Ransomware attacks will continue to increase against critical infrastructure companies because the ransomware business model is too profitable to go away anytime soon. It fits within a disruptive hybrid war framework, which is why ransomware gangs often receive air cover from nation states.
In the past year, we've seen a 437% increase in ransomware attacks, with many of those breaches occurring after a merger or acquisition announcement. Ransomware groups target private equity portfolio companies in the middle of acquisition activity for the same reason people rob banks: it's where the money is. Cyber criminals recognize that private equity firms have more resources to pay up compared to a smaller stand-alone organization without a strong balance sheet. Typical ransomware attacks can cost tens of millions of dollars for a larger firm due to ransom demands, loss of revenue, legal fees, incident response costs, hardware/software replacement, and increased cyber insurance premiums.
M&A also creates a period of transition, where new ownership and leadership teams are coming into or out of their roles. This transitional phase presents a perfect opportunity for cybercriminals to attack.
Be aware that cyber attackers are sophisticated in their use of publicly available information and may be tracking M&A activity along with the types of cyber defense a target acquisition has in place. These days it’s simple to profile via the Internet how many information security people are on staff, what tech stacks and tools a company has in place, and what stresses on the business make it an easy target.
The goals of an attacker may include intellectual property theft, ransom demands, or physical destruction of property if an attack targets operational technology (OT) systems. In an attack on an OT system, they could potentially tamper with a physical process, as we saw in the Florida water facility attack, or disable safety systems, as we saw in the TRITON/TRISIS attack or Russia’s attack on the Ukrainian power grid.
Company owners, CEOs, and boards of directors are also now being held responsible for a lack of security oversight following a breach. Here’s what you can do to ensure cybersecurity controls are in place before a merger, target acquisition, or divestiture:
1. Evaluate cyber-risk as part of your due diligence process.
This should be a requirement for any company looking at a target acquisition — to evaluate cybersecurity maturity levels, incremental risks, and external cyber liabilities within a target portfolio company before finalizing and announcing the M&A. Acquirers should ask the following questions:
Having a cyber due diligence process will help determine if any significant gaps need to be remediated before proceeding.
2. Create an incident response plan.
If you are compromised, knowing priorities ahead of time lets responders get through the recovery process faster and with less impact than if they need to spend the first 24-72 hours figuring out what needs to be done. Create a checklist of who is responsible for which functions. Often, the simple act of communication is missed during an incident, which can lead to additional spread of malware.
Having asset and network details for critical systems is another important piece of the response plan. In a crisis, you won't have the time to determine whether you can fall back to estimated billing when you lose your real-time data. The middle of an emergency is not the ideal time to decide whether you can continue to operate with one system or another unavailable.
3. Don't present the acquisition as a soft target.
Beefing up your company’s security profile is the equivalent of putting a security company sign in your front yard to signal you have an alarm system. If it appears there is no infosec function and limited cybersecurity investments, the company may be that soft target cybercriminals are seeking. If possible, have all cyber defenses in place before going public with your merger announcement. That press release may feel good, but if cybersecurity levels are substandard, it might be best to hold off until the prospective acquisition has strengthened its defenses.
Here's the bottom line. During your due diligence process, if you find that a target acquisition has made insufficient investment in cybersecurity or does not have a documented incident response plan, you may want to hold off on finalizing the deal until you can determine what resources are required to mitigate cyber-risk inside the company — and build that into your negotiations.
Evaluating cyber risk as part of the standard due diligence process is now a requirement for private equity firms with critical infrastructure portfolios. Industrial Defender’s M&A Cyber Diligence Service enables private equity firms to identify potential cybersecurity risks in a target acquisition that would have material impact on the deal structure. Our service rapidly evaluates cybersecurity maturity levels, incremental risks and external cyber liabilities within a target acquisition through self-reporting and third-party verification services. Industrial Defender can also provide more in-depth evaluations pre- or post-acquisition.
To learn more about how you can put this into practice, check out this solution brief to see how our M&A Cyber Diligence service can help you quickly evaluate cyber risk as part of the standard due diligence process. We have also developed a cybersecurity ROI cost calculator based on real-world data on what a ransomware attack can cost a PE-backed firm. You can access the ROI calculator here.
You can also schedule time to chat with one of our cyber risk consultants here.