ARTICLE | July 19, 2022
Authored by RSM US LLP
Bridging the gap in cybersecurity and M&A
Cybersecurity gaps can be dangerous for companies focused on growth and M&A
Cybersecurity vulnerabilities can threaten businesses of all sizes, but for middle market firms busy with growth and mergers and acquisitions, these lapses can be especially dangerous.
RSM advisors recently spoke with the Association for Corporate Growth to discuss ways cybersecurity has changed since the start of the pandemic and how the middle market can protect itself from the cyber risks facing businesses today. Topics included the intersection of cybersecurity and M&A, why threat actors are targeting companies undergoing an acquisition, and what buyers can do after a transaction to ensure they have the right cybersecurity infrastructure in place.
This interview has been edited for clarity and length.
Q: Since the start of the pandemic, which developments have had the biggest impact on cybersecurity for midsize businesses?
A: The biggest impact was the sudden shift to the cloud. The demands of everybody going remote meant moving to the cloud pretty rapidly. A lot of times, because there wasn’t the opportunity to properly look at what that looks like, put in the secure architecture, and take the time to properly build an infrastructure, infrastructure and security ended up being an afterthought because of the need to continue with business operations.
That was March 2020. As we closed out 2021 and began 2022, we saw that impact, where some things were missed in that intense need to go remote. Did we have secure architecture in place? Did we completely secure our S3 buckets in AWS (Amazon Web Services)? Did we close the hole on all the different services?
The other thing was the so-called Great Resignation. We see a break in continuity of experienced professionals. If one person managed your IT infrastructure for 10 years and suddenly they leave, that’s an incredible gap to fill—and that’s what we saw across the board, across all industries.
We also saw the desperate need for more IT professionals, cybersecurity professionals and experienced professionals to deal with the sudden transition to the cloud. There just aren’t that many out there. We’ve had that gap in the talent pipeline in the cybersecurity industry for many, many years now.
Everybody’s being affected by the rise in threat actors taking advantage of lack of infrastructure or aging or older infrastructure, insecure infrastructure, and the lack of people. We see ransomware attacks up 400% over the last year. All of this is converging in a perfect storm, where the last two years have kept us very busy in the cybersecurity field.
In addition, 2021 concluded with one of the largest vulnerabilities in history, affecting just about every application on the internet and keeping incident responders very, very busy.
Q: How are companies tracking threats and keeping an eye on the security infrastructure when they may not have the right roles filled at this time?
A: We’ve seen the rise of third-party vendors and managed service providers like RSM—our own RSM Defense launched this year. You have what’s considered a managed SOC—a managed security operations center—and a dedicated team of incident responders who are monitoring when these alerts come in and say, are we suddenly having a denial-of-service attack on our firewall?
That frees up your internal personnel if you don’t have enough people if you’re a smaller business. Again, if you just can’t have the talent, outsource it. Managed service providers have enough people with visibility—they have a larger team and can keep their eye on the ball. With this increased depth of capabilities, many companies are shifting to managed services, sometimes called an MSSP (managed security service provider).
That has been one of the biggest things that have helped a lot of businesses from 2020 and 2021. And it’s likely to continue through the remainder of 2022 as cybersecurity becomes critical to business operations.
Q: What impact have some of the challenges related to renewed ransom attacks, the Great Resignation, and the talent shortage had on mergers and acquisitions?
A: Interestingly, the SEC and the FBI issued an alert last year, around October, that threat actors are specifically targeting SPACs, IPOs, mergers and acquisitions, and any companies in the final stages of either going public or being acquired. They want financial data. They want to influence the stock price. They want to influence the purchase price.
Private equity companies are now very concerned about not only whether a company they take on or acquire can generate revenue, but will they be a cybersecurity risk? Will the company suffer a potential breach or ransomware attack before an acquisition takes place? Because then the private equity company will have to handle the aftermath and the cleanup, and that’s very costly. This is one of the biggest shifts when it comes to venture capital, private equity, mergers, and acquisitions: Cybersecurity has taken a very significant role alongside all the other factors.
The SEC added cybersecurity to its requirements for companies going public. In preparation for an IPO or for acquisition, from the cybersecurity standpoint, are you prepared to meet all the regulations? Are you prepared to go public with your current infrastructure? And how secure is it right now?
Q: What are some things the buyer should do to optimize the asset they just bought? What should they focus on from a cyber perspective?
A: Companies should do an overall security assessment. A simple gap analysis can show where a company stands. The biggest thing is continuity—we call it business continuity in the cybersecurity industry.
If you have an acquisition where an IT person has been there for 10 years, maybe they’re not happy about this new purchase. If they leave, that’s a big deal. So focus on your people and identify the key individuals for infrastructure, cybