Let’s Create a New Standard for Cyber Due Diligence
M&A Cybersecurity Concerns
Recently, I was in a meeting with a friend who’s a top Corporate Attorney here in town. He was lamenting a recent sizable Mergers and Acquisitions (M&A) deal that left a bad taste with the buyer. Following the transaction’s closing, the buyer uncovered a host of significant IT security concerns, one of which turned out to be remnants of a prior intrusion. So, the buyer’s legal counsel went back to the Purchase Agreement to see what warranties were made by the seller and whether any remedies were available. It turns out the seller had no “actual knowledge” of a problem because they never looked. The buyer never looked either because the seller wouldn’t cooperate. That meant a dispute and likely litigation. There’s got to be a better way.
Way back when…
In a prior life, I was a commercial real estate lender. I know, I’m mostly recovered now, thank you. Back in the day, the environmental clean-up movement was in high gear. The impacts of liability arising from CERCLA (think “Superfund”) were reverberating down the halls of all real estate developers and lenders. If you entered the title chain of a contaminated property, you were potentially liable for a massively expensive clean-up of something you didn’t even do. What came to bear was a new method for conducting due diligence—an Environmental Site Assessment or ESA. A Phase I ESA conducted by an environmental professional (engineer) consisted of a site study and review of current and historical records, adjacent land uses, public agency records, aerial photographs, and interviews with knowledgeable people. If something of concern like suspected soil contamination was noted, a Phase II study would be required. A Phase II study consisted of more intensive study, testing, and analysis to get to the details of the suspected hazard. A Phase III ESA, if needed, would get to the remediation plans, alternate methods for containment, logistics, how the cleanup was done, and outlined the process for follow-up monitoring. That progression of environmental due diligence has been successfully used since the 1980s. Today every transaction has at least a Phase I ESA as part of the process.
A new way forward…
We can use this example as an analogue for a new and improved cyber due diligence process. Let’s even borrow their “ESA” acronym for our Enterprise Security Assessment.
So, in this context, a Phase I ESA might encompass a comparison with a recognized regulatory or industry-accepted security framework (such as NIST or CIS-CSC). The purpose is to find gaps, prove levels of maturity, and supply an industry benchmark comparison of the target organization. An independent security professional or security engineer would perform the Phase I ESA. Phase I might also look at the Dark Web for compromised credentials or stolen data, examine select logs, look for signs of existing vulnerabilities, analyze the external attack surface, and scan threat intelligence sources.
If something of concern appears, a major gap is exposed, or a significant variance from similarly situated organizations is identified, you can move on to a Phase II study with independent data collection, analysis and testing, controls validation, and an expert threat hunt to look for malicious activity as well. If the suspected problem is verified, you can move into a Phase III ESA to remediate the threat and/or close the gap. Follow with monitoring to ensure the situation is adequately resolved and confirm that no advanced persistent threats remain.
The cooperation between the parties is enhanced by a predictable independent process conducted under the supervision of Counsel. It’s not a fishing expedition but a defined, repeatable process. This flexible, extensible due diligence process for cyber makes much more sense than the current ad hoc model and will result in less regret across the board.
Less regret equals happier clients.