Cyber in M&A: Controlling Risk

When you are acquiring a company, what sort of steps should you take to limit cyber risk within your target?  What do the big boys do?

Lawyers always will insert warranties, representations and indemnities in acquisition agreements but, on the ground, what should a business do?  This issue was addressed at the September 27 ACG Boston breakfast, where Kevin Neifert, Raytheon’s CIO, described how Raytheon protects itself in its numerous acquisitions.

Statistically, smaller companies (prone to being acquisition targets) are also prone to cyber-attack; 58% of all cyber breaches last year occurred in the category of “small businesses,” according to the industry-valued Verizon Report.

Raytheon has a rigid M&A policy (not an IT policy).  IT gets involved at an early stage and doesn’t wait for the deal to become firm.  Further, Raytheon specifically admonishes its people not to tell an acquisition target that “we will leave you alone.”  In fact, Raytheon acquisitions will be entirely integrated, from a cyber-standpoint as well as an operational standpoint, according to a rigid 18-month policy requirement.  During the acquisition process, Raytheon will undertake a standard security check according to their own internal checklist.  What happens as soon as a deal closes?  Even before the press release, Raytheon descends on the executives of the target because, apparently, hackers believe that the best way to be able to infiltrate the acquirer is through the busy and unsuspecting executive level of the target.

What does cyber integration mean?  If there is any thought that hacking has occurred, key data will be extracted from the target equipment, and installed on Raytheon equipment and the target equipment will be jettisoned.  It means that all personal computers will be replaced.  It means that in-person training is given to all target employees, because most problems arise through email staff not dealing appropriately with email content.

What about the cloud?  It seems that Raytheon, and apparently other larger companies, are getting more and more comfortable in placing everything on the cloud.  Because of the scale of what appears on the cloud, the most robust and updated protections for data security will be constantly applied, and being in the cloud is just going to be safer than what any given single company is likely to be able to achieve.

Are not mobile devices the biggest risk?  The answer for Raytheon is “no” because by “mobile device management” it is possible to wipe clean the contents of cell phones and iPads.  The computers are the problem, and that is why all target computers are discarded upon acquisition.  (When travelling abroad, Raytheon people are given a clean PC with the data they need for their particular trip encrypted on a thumb drive; nothing is connected back to Raytheon.)

Great question from the floor: what are the two biggest vulnerabilities of smaller companies?  Answer: first, employees must be trained not to click through on any links because you cannot be sure who sent them, even if they appear to be internal; and second, take a look at the gear that is utilized within your company because most of it is likely accessed through the original default user name and password; apparently things like routers are given a user name that is “user name” and a password “password” as default settings and these devices need to be updated immediately.


Leave a Reply

Your email address will not be published. Required fields are marked *