Protecting your next investment: The importance of cybersecurity due diligence

Transcription

1 Protecting your next investment: The importance of cybersecurity due diligence Oct. 11, 2018 Baker Tilly Virchow Krause, LLP. All rights reserved. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

2 Agenda 01 Risks associated with weak cybersecurity 02 Cybersecurity assessment for an acquisition target 03 Managing cybersecurity post acquisitions 2 Baker Tilly Virchow Krause, LLP. All rights reserved.

3 Introduction Organizations continue to struggle preventing and defending against cybersecurity incidents > Average cost to recover from a data breach: $3.6M 1 > Malware and mobile devices continue to be among the leading culprits... Opportunities to increase safeguards and train employees on safer practices > Fines for HIPAA violations have real impact: up to $5.5M 1. AT&T Cybersecurity Report 3 Baker Tilly Virchow Krause, LLP. All rights reserved.

4 Risks associated with weak cybersecurity

5 Motivation for cyber crime The cyber crime triangle: An attacker must have opportunity/access: - Flaws in the security plan/network - Holes in software program - Physical proximity to network components If there is no opportunity to intrude, the would-be hacker will go elsewhere. An attacker must have a reason: - Financial = 76% - Espionage < 15% - Fun < 5% - Ideology < 3% Source Verizon 2019 Data Breach Investigation report MOTIVE To exploit the vulnerability an attacker must have: - Tools - Talent: 50% of attackers are members of organized crime 12% are nation-state affiliated actors 5 Baker Tilly Virchow Krause, LLP. All rights reserved.

6 Opportunity = attack surface Vulnerabilities Traditional weaknesses: Misconfigurations Insufficient input validation Incorrect permissions and etc. New generation attacks: Malware attacks on internet connected infrastructure Phishing attacks Ransomware Botnet attacks OPPORTUNITY Malware attack on Target Corporation s point of sale (POS) system estimated to be over $100 million USD. It showed that segmentation of internet connected devices from the important business applications is absolutely necessary. Phishing scams cost American businesses $500 million USD per year Wannacry infected over 200,000 computers across 150 countries and cost over $4 billion USD combined Example of costs Recent Botnet attack using Internet of Things devices cost $68 million USD in less than seven hours 6 Baker Tilly Virchow Krause, LLP. All rights reserved.

7 Occurrence Cyber risk landscape MAX Cyber Business Risks (In Priority Order) Healthcare Retail R1 Data Breach using POS R4 Human error R6 Web Application attacks R2 Social Engineering Scams R2 Social Engineering Scams R1 Data Breach using POS R3 Payment Card Skimmers R5 Phishing R8 Denial of Service R4 R5 Human error Phishing R7 Manufacturing Cyber espionage R3 Financial Payment Card Skimmers Min R6 R7 R8 Web Application attacks Cyber espionage Denial of Service R2 R5 Social Engineering Scams Phishing R2 R5 Social Engineering Scams Phishing Source Verizon 2019 Data Breach Investigation report 7 Baker Tilly Virchow Krause, LLP. All rights reserved.

8 Bad cybersecurity negatively impacts deal According to a 2016 NYSE and Veracode survey of public company directors: 85% 52% 22% said the discovery of major security vulnerabilities was either very likely or somewhat likely to affect an acquisition said a breach would significantly lower a target s valuation wouldn t consider acquiring a company that recently experienced a significant data breach Source: Cybersecurity in the Boardroom survey NYSE and Veracode: 8 Baker Tilly Virchow Krause, LLP. All rights reserved.

9 Case study Yahoo! Case: On July 23, 2016, Yahoo! and Verizon entered into a stock purchase agreement. Later it was revealed that since 2014, Yahoo! has been a victim of two data breaches. Original deal: Verizon was to pay $4.83 billion USD in cash Result: After cybersecurity incident, Yahoo!: a) reduced the price by $350 million USD b) Yahoo! is responsible for all liabilities arising from shareholder lawsuits and SEC investigations related to the two cyber incidents c) Yahoo! and Verizon are each responsible for 50 percent of any non-sec liabilities 9 Baker Tilly Virchow Krause, LLP. All rights reserved.

10 Case study Women s Health Care Group of PA Case: On July 18, 2017, WHCGPA announced they had been attacked and there was a possible breach of ephi. Breach occurred during merger process with another regional health provider. Original deal: Private deal, no terms disclosed Result: Incident is under investigation by the Office of Civil Rights a) Potential for up to 300,000 compromised patient records b) Fine could be up to $1.5M Incident also required external specialists to complete forensic analysis 10 Baker Tilly Virchow Krause, LLP. All rights reserved.

11 Assessment of cybersecurity for an acquisition target

12 Assessment approach Cybersecurity due diligence may reveal deal-breakers. Issues identified may change a target s value or identify a need to establish security practices to prevent potential losses in the future. Assessment of cybersecurity risk management practices Reconnaissance Looking at information available outside the target Vulnerability assessment 12 Baker Tilly Virchow Krause, LLP. All rights reserved.

13 Assessment of cybersecurity risk management Risk-based approach to evaluate the four key components of cybersecurity: Utilizing one of the widely recognized industry frameworks for cybersecurity helps to: Process Understand the current cybersecurity risk profile in the organization Assess the design and effectiveness of the organization s cybersecurity program People Technology 13 Baker Tilly Virchow Krause, LLP. All rights reserved.

14 Looking at information available outside the target Reconnaissance objectives > Build an organizational profile and identify targets > Define the network footprint > Identify potential motivation > Identify generic vulnerabilities Passive reconnaissance Personnel reconnaissance Dark web Can tech debt and out-of-date systems be identified from the public internet? Is private or potentially targetable information about key personnel available? Is already-breached data from the company available 14 Baker Tilly Virchow Krause, LLP. All rights reserved.

15 Vulnerability assessment Objective Conduct network review and analysis to determine internal and external network vulnerabilities and risks Resilience Disaster recovery capability, security of back-ups and ability to restore key functions Services Security patch effectiveness and known vulnerabilities Access controls Multifactor authentication and segregation of duties Network Assessment Points of access VPNs, wireless access and modem connections 15 Baker Tilly Virchow Krause, LLP. All rights reserved.

16 Managing cybersecurity across the portfolio post acquisition

17 Barriers to security success In today s constantly changing cybersecurity landscape, it is difficult to find a single leader to meet a company s needs today and into the future. Attracting and retaining the right talent in a ultra-competitive cyber labor market. Keeping cyber leaders engaged is a challenge. Leadership Skill Set To be effective, a cyber program must have access to a wide range of specific skills. As the threat evolves, this skills portfolio must constantly adapt to meet the threat. Designing a long-term sustainable program within a company s budgetary constraints can be challenging. Cost Strategic vs. Tactical A world-class cyber program needs to dynamically address both strategic and tactical cybersecurity issues 17 Baker Tilly Virchow Krause, LLP. All rights reserved.

18 Sustainable cybersecurity services model Strategy and program management Virtual Chief Information Security Officer (vciso) > Flexible > Scalable > Sustainable > Resilient Detect Cybersecurity monitoring Incident response On-demand or retained Validate Integrated Security Testing 18 Baker Tilly Virchow Krause, LLP. All rights reserved.

19 Operations C-Suite BOD Strategy and program management Strategic cyber advisory Strategic VCISO The model is flexible enough to address both strategic and operational components of cybersecurity From the BOD to operations, Virtual CISO provides holistic security management Operational VCISO 19 Baker Tilly Virchow Krause, LLP. All rights reserved.

20 VCISO benefits Fractional resources Flexible Skill set, expertise, technology Scalable Meet spikes in demand 20 Baker Tilly Virchow Krause, LLP. All rights reserved.

21 Cybersecurity monitoring service CYBERSECURITY MONITORING Threat intelligence Updated rules System logs EXTERNAL (internet) Firewall INTERNAL (network) 21 Baker Tilly Virchow Krause, LLP. All rights reserved.

22 Cybersecurity monitoring benefits Visibility into your network Know what is happing Detect Quickly detect and drill down to root cause Block Stop malicious traffic and reduce exposure quickly Sustainable in the long run 22 Baker Tilly Virchow Krause, LLP. All rights reserved.

23 Incident response Retained > Guaranteed response time > Reduced rates > Compliance requirements > 24/7 Support 5 PREVENT 1 DISCOVER INCIDENT 2 RESPOND AND CONTAIN On Demand > Flexibility > Rapid response > Negotiable support > Pay for what you use 4 REMEDIATE 3 INVESTIGATE 23 Baker Tilly Virchow Krause, LLP. All rights reserved.

24 Incident response benefits Holistic approach Response, investigation, mitigation Flexible Retained and on demand models Threat intel / best practices sharing 24 Baker Tilly Virchow Krause, LLP. All rights reserved.

25 Integrated security testing After an acquisition, regular testing, awareness exercises, and reconnaissance offered by the Integrated Security offering would provide information on cyber risks of current portfolio and open discussion about future risk appetite Initial reconnaissance Network illumination Threat modeling Testing Build a profile of the organization. Identify worthy targets. Understand the network footprint, potential motivations and generic vulnerabilities. Identify network components leveraging covert and overt scanning techniques. Identify vulnerabilities existing in the current infrastructure configuration. Identify potential vectors of attack. Prioritize threat models based on ease of exploit and value of targets. Conduct a cyberattack simulation for high-risk threat models. Identify weaknesses and recommend security enhancements. 25 Baker Tilly Virchow Krause, LLP. All rights reserved.

26 Integrated security testing benefits Holistic approach Threat modeling Flexible Adjusts to current threats Identify weaknesses that need attention 26 Baker Tilly Virchow Krause, LLP. All rights reserved.

27 Key takeaways Cybersecurity risk can impact a deal Unexpected costs and fines could impact valuation Four top cybersecurity aspects to assess as part of due diligence 1. Existence and effectiveness of the cybersecurity management program 2. Richness of the target environment 3. Vulnerabilities in current architecture 4. Extent and significance of any known incidents Effective management of cybersecurity across the portfolio 1. Executive level oversight for strategy and operations 2. Detection capability 3. Incident response 4. Ongoing validation of safeguards 27 Baker Tilly Virchow Krause, LLP. All rights reserved.

28 Disclosure The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International Baker Tilly Virchow Krause, LLP. 28 Baker Tilly Virchow Krause, LLP. All rights reserved.