Hacker with computers in dark room

How to keep cybercriminals out of your divestiture


Corporate deals are where the money is, for cybercriminals. But companies can protect themselves and the deal.


In brief

  • Divestiture deals have become a magnet for cyber attackers who take advantage of disrupted routines and distracted employees to launch attacks.
  • Risks affect both the divesting organization and the entity being sold or spun off and are present in all phases of the deal cycle.
  • Cyber-savvy leaders who implement a defensive strategy throughout the deal can greatly limit the organization’s risk exposure.

Most executives with a divestiture on their minds probably don’t automatically associate deals with breaches and ransomware attacks. But cybercriminals do.

While deal teams are thinking about preparing and executing the deal, bad actors are watching the headlines for opportunities to launch attacks while the stakes are high and executives’ backs are turned. Monetarily, the company is an attractive target because the impending deal has greatly increased the cost of the possible release of nonpublic information.

Ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections

The FBI has taken note of a recent explosion in ransomware attacks, issuing a warning in November 2021 that attackers are using “significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections.”¹ Likewise, the EY-Parthenon dedicated transaction cybersecurity team has witnessed increasing cyber attacks on companies doing deals, including cases that were very costly for the victims.

 

The potential damage is similar to the risks normally associated with cyber attacks — loss of protected information and data, exposure of trade secrets, legal judgments, fines and impact on customers. Financial losses can pale compared to reputational damage. And now, the stakes are far higher because there’s also a deal at risk.

 

For example, a $650 million acquisition by an airline of an aerospace component supplier fell apart in 2019 partly due to a ransomware attack that forced temporary factory closures at the target company. The supplier was acquired by a different company two years later.²

 

Fortunately, organizations can substantially reduce their exposure by guarding cybersecurity throughout the planning and execution of the transaction. Below, we explain two types of risks — transaction and counterparty risk — as well as the different phases of the transaction where these risks are likely to occur.

 

Transaction risk and counterparty risk

 

A pending deal creates vulnerabilities for hackers to exploit.

Transaction risk results from a change in management and employee behavior in the parent organization following the announcement of a deal. Management becomes focused on completing the transaction and separation, and employees with transition tasks or uncertainty on their minds are more likely to let their guard down and fall victim to a phishing attack or other ruse. The EY-Parthenon team has conducted transaction-related phishing campaigns with clients that show employees are 50% more likely to click on a phony email after a company has announced that a deal is underway. Some employees may also become insider threats as they consider taking proprietary information to their next employer or may even commit destructive acts in “protest.”

Counterparty risk arises after the sale and transition processes are underway with the buyer. It is the result of inadequate deal planning, when a party in the deal is not prepared to implement cybersecurity, governance, compliance and strategy as agreed to meet day one requirements. This can mean they are not ready to exit the transaction services agreement on time, resulting in insufficient controls, additional costs and delays, or even jeopardizing completion of the deal. If the buyer team is not experienced with cybersecurity, the process can also expose the seller to additional risk while the entities are still connected to shared technology assets.

Risks in all phases of the deal

Deal-related cyber risks, which exist for both the divesting company and the entity being sold, can be segmented by major phases in the deal cycle.

  • Diligence phase: in the diligence phase, the deal itself is at transactional risk due to the possible exposure of data, privacy security weaknesses and resulting reputational damage. The seller can make sure they have controls in place to protect against potential breaches, ransomware attacks, insider threats, and other security and data privacy concerns.
  • Sign-to-close phase: in the sign-to-close phase, risks arise if CISOs and the cybersecurity team are not engaged early enough to understand the transaction and develop appropriate plans and countermeasures. This is still largely related to transactional risk; however, counterparty risk may also begin to appear if the buyer is not prepared to implement cybersecurity measures due to insufficient experience or lack of staff.
  • Day one and beyond: from day one and beyond, counterparty risk is present as the new entity may find that project charters, budgets, governance or the deal PMO itself is not adequate to support the separation. A continuing need for network access to the seller — such as to migrate applications or data — may introduce new contractors and personnel to support the transaction, with an accompanying layer of third-party risk. If the seller underprices security services in the transition services agreement (TSA), this could lead to the buyer staying on the TSA too long, increasing the risk of breach. Sellers can guard against overcommitting or allowing unwarranted TSA extensions through ambiguity, for example, by explicitly naming services that are not included. A separate concern is the continuing risk of data loss due to a lack of clear data ownership or governance policies. These risks may affect the seller as well as the buyer, for example, if management does not understand that certain data is personal protected information and inadvertently allows it to leave the company.

Developing a proactive defense

Fortunately, a few key defensive measures can go a long way to making an attack less likely or to limiting the damage if an attack does occur. Companies can view the entire deal process through a cybersecurity lens, with early and continuing attention on preventative steps:

  • Cybersecurity operating model: companies may want to implement a cyber operating model that spans the deal cycle, identifying processes, controls and third parties as part of a strategic cybersecurity approach. It is important to have a third-party risk management process that covers sourcing, legal, risk and cybersecurity. Separation of third-party obligations is a significant undertaking and can be started as soon as possible. This process can begin in the diligence phase, with the seller analyzing the asset to be sold to understand potential risks during the sale.
  • Separation plan: a separation plan, as part of the TSA and day one readiness planning, is an important step in enacting security controls, architecture and contractual requirements to operate in a “semi-trusted” environment. Entangled systems may require continuing user and network access, causing ineffective separation on day one. Teams can work closely with business operations and HR to properly define roles and appropriate access permissions. As licenses may be affected by the transaction, teams can assess the security tools transferring with the assets to understand impacts to licensing contract requirements.
  • People and talent: companies may also engage with key talent early in the process to retain important skills, including cybersecurity expertise. It is essential to have strong change management and communications programs in place for the transition, including cybersecurity awareness training. Targeted phishing simulations help raise user awareness of threats. Cross-functional training and coordination exercises can be effective tools for promoting cybersecurity readiness. EY-Parthenon recommends a cross-functional workshop to help functional leaders understand vulnerabilities, dependencies and timelines that are part of the legal separation. Another useful tactic is a pre-day-one, multi-entity, incident response tabletop exercise that can clarify roles, protocols and escalation procedures across the organization to increase cyber readiness.
  • Data: to reduce security risks and the potential loss of data during a divestiture, organizations can establish a data governance model, framework and security review requirements. Leaders may need to have a clear view of data classification, governance and regulatory requirements in order to comply with data privacy regulations and also allow for continued, appropriate employee access.

Summary

For many companies pursuing a deal, the biggest step in defending against a cyber attack is to first recognize that the deal itself brings a greater likelihood of an attack. Companies that take sensible steps to embed a cybersecurity strategy throughout the deal cycle will be better positioned to avoid a problem and complete their deal successfully.



About this article

Authors


How EY-Parthenon can help

Cybersecurity due diligence in M&A and divestitures

Learn how EY teams can help you identify vulnerabilities, quantify cyber risks as they relate to the deal and manage mitigation or remediation of cybersecurity in M&A.

    Related Strategy and Divestitures articles

    The CIO Imperative: Is your technology moving fast enough to realize your ambitions?

    Data centricity can be an insight engine that unlocks operational, customer and market data value, according to EY’s 2022 Tech Horizon survey. Read more

    How can your digital investment strategy reach higher returns?

    The 2022 Digital Investment Index reveals that companies struggle with digital strategy and measuring returns on their technology investments. Read more.