Catch Them if You Can… Cyber Diligence in Private Equity

Cybercrime may feel new, but human nature is timeless. Alarmingly, the FBI has reported a 300% increase in cybercrime since the outbreak of COVID-19[1]. Fraud, theft, deception, infiltration, ransom... despite innovation, at its core, cyber is a people problem, not just a technology problem. To understand cybersecurity, you must think like a criminal. In the film “Catch Me if You Can” the main character, Frank Abagnale, seems to share the same opinion. Whether Frank actually committed all the fraudulent schemes he claimed remains open to debate. But one maxim pointed out by Abagnale remains true regarding brazen exploits: “every breach occurs because somebody in that company did something that they weren’t supposed to do, or somebody in that company failed to do something they were supposed to do.”[2] Indeed, with respect to cyber incidents, four out of five breaches occur via an employee. One of the most common tactics includes social engineering which exploits human vulnerabilities.

Traditionally, during the due diligence process, private equity (PE) professionals focused primarily on the growth potential of the target. This emphasis is obvious. But there is a new variable that needs to be considered in valuation: the impact of an undisclosed cyber breach. The deal team is constrained by three interrelated limitations when it comes to assessing cyber risk for a target:  a lack of time, information asymmetry, and skill set. And on top of that, according to IBM’s "Cost of a Data Breach Report", the 2020 average cost of a data breach in the United States is approximately $8.64 million.[3] The following cases regarding the Marriott and Yahoo transactions will highlight that Private Equity firms will increasingly need to integrate targeted cybersecurity assessments which may discover flaws or issues, not exploited but present. Thus, avoiding  “buying the breach” resulting in net value destruction for the acquirer. Both the PE and cybersecurity space move at an incredibly rapid pace, increasing the pressure on deal teams in the near future... 

In 2016, hospitality giant Marriott acquired Starwood Hotels, a high-profile merger that symbolized rapid growth in the travel industry. Two years later, disaster struck: it was discovered that over 500 million sensitive customer records had been stolen from the Starwood Hotels’ legacy database during the past four years, a time encompassing both the pre-merger and post-merger period (!). A public relations disaster ensued, leading to reputational damage and a $130 million (£99 million) fine from a UK court. It later became clear that Starwood acknowledged that its systems possessed significant security flaws well before the merger occurred, taking little action to remediate deficiencies during that time.[4]

Verizon’s acquisition of Yahoo for $4.48 billion also highlights the need for targeted cyber assessments in transactions. The deal almost fell through over two data-breach events that came to light in the midst of negotiations. In the first breach, a hacker stole the personal data of at least 500 million users, including some unencrypted passwords and answers to security questions. Later, it was believed that the hackers were allegedly aligned with Russian intelligence. This hack was accompanied by the discovery of a larger hack that occurred a year earlier and affected 1 billion Yahoo users. The full impact of these breaches came to light in 2016 when Yahoo submitted a filing with the Securities and Exchange Commission (SEC). Verizon still believed that the deal was a strategic move, despite the growing cybersecurity concerns. They lowered their initial price by $350 million due to Yahoo’s reduced valuation, closing at $4.48 billion. To cover breach-related costs, the agreement was revised to state that Yahoo would pay half of government investigation costs and fully absorb shareholder lawsuits and SEC investigations due to their lack of cyber insurance.[5]

Indicators of Compromise: If Marriott and Verizon had integrated a targeted cyber assessment in the due diligence process, they may have identified the Indicators of Compromise (IoC) in Starwood’s or Yahoo's systems. An IoC is an object or activity that, when detected on a network or device, indicates a high probability of unauthorized access (i.e. malicious activity). 

An IoC is a leading indicator of a potential breach in which a deal team could present management with 3 options: 

1. Terminate the transaction;
2. Delay the transaction to conduct further analysis; or
3. Reduce the acquisition price and/or rewrite the contract to compensate for any remediation, fines, or other costs. 

Therefore, a cybersecurity due diligence team needs to integrate a rapid targeted assessment of the target to determine key vulnerabilities and search for IoCs.

One of the key challenges for a deal team is to obtain, assess, and analyze the right information in order to develop a theory and a comprehensive detection strategy under time pressure. Therefore, PE teams should consider the following approach:

1. “Crown Jewels”: Identify The Most Sensitive Data and Critical Systems. The team should understand what assets are most valuable to the target, and therefore to malicious actors. Assets may include: sensitive data (e.g., PII, PHI, customer lists, etc.), trade secrets, schematics, prototypes, R&D, proprietary models and tools, critical systems, etc. It is critical to have a fully transparent view of the target company’s data in order to thoroughly assess the risk. The cyber team needs to understand how well these assets are protected, from segmentation on the network to encryption strength to the use of multi-factor authentication (MFA) as a part of Identity and Access Management (IAM)
2. Current State: Review Existing Cybersecurity Assessments and Audits. Cybersecurity assessments and audits, whether internal or external, offer valuable insight for the deal team to quickly understand the target company’s risk profile. If breach information is publicly available, then the team needs to determine whether remediation and enhanced security posture has been successful. On the other hand, the deal team needs visibility into undisclosed breaches, especially if these incidents could have a material impact on the deal. A company’s lack of a comprehensive data security program containing routine risk assessments, or repeat issues identified by audit, should raise red flags during the cyber due diligence process.
3. Pursue: Develop a Theory and Test it through a “Flash Audit”. Once the “crown jewels” have been identified (A) and the review of the current state is complete (B), the deal team now develops a theory about what threats and vulnerabilities the target is exposed to. The theory allows the team to deploy a targeted scan of systems using a bot to search out either known vulnerabilities or to search for IoCs. The bot can perform a Flash Audit of any IT Asset inventory to assess an organization’s cyber vulnerabilities providing an actionable summary of the security status, over a specific scope and timeframe. Flash Audits are well-suited for PE transactions since they are highly automated and require minimal resources.

Identifying a breach before executing a transaction is difficult, but well worth the effort given the adverse impact of “buying a breach.” Even if the cyber team does not find IoCs or a breach, they may nevertheless realize that certain areas require further investigation. If significant vulnerabilities are discovered during the due diligence process, companies can adjust their acquisition strategy and pricing. 

To learn more how Sia Partners can help you enhance transaction due diligence by deploying a cyberbot Flash Audit, please refer to our solution summary below. 

Sia Partners Data Science and Cyber Security experts have developed a light and fast solution that does not require any agent installation but uses existing inventory. Indeed, VM-Cyberbot can perform a Flash Audit of any IT Asset inventory to assess an organization's cyber vulnerabilities providing a complete and actionable summary of security status, over a specific scope and timeframe. 

More concretely, the audit relies on pre-calibrated fuzzy matching algorithms that will analyze an already existing IT asset inventory even with poor data quality and identify the existing vulnerabilities in real-time – collected through our Web Scraping technologies. VM-Cyberbot produces a global report immediately. Our Cyber professionals use these results to define an overall level of risk in order to make recommendations. 

Flash Audits are highly automated and require minimal resources. The transaction team simply needs to provide access to the IT asset inventory of the company.  Crucially, the audit does not require access to the company assets or any other confidential information. Depending on the number of assets, it takes just a few days for Sia Partners experts to check the inventory, run the model, and produce the results.

[1] https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic

[2] https://www.information-age.com/criminal-frank-abagnale-jr-123483861/

[3] https://www.ibm.com/security/data-breach

[4] https://news.marriott.com/news/2018/11/30/marriott-announces-starwood-guest-reservation-database-security-incident

[5] https://www.washingtonpost.com/news/the-switch/wp/2017/06/13/its-official-verizon-finally-buys-yahoo/