information and Event Management) systems. Ensuring these tools cover all legacy and new systems without gaps is crucial for detecting and responding to threats promptly. Effective monitoring during and after a merger or acquisition involves several key steps and challenges:
6.2.1. Asset Inventory: The organization needs a comprehensive inventory of all assets from both entities, including hardware, software, network devices, and any other critical IT resources. This inventory is crucial for understanding what needs to be monitored and ensuring no asset is left unprotected.
6.2.2. Installation of Monitoring Agents: It often requires installing additional monitoring agents on the newly acquired company’s assets. This can be a significant effort, particularly if the two companies use different monitoring tools or if the acquired company's assets weren't previously monitored to the same standard.
6.2.3. Cost Implications: Expanding monitoring to cover all new assets can involve significant costs: software licenses for additional monitoring agents, plus the hardware and bandwidth needed to handle the increased data traffic and storage for monitoring data. Additional staff or automation tools to manage the expanded scope are a further significant consideration in mergers and acquisitions. Here is how these factors play into the overall integration and ongoing operations:
· Additional Staffing Costs: As the asset base and monitoring requirements grow, the workload for security operations can increase substantially. This often necessitates hiring additional security personnel to handle increased monitoring, incident response, and ongoing security management. The costs here include not only salaries but also recruitment, training, and potentially increased overhead for additional workspace and equipment.
· Automation Tools: To efficiently manage the increased scope of monitoring without proportionally increasing staff, many companies invest in automation tools. These tools can help manage the volume of data and alerts through automated processing, pattern recognition, and anomaly detection. The cost of these tools can vary widely based on the sophistication of the technology and the scale of deployment. However, they can provide significant long-term savings by enhancing productivity and enabling existing staff to focus on higher-level tasks.
· Integration of Automation: Integrating automation tools into existing systems can involve additional one-time costs such as licensing, setup, and customization to ensure they work well within the new combined IT environment. There may also be costs associated with training staff to use these new tools effectively.
· Maintenance and Updates: Both staffing and automation tools entail ongoing costs for maintenance, updates, and continuous improvement. For automation tools, this includes software updates, security patches, and possibly subscription fees if using cloud-based services.
· Scale and Efficiency: While initially costly, both additional staffing and automation can lead to greater efficiencies and more effective monitoring capabilities. Over time, the benefits of enhanced security posture can offset these costs, especially when considering the potential cost of security breaches.
6.2.4. Integration of Monitoring Tools: If each entity uses different monitoring systems, integrating them can be technically challenging. An organization may need to standardize on a single platform or ensure interoperability between systems, which can require additional configuration and customization work.
6.2.5. Data Overload: With an increased number of assets to monitor, there's a risk of data overload where the volume of monitoring data becomes unmanageable. This can dilute the effectiveness of security teams in spotting genuine threats among numerous alerts, known as "alert fatigue."
6.2.6. Scalability and Performance: The monitoring system must scale to handle the increased load from the additional assets without performance degradation. This might require upgrades to infrastructure or more efficient use of resources.
6.2.7. Compliance and Legal Issues: The merger might bring additional compliance requirements, especially if the companies operate in different regulatory environments or if the acquired assets include regulated data. Monitoring systems must be capable of supporting compliance in these contexts. Navigating the challenges of monitoring across jurisdictions with varying legal requirements is a complex but crucial aspect of cybersecurity, especially after mergers and acquisitions. When organizations merge, they often have to manage assets across different regions, each potentially with its own set of laws and regulations concerning privacy and data security. Here are some of the key considerations and strategies for handling these challenges:
Key Considerations
-Data Privacy Laws: Laws such as the General Data Protection Regulation (GDPR) in Europe, the California Consumer Privacy Act (CCPA), and other regional data protection statutes can restrict how monitoring can be conducted. These laws often regulate what kind of data can be collected, how it must be handled, and the extent to which monitoring is permissible.
-Employee Privacy Rights: Some jurisdictions have strong protections for employee privacy that limit the ability of an employer to monitor activities, especially without explicit consent. This can affect the monitoring of internal systems and communications.
-Cross-Border Data Flows: When monitoring involves the transfer of data across borders, additional legal complexities can arise. Countries may have restrictions on the international transfer of personal data, requiring specific safeguards or agreements like Standard Contractual Clauses (SCCs) or adherence to frameworks like the EU-US Data Privacy Framework (the successor to the Privacy Shield, which the Court of Justice of the EU invalidated in 2020).
-Sector-Specific Regulations: Certain sectors, like finance and healthcare, may have additional regulatory requirements that affect monitoring, including specific rules about how data must be protected and who can access it.
Strategies for Compliance
-Localized Compliance Frameworks: Develop and implement localized frameworks for compliance that respect the specific legal requirements of each jurisdiction while maintaining effective security monitoring. This may involve tailoring monitoring practices to meet local regulations.
-Data Minimization and Anonymization: Where possible, minimize the amount of data collected and use anonymization or pseudonymization to reduce privacy risks. This approach can help
6.2.8. Cultural and Operational Alignment: There needs to be an alignment in how monitoring is approached culturally and operationally between the two entities. This involves standardizing procedures for responding to alerts and managing incidents across the combined organization.
Strategies to Address These Challenges:
- Unified Monitoring Strategy: Develop a strategy that defines what needs to be monitored, how monitoring will be conducted, and how alerts will be managed. This should align with the overall security strategy of the merged entity.
- Technology Assessment and Consolidation: Evaluate the existing technologies and decide whether to consolidate them into a single system or find ways to ensure they can work effectively in tandem.
- Infrastructure Investment: Plan for necessary investments in infrastructure to support effective monitoring at the scale required by the merged entity.
- Training and Processes: Update training for all relevant staff to ensure they understand the new tools and processes. Standardize incident response and alert management processes across the organization.
- Continuous Review and Adjustment: Regularly review the effectiveness of the monitoring setup and make adjustments as needed. This includes scaling up as the organization grows and evolves post-merger.
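The inventory and visibility points above (6.2.1, 6.2.2 and 5.4) come down to one question: which assets in the merged inventory are not reporting to the SIEM? The following Python script, added here as an illustration and not taken from the article, joins a constructed inventory against constructed agent heartbeat lines (the column names, host names, timestamps and log format are assumptions) and classifies each asset as covered, silent or never reported, with a separate view of the legacy systems that are most likely to be forgotten.

```python
"""Find assets in the merged inventory that send no telemetry.

Added illustration for this article. The inventory columns, host names,
heartbeat format and timestamps are constructed assumptions; in practice the
"last seen" data comes from a SIEM or agent-management query.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed merged inventory. Columns assumed: hostname, entity, legacy (yes/no), owner
INVENTORY = """\
hostname,entity,legacy,owner
web01.acquirer.example,acquirer,no,platform
db01.acquirer.example,acquirer,no,dba
erp-legacy.acquired.example,acquired,yes,finance
fileshare.acquired.example,acquired,yes,it-ops
app02.acquired.example,acquired,no,dev
"""

# Constructed agent check-in lines: "<ISO timestamp> heartbeat host=<hostname>"
HEARTBEATS = """\
2024-05-03T08:00:00 heartbeat host=web01.acquirer.example
2024-05-03T08:05:00 heartbeat host=db01.acquirer.example
2024-04-20T11:00:00 heartbeat host=fileshare.acquired.example
2024-05-01T09:30:00 heartbeat host=fileshare.acquired.example
2024-05-03T07:58:00 heartbeat host=app02.acquired.example
"""

NOW = datetime(2024, 5, 3, 9, 0, 0)   # fixed "now" so the example is deterministic
SILENT_AFTER = timedelta(hours=24)    # an agent quiet longer than this counts as a gap


def parse_inventory(text):
    """Parse the CSV inventory; the legacy flag becomes a bool."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["legacy"] = row["legacy"].strip().lower() == "yes"
    return rows


def last_seen(heartbeats):
    """Map hostname -> most recent heartbeat timestamp, ignoring malformed lines."""
    seen = {}
    for line in heartbeats.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "heartbeat" or not parts[2].startswith("host="):
            continue
        ts = datetime.fromisoformat(parts[0])
        host = parts[2][len("host="):]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def coverage_gaps(inventory, seen, now=NOW, silent_after=SILENT_AFTER):
    """Classify every inventoried asset as covered, silent (stale agent) or never reported."""
    result = {"covered": [], "silent": [], "never_reported": []}
    for asset in inventory:
        host = asset["hostname"]
        if host not in seen:
            result["never_reported"].append(host)
        elif now - seen[host] > silent_after:
            result["silent"].append(host)
        else:
            result["covered"].append(host)
    return result


def uncovered_legacy(inventory, gaps):
    """Legacy systems with a monitoring gap, sorted by hostname."""
    uncovered = set(gaps["silent"]) | set(gaps["never_reported"])
    return sorted(a["hostname"] for a in inventory if a["legacy"] and a["hostname"] in uncovered)


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY)
    gaps = coverage_gaps(inventory, last_seen(HEARTBEATS))
    for state, hosts in gaps.items():
        print(f"{state}: {hosts}")
    print("legacy systems without telemetry:", uncovered_legacy(inventory, gaps))
```

Run regularly, the "never reported" list is the direct measure of 6.2.2 (agents still to be installed), and the "silent" list catches agents that were installed during integration but have since broken, which is the common failure on legacy hosts.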
6.3 SOC Tools: Integrating SOC tools involves unifying threat detection, incident response, and security operations technologies. A comprehensive SOC should provide an integrated overview of the security posture of the entire organization. This means ensuring that all parts of the IT environment are monitored, and that there is a cohesive strategy for managing security incidents.
Challenges and Best Practices for SOC tools:
-Data Overload: Integrating multiple systems can lead to an overwhelming amount of security data, which may reduce the effectiveness of threat detection unless properly managed with advanced analytics or AI-based tools.
-Tool Compatibility: Tools from different environments may not naturally integrate well, requiring additional middleware or customized solutions to ensure seamless operation.
-Staff Training and Processes: Ensuring that the staff is adequately trained to handle the integrated tools and that all security processes are updated to reflect the new technology landscape is essential for effective security operations.
-Continuous Evaluation: Regularly evaluating the effectiveness of the integrated SOC tools and processes is crucial. This helps in identifying any gaps in coverage and allows for timely adjustments to the security setup.
Threat Detection/Monitoring - Establishing a consistent baseline for threat detection across different parts of a merged organization can be challenging. During mergers and acquisitions, the blending of distinct corporate cultures, IT environments, and security protocols means that what is considered normal in one part of the organization might be flagged as anomalous in another. Here are some specific challenges and strategies for addressing them:
Challenges
-Diverse IT Environments: Different technological foundations can lead to discrepancies in how data is managed and monitored. Each entity may have used different standards for network traffic, access patterns, and user behavior, complicating the creation of a unified security model.
-Varying Security Maturity Levels: If one company has a more developed cybersecurity strategy than the other, their thresholds for detecting threats may be higher, and their tools may be more sophisticated. This disparity can lead to gaps in threat detection capabilities across the merged entity.
-Integration of Security Systems: Integrating disparate security systems and tools (such as SIEM systems, intrusion detection systems, and behavior analytics tools) can be technically complex and may result in initial inefficiencies or blind spots in monitoring.
-Cultural Differences in Security Practices: Employees from different companies may have different understandings and practices regarding security, affecting how they respond to security protocols and monitoring.
Strategies for Effective Threat Detection
-Unified Security Baseline: Develop a comprehensive security baseline that accounts for the combined entity's overall operations. This includes defining what normal behavior looks like across the entire organization and what constitutes a potential threat.
-Harmonization of Security Tools: Standardize the use of security tools and platforms as much as possible. If full standardization isn't feasible, ensure that different systems can communicate and share data effectively, possibly through a centralized management platform.
-Advanced Analytics and Machine Learning: Utilize advanced analytics and machine learning to understand and predict normal behavior patterns across the merged entity. These technologies can help in dynamically adjusting to new "normals" as the integration progresses.
-Cross-Training and Cultural Integration: Facilitate cross-training sessions for security teams from both companies to align their understanding and approaches to security. Promote a unified culture of security that encompasses the best practices from both entities.
-Continuous Monitoring and Adjustment: Monitor the effectiveness of the integrated threat detection system continuously. Be prepared to adjust parameters and definitions of normal behavior as the organization evolves and as new threats emerge.
-Incident Response Planning: Update and unify the incident response plans to handle anomalies and threats consistently across the entire organization. Ensure that all teams are familiar with the procedures and know how to act swiftly and efficiently.
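To make the baseline problem concrete, the following Python example (added here, not from the article) uses constructed hourly failed-login counts for a large acquirer and a small acquired entity. Scored against each entity's own median/MAD baseline, a credential-stuffing burst in the small entity stands out; scored against a single pooled baseline dominated by the larger entity's noise, the same burst falls below the alert threshold. The counts, entity names and the 3.5 threshold are assumptions for the example.

```python
"""Per-entity baselines versus one pooled baseline after a merger.

Added illustration for this article. The hourly failed-login counts, entity
names and the alert threshold are constructed assumptions; a real deployment
would pull the counts from the SIEM.
"""
from statistics import median

# Constructed failed-login counts per hour over one day for two merged entities.
# The acquirer is large and noisy; the acquired entity is small and quiet until a
# credential-stuffing burst in the last hour.
FAILED_LOGINS = {
    "acquirer": [180, 240, 205, 260, 170, 215, 250, 190, 230, 175, 245, 200,
                 185, 255, 210, 165, 235, 220, 195, 250, 180, 240, 205, 225],
    "acquired": [4, 6, 5, 5, 7, 4, 6, 5, 5, 4, 6, 5,
                 5, 6, 4, 5, 7, 5, 4, 6, 5, 5, 6, 60],
}
THRESHOLD = 3.5  # conventional cut-off for the modified z-score (assumption)


def robust_zscore(series, value):
    """Modified z-score on median and MAD, so one spike cannot drag the baseline."""
    med = median(series)
    mad = median(abs(x - med) for x in series) or 1.0  # guard: MAD is 0 when most hours are identical
    return 0.6745 * (value - med) / mad


def is_spike(series, hour, threshold=THRESHOLD):
    """True if the count at `hour` is anomalously high against the series' own history."""
    return robust_zscore(series, series[hour]) > threshold


def per_entity_alerts(counts, hour, threshold=THRESHOLD):
    """Entities that would alert at `hour` when each is scored against its own baseline."""
    return sorted(name for name, series in counts.items() if is_spike(series, hour, threshold))


def pooled_alert(counts, hour, threshold=THRESHOLD):
    """Whether a single baseline over the combined volume would alert at `hour`."""
    pooled = [sum(values) for values in zip(*counts.values())]
    return is_spike(pooled, hour, threshold)


if __name__ == "__main__":
    last = 23
    print("per-entity alerts:", per_entity_alerts(FAILED_LOGINS, last))
    print("pooled alert:", pooled_alert(FAILED_LOGINS, last))
    for name, series in FAILED_LOGINS.items():
        print(f"{name}: z={robust_zscore(series, series[last]):.1f}")
```

The same split applies to any dimension the two entities differ on (business hours, source countries, typical data-transfer volumes): the baseline has to be keyed by the population the event belongs to until the populations have actually converged, not merely been connected.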
By addressing the challenges discussed above with thoughtful strategies, effective operations, and continuous monitoring and improvement, organizations can secure their expanded operations against cybersecurity risks.
Conclusion
My prioritized list of actions a CISO should consider immediately after a merger or acquisition:
1. Conduct a Comprehensive Security Assessment
· Objective: Identify vulnerabilities and understand the combined threat landscape.
· Actions: Perform audits, vulnerability assessments, and penetration testing across all systems.
2. Implement Multi-Factor Authentication (MFA)
· Objective: Enhance access security by adding additional verification steps.
· Actions: Implement MFA across critical systems, especially for administrative accounts, remote access and internet-facing portals; prefer phishing-resistant factors (FIDO2/WebAuthn) for administrators.
3. Inventory and Audit of Existing Secrets
· Objective: Ensure all sensitive secrets such as credentials and API keys are accounted for.
· Actions: Catalog all secrets, identifying which systems and services they access.
4. Establish a Unified Security Strategy
· Objective: Create a cohesive strategy that integrates the security policies of both entities.
· Actions: Develop a unified set of security policies and procedures.
5. Implement a Centralized Secrets Management Solution
· Objective: Manage and protect secrets efficiently and securely.
· Actions: Deploy a secrets management tool with encryption, access controls, and auditing capabilities.
6. Standardize and Consolidate Security Tools
· Objective: Remove redundancies and close gaps in security monitoring and management.
· Actions: Rationalize and standardize security tools and systems.
7. Establish Strict Access Controls and Automate Secret Rotation
· Objective: Minimize unauthorized access and reduce risks associated with static credentials.
· Actions: Control access based on the least privilege principle and automate the rotation of secrets.
8. Integrate and Streamline Monitoring Systems
· Objective: Ensure consistent and comprehensive monitoring across the organization.
· Actions: Consolidate monitoring tools and implement centralized logging and SIEM systems.
9. Update and Enforce Access Controls
· Objective: Secure sensitive data and critical infrastructure by ensuring only authorized access.
· Actions: Review and update access permissions regularly.
10. Train Employees on Security Practices and Handling of Secrets
· Objective: Raise awareness and educate staff on security protocols and the importance of protecting sensitive information.
· Actions: Develop training programs focused on security awareness, phishing prevention, and the secure management of secrets.
11. Develop and Enforce Policies for Handling Secrets
· Objective: Establish clear guidelines for managing and protecting secrets.
· Actions: Create and enforce policies regarding the handling, sharing, storage, and destruction of secrets.
12. Secure Development Practices
· Objective: Prevent the accidental exposure of secrets in development environments
· Actions: Integrate secrets management tools that inject secrets at runtime and avoid hardcoding in source code.
13. Integrate and Test Incident Response Plans
· Objective: Ensure readiness to respond to incidents effectively.
· Actions: Merge IR plans, conduct tabletop exercises, and perform simulation tests.
14. Address Legal and Compliance Issues
· Objective: Align with regulatory requirements and avoid legal penalties.
· Actions: Assess compliance obligations and unify compliance frameworks.
15. Plan for Continuous Improvement
· Objective: Adapt and evolve security measures to meet emerging threats and changes.
· Actions: Implement a process for ongoing security assessments and strategy updates.
16. Foster Communication and Collaboration
· Objective: Maintain alignment and cooperative efforts across security functions.
· Actions: Establish regular communication channels and collaborative meetings to discuss security issues.
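For items 3 and 12 above, the following Python example (added here, not from the article) shows a minimal scanner that flags hard-coded credentials in source files, with an entropy check so that placeholders are not reported, alongside a loader that reads the secret from the environment at runtime and fails closed if it is missing. The sample files, patterns and secret values are constructed; the AWS-style key is the example access key ID from AWS documentation, not a live credential.

```python
"""Catch hard-coded secrets in source and load them from the environment instead.

Added illustration for the secrets items of this article. The sample files,
patterns and values are constructed; "AKIAIOSFODNN7EXAMPLE" is the example
access key ID from AWS documentation, not a live credential.
"""
import math
import os
import re
from collections import Counter

# Patterns for two well-known key formats plus a generic "name = 'value'" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)(secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}
ENTROPY_MIN = 4.0  # bits per character; placeholders and words sit below this (assumption)

# Constructed sample files: the first hard-codes secrets, the second injects at runtime.
SAMPLE_FILES = {
    "settings_bad.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'API_KEY = "sk-9fQ2mZ8vLp4xT1bW6nK3rH7yD0eJ5aUc"\n'
        'DB_PASSWORD = "changeme-in-prod"\n'
    ),
    "settings_good.py": (
        "import os\n"
        'API_KEY = os.environ["API_KEY"]\n'
    ),
}


def shannon_entropy(s):
    """Bits of entropy per character; random tokens score high, English words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, path="<memory>"):
    """Return (path, line_no, kind, value) for each likely secret in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                # The generic pattern matches placeholders too, so require the
                # value to look random before reporting it.
                if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_MIN:
                    continue
                findings.append((path, line_no, kind, value))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; returns only the paths with findings."""
    report = {}
    for path, text in files.items():
        found = scan_text(text, path)
        if found:
            report[path] = found
    return report


def load_secret(name, env=None):
    """Read a secret injected at runtime (env var or a vault-populated mapping); fail closed if absent."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} was not provided at runtime")
    return value


if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        for _, line_no, kind, value in found:
            print(f"{path}:{line_no}: {kind}: {value[:6]}...")  # never print the whole secret
```

Wiring a check like this into the acquired company's CI pipeline on day one gives the inventory of item 3 a feed of secrets that would otherwise only surface during an incident; the entropy threshold trades a few misses of low-entropy passwords for not drowning the report in placeholders.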