Information Security in Mergers & Acquisitions. Introduction.


Information Security in Mergers & Acquisitions

Introduction

Chris Conacher – BAE Systems; BAE Systems, Airbus; Intel Corporation; KPMG LLP; Black Hat Consulting

Key Learning Objectives
- Provide an understanding of critical Information Security risks within the Mergers & Acquisitions (M&A) process
- Provide an understanding of the need for Information Security in managing those risks
- Provide an approach that identifies key actions at various stages within the M&A process

General Learning Objectives
- Specific IS risks as they relate to M&A:
  - Risk to your and the target organizations
  - Risk in relation to phases of the M&A process
- Role of IS in managing risks:
  - Preparation and development required
  - Key questions IS should answer
  - Key actions at key stages of the M&A process
- The different Phases in the M&A process

Relevance
- Sudden Change: Profile, Threat Model, Form
- Sudden Impact: Resources
- Applies to: Mergers, Acquisitions, Spin Offs / Ventures / New Business Initiatives

Business Drivers
- Confidentiality
- Speed
- Business as usual
- Zero Impact
- Informed Business Decision on Risk

Risk

Threat in M&A
- Special Interest Groups – gain from M&A:
  - Financial Criminals
  - Competitors
  - Acquisition / Merger Company
  - Disgruntled Employees
- General Interest Groups – gain from impact:
  - Everyone Else
  - Script Kiddies
  - Hackers / Crackers
  - Hacktivists
  - Terrorists
  - Spies
- Your interest gets attacker’s interest

Risk
- Publicity and Profile
- Known Target due to impact on: Resources, Technologies, Infrastructure
- Confusion
- Absorption of “Soft Target”
- Disgruntled Employees
- One of the few times an Organization is really “shaken up”

Risk to You
- Change in threat model
- Change in risk model
- Impacting resources
- Absorbing unknown
- Disgruntled employees
- Creating new attack vectors
- Creating window of opportunity
- Business drivers can force this upon you very quickly

Are you equipped for change?
- Major overnight change in Threat Model
- Multi-site / Global
- Foreign Nationals
- Different technologies
- Different skill requirements
- Upgrade of data classification
- Ownership of intellectual property
- Ownership of controlled technologies
- Significant change in number of employees
- Legislative liabilities: GLB, HIPAA, CA customers, etc.
- Do you know about the change?

Risk to Acquisition
- Change in threat model
- Change in risk model
- Impacting resources
- Absorbing unknown
- Disgruntled employees
- Creating new attack vectors
- Creating window of opportunity
- Business drivers can force this upon them very quickly
- Are they equipped for change?
- Your interest gets Attacker’s interest!

Decisions Impacting Security
- Integration approach
- Absorption
  - Complete – protection against external threat
  - Zero – protection against internal threat
- Access
- Centralizing systems
- Integration deadlines
- Integrating custom applications
- Integrating new technologies
- Anything that annoys employees
- Re-Location

Importance of Confidentiality
- Premature Disclosure of Intent
  - Loss of Key employees
  - Bidding wars
  - SEC Liability
  - Loss of Initiative
- Loss of Goodwill
  - Target Company
  - 3rd Parties relationships
  - Customer relationships

Importance of Availability
- Loss of Goodwill
- Loss of Reputation
  - Customers
  - 3rd Parties
  - Employees

Risk Management

Role of InfoSec in M&A
- Allow informed business decisions
  - Risk & Risk Management
  - Target Company value / cost / impact
- Protect Acquisition process confidentiality
- Protect your Organization from
  - External threat using process impact
  - Internal Target Company threat
- Protect Target Company from
  - External threat using process impact
  - Internal Target Company threat
- Protect Target Company assets
- Enable secure integration
  - Minimize cultural impact
  - Long Term security

InfoSec – Negative Impact
- Problems
  - Time
  - Cost
  - Scares / Annoys Employees
  - Feared Cultural Impact
- Solutions
  - Preparation
  - Early Involvement
  - Clear distinction between Long & Short term solutions
  - Costs may be tax write-off
  - Education

InfoSec – Positive Impact
- Protects your negotiation position
- Protects liability (SEC)
- Protects what you are buying
- Additional skill-set in Due Diligence
  - Liability – Legal
  - Infrastructure cost – IT, Facilities
  - Risk – Information Security
- Information Asset Confidentiality / Integrity
- Audit depth – Skeletons
- 3rd party involvement
- Assess additional long term costs

