M&A
Tags: federated, high impact, advanced business case, legal
Type: 3rd-Party
Key Roles: Risk Manager, Technical Investigator, Deal Lead, M&A Advisor
Key Feature Aspects: fair, easy, fast, rigorous, affordable, accurate
About this Use Case
LIVING DOCUMENT
Progress Updated Periodically
The Mergers & Acquisitions diligence practice is overdue for a modern approach. Both the buy-side and sell-side benefit from highly accurate assessments. With so many other non-cyber factors to consider during M&A, the fact that cyber risk can be scientifically quantified using services like BreachRisk can allow teams to efficiently evaluate cyber risk and focus on more subjective elements of the process.
Success Summary
Why BreachRisk™ is a good fit
Standardization and participation are key aspects here. Our sponsoring organizations know our process and trust our results, and standardization complements process. Targets quickly recognize that our assessments are not only rigorous, but extremely fair.
Barriers or misconceptions
M&A is a textbook negotiation process. At each gate, more trust is gained from each side. We've quickly been able to overcome hesitancy of the Seller to run our services.
Key outcomes
Faster deals + safer deals
Seller can justify a higher valuation (or Buyer can spot looming security expenses). Buyer has a better understanding of what they are buying, especially if they need to prepare for a large IT/security overhaul during the integration phase post-acquisition. Seller and Buyer are more resilient to wire transfer attacks. Buyer is more protected during post-close IT migration.
Discussion
BreachRisk fully emulates real attacker activities with actual measurements and testing. Attackers conduct a wide variety of activities when planning and conducting attacks.
When applied to M&A use cases, BreachRisk services apply capabilities during one or more of the following 3 phases: pre-diligence, active diligence, and post-acquisition system integration.
Pre-diligence is defined as a "passive phase" prior to focused due diligence, similar to an initial survey, and does not require participation of the target entity.
Active diligence begins when the target begins due diligence in earnest and participates to ensure full coverage of the analysis.
Post-close monitoring is typically a very high-risk time for both buy-side and sell-side, because large IT and security configuration changes typically accompany the merging of two organizations, and because attackers actively seek to attack buy-side and sell-side targets that they presume have large amounts of liquid capital on hand for the purchase and for various other purposes.
4 Questions that impact deal speed + deal safety
Q: How can BreachBits help my deal speed?
A: More and more questions are being asked about cybersecurity. We make accurate cyber risk assessment and due diligence easy and fast using automation and AI. Instead of security questions bogging down progress, BreachBits allows Seller to be more prepared and Buyer to be more assured of the state of security.
Q: How can BreachBits help with valuation?
A: While we don't think a security assessment will affect valuation by more than 10%, consider a case where BreachBits discovers that Seller needs $350,000 in security upgrades to avoid imminent danger. Seller might want to know that ASAP, and Buyer would need to consider that as a part of the deal.
Q: How can BreachBits help during IT migration?
A: Hackers love to attack when computer systems are changing. Post-close, many organizations undergo a lengthy IT migration. Our continuous services attempt to find new ways to attack every week, so that Buyer can detect these issues before attackers can strike.
Q: How can BreachBits help prevent wire transfer attacks?
A: We attempt attacks like phishing, which is a major method attackers use to conduct wire transfer fraud. We can help Buyer and Seller prepare for the attacks that will come once hackers find out about the deal post-announcement.
Let's get technical.
Our job at BreachBits is to "do what attackers do" and quantify the risk of a breach. We generally perform the following continuous activities during analysis. Analysis based on these activities is designed to be independently defensible but also to corroborate surveys or analysis from sources other than BreachBits:
Attack Surface Discovery. "Where does this entity exist in cyberspace?" Our analysis attempts to find the entity in cyberspace the same way an attacker would. This can discover and confirm where the entity is present to aid other diligence activities.
Attack Surface Monitoring. "When the attack surface changes, how is it changing?" Modern IT infrastructures are constantly changing, both as a result of deliberate changes by the target and because of the vast infrastructure provided by third parties (e.g. cloud services) that evolves independently of the target's control. Continuous monitoring of these changes is necessary to properly characterize risk.
Attack Planning. "What and where will attackers plan to attack?" Cyber attackers are very methodical. Understanding how they would plan to launch attacks provides incredible value when characterizing the risk of a breach. This can help sell-side adjust defensive strategy prior to close, and informs buy-side of the cyber and technology migration risks they may inherit.
Dark Web Exposures. "Can attackers find information on the dark web that could be used to cause a breach?" Attackers attempt to obtain information from nefarious sources to make attacks easier. This could include stolen passwords, stolen records, and more. This activity enhances our other testing activities and provides general observations that help tell the story of the target's ability to protect sensitive data.
Perimeter Testing. "Can observable perimeter risks actually be breached?" To fully eliminate the false positives that typically accompany cyber risk analysis, it is necessary to actually attempt attacks in the same ways attackers would. False positives significantly threaten the confidence of analysis for both buy-side and sell-side, and therefore must be eliminated. This activity greatly enhances the fidelity of our findings and can save considerable time during diligence by proving or disproving theoretical threats altogether, e.g. the time typically consumed by correspondence and issue tracking between buy-side and sell-side agents. Testing activities require the consent of the target and can therefore only be performed during active diligence and post-acquisition monitoring.
Cloud Testing. "Can observable cloud risks actually be breached?" This activity is similar to perimeter testing, but is performed against the cloud infrastructure of the target. Testing activities require the consent of the target and can therefore only be performed during active diligence and post-acquisition monitoring.
Spearphishing. "Can attackers exploit users of the target via email?" The vast majority of high-impact breaches begin when attackers trick employees of the target via malicious email attacks. It is especially important to measure the target's susceptibility to these types of attacks. We actively attempt to defeat the policy, technical, and training controls of the target organization. This also helps tell the story of the target's ability to emplace technical security controls and effective policy and behavior training for employees. Testing activities require the consent of the target and can therefore only be performed during active diligence and post-acquisition monitoring.
Risk Quantification. "On a 10-point scale, what's the risk of a breach?" Fair characterization of risk observations is as important as the analysis itself. Our quantification is derived from a carefully crafted calculus based on industry-supported standards and expert determinations. Each analysis during all phases includes a standardized risk score, which allows both an absolute risk characterization and comparison to other targets. This allows risk ranking among groups of targets and vendors.
Vendor/Supply Chain Analysis. "Can attackers breach the target's vendor ecosystem?" Many attacks start by compromising a lesser-defended third party and then exploiting trusted technology interfaces to reach the target. The same activities we aim at the target directly can be used to analyze the target's vendor pool. This activity requires tight cooperation from the target and can even include participation by the target's vendors.