Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

1/8/2019
10:30 AM
Matt Rose
Matt Rose
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Matters When It Comes to Mergers & Acquisitions

The recently disclosed Marriott breach exposed a frequently ignored issue in the M&A process.

Software security issues aren't going away anytime soon, as proven by the recently disclosed colossal breach at Marriott. Sure, we could rehash the typical post-mortem responses such as securing the software development life cycle, shifting left, DevSecOps, or other industry buzzwords associated with today's security concerns. But in regard to Marriott's recent breach, which affected over 500 million customers, it's critical to look at a different aspect of security: the software exposure before and after mergers and acquisitions (M&A).

M&As are a common business practice and have created some of the largest, most successful companies in the world. While the M&A process is typically thought of as a boardroom issue, we must consider more than the financial activity that looks to increase revenues and customer base. Unfortunately, vetting the associated security risks is often neglected throughout the process. This shows the need for transparency and increased security awareness between IT/security professionals and the C-suite.

M&A's Security Risk
A report by West Monroe surveyed 100 senior global executives in early 2017 and found that cybersecurity continues to be a major issue in relation to M&A, both in due diligence and after the deal closes. Fifty-two percent reported discovering a cybersecurity problem after closing the deal. It was also found that security was the No. 2 reason M&A deals were abandoned, and the second most common reason buyers regretted closing a deal. When evaluating the entire M&A process, respondents shared that the top three reasons deals often fail are security concerns (23%), financial and tax issues (23%), and problems with compliance (18%). While these are relatively low, the most anxiety appears to come after the deal is done. The study found that two in five respondents said problems during post-merger integration (41%) was their main worry when thinking about issues related to security.

Based on Personal Experience
From my own experience in M&A, before I was at Checkmarx, I was responsible for vetting companies being acquired by other clients. In one case, as part of the recommended analysis, we thoroughly scanned a company's software and found that it was full of vulnerabilities. To our dismay, we discovered a backdoor into the entire system. As a result, the entire process came to a halt and the deal fell apart. The security risk was too great. In a surprising turn of events, the acquiree attempted to take legal action against the security company I was with, claiming that we blocked the M&A process. In my opinion, while we may have missed out on financial gains from the acquisition, we saved our client from a potentially costlier security compromise similar to Marriott's.

Applying What We've Learned to Marriott
This same concept can be applied to Marriot's recent breach. In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world's largest hotel company. We can assume that for such a large business deal, there was a very long investigation into the financials, operating practices, market penetration, and other variables necessary to finalize such a large acquisition. But was security considered? Starwood reported an unrelated malware attack on their point-of-sale systems just two weeks after the original deal was signed. Had Marriott investigated and vetted Starwood's software security prior to the acquisition, this particular vulnerability might have been found and resolved — or at the very least, triggered a major red flag around the security of Starwood's software. Had this been elevated to executives facilitating the M&A, the risk could have been properly evaluated, ultimately delaying or canceling the deal.

Fast forward to 2018, and the recently reported breach was in Starwood's system, not Marriott's. Unfortunately, as the parent company, Marriott is still responsible in terms of damage control. Marriott could have the best security program in the world, but because it owns Starwood, there will be significant financial and reputation damage to the entire brand. Was Marriott so focused on the financial and business aspects of the acquisition of Starwood that it was willing to accept the risk? Did Starwood know about this issue but did nothing because it knew it was going to be acquired and didn't want to spend the money to fix the problem? Or did neither Marriott nor Starwood know about the issue? No matter what the truth is, the biggest losers here are the customers who have had their personally identifiable information (PII) compromised.

The Future of Security and M&A
The major takeaway is that organizations must have a vetting process for the security of the companies with whom they are acquiring or merging. This process is just as important as due diligence around financials or expanded brand presence. At a minimum, during the M&A process, companies should bring in a security team — whether it be a CISO, director of security, or other — to build out a repeatable security program, evaluate network security policies, and consider important factors such as the effectiveness of firewalls, endpoint protection, and other security tools. The acquirers should ask themselves, what are the homegrown, internally developed products, and how can those cause risk? Unfortunately, today, most acquirers simply turn their heads away from the problem because the profit margins seem greater than the risk.

The acquiring company now must do damage control on all fronts, even if it was something it didn't do. The Marriott breach may have been avoided if proper security policies and or practices around vetting potential risk were in place. Today, any company that processes PII data — regardless of the industry it is in — should consider itself a technology company, and, therefore, security should be at the forefront of boardroom discussions, not just during M&A but throughout the course of business. 

Related Content:

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx's top-notch vulnerability ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Milos Rex
50%
50%
Milos Rex,
User Rank: Apprentice
4/19/2019 | 3:18:04 PM
Compliments!
Interestingly enough, there is not much content about security matters related to mergers and acquisitions online, and yet it is one of the most important things to pay attention to. The only other place where I found articles that cover key questions related to M&A is dealroom.net Thank you very much for this article!
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.