Basic Security Strategies
- Current backups of all critical data, verified before sign-off
- Sanitize the environment
- Treat target company as 3rd party
- Separate and secure all critical data
- Separate and secure all critical systems
- Migrate custom applications to COTS
- Identify key employees
- Mitigate risk through contracts
- Contract short term staff

Non-Compete Agreements
- 10 year
- Date of leaving
- Identify key individuals and require them to sign on the spot – make it a deal breaker
- Sign up whole family if necessary
- Make employee non-competes under the laws of a state that will enforce them

Policies
- Safeguards against Disgruntled Employees
- New employee contracts
  - Are your policies relevant?
  - Are you ‘dumbing down’ their security?
- Existing employee contracts
  - Do they protect you?
  - Do they meet the new relationship?
- Identify key policies – yours / theirs
- Work with legal

6 Phase Approach
1. Pre-Target
2. Target
3. Due Diligence
4. Sign-Off
5. Integration
6. Post Integration

Phases & Threats (threat profile rises from Low to High across the phases)
- Phase: Pre-Target → Target → Due Diligence → Sign-Off → Integration → Post-Integration
- Threat: Criminals, Competitors → adds Acquisition → adds Disgruntled Employees → adds Everyone Else
- Asset: Yours → Yours/Theirs
- Attack (C/I/A): C, C, C, C, I, A

Pre-Target Phase
- Develop support for InfoSec’s involvement
- Secure your environment
- Educate M&A team regarding risks
- Secure M&A processes, systems and data
- Provide specific tools & training
- Develop key policies
  - Acceptable use
- Discuss integration solutions with IT
- Define roles and responsibilities within M&A project team
- Develop communications processes
- Foreign nations impact
  - Infrastructure difficulties
  - Communications
  - Restricted Technologies
- Be ready to roll

Information Security Toolkit
- Audit Baselines
- Security Awareness training materials
  - What, why, who and how
- Fundamental security mechanisms
  - Password distribution
- Bolt in technological solutions
  - Secure server
  - Firewall
  - Anti-Virus
- Physical security solutions
- Cryptographic solutions
- Replacement COTS

Target Phase
- Understand the Business
- Modify toolkit
- Modify solutions
- Communicate potential areas of risk
- Special considerations

Due Diligence Phase
- Determine location of Key Assets
  - Porous Perimeter
  - Laptops, home workers, 3rd parties
- Determine security of Key Assets
- Determine perimeter
- Identify key processes, systems and assets
- Identify Key Employees
- Determine Employee terminations
- Prioritise actions
- Report potential risks to senior executives
- Detailed audits can be disguised
- Agreement on baselines allowing integration

InfoSec should determine
- The risk to your Organization
- Confidentiality, Integrity and Availability of the target Assets
- Major risks to the target Assets
- Methods for short term protection
- Methods for long term protection
- Financial cost
- Resource cost
- Relevance of existing safeguards
- Applicability of policies

Sign-Off
- Secure key processes, systems, assets
  - Back-Ups
  - Secure server
  - Firewall
  - Anti-Virus
  - Patches / Updates
  - Internet facing systems
- Employee contracts
  - Non-Compete Agreements

Integration
- Secure project team deployment
- Intra-Company communication defined
- Deploy security training
- Sanitizing the environment
  - Applying security patches
  - Viruses, Trojans, Backdoors, Insecure code
- Migrate applications
- Migrate data
- Short term safeguards
  - Policies
  - Secure server
- Integrate when ready

Securing the Project Team
- Education
- Physical Security – On acquisition site
  - Controlled access – Equipment, files
  - Personal printer, fax, phone
- Logical Security
  - VPN
  - Dial-Up – Care using Target network
  - Encryption – Network, , Disk
  - Secured laptops
- Voice Communication
  - Use Cell Phones

Post-Integration
- Prioritise
  - Assets
  - Systems
  - Processes
- Complete Audits
- Analysis
- Safeguard deployment

Summary
- Develop InfoSec involvement
- Understand the Threat
- Be ready to go
- Understand Phase implications
- Inform Organization of specific risks
- Identify & Secure key processes
- Identify & Secure key property
- Distinguish Long & Short term solutions
- Develop drop in solutions
- Avoid Cultural impact
- Avoid Business impact

Questions?

Black Hat contacts
- Chris Conacher – Black Hat Consulting
- Jeff Moss – President & Founder
- Michael Bednarcyk – CEO, Black Hat Consulting
- General Information
- Fax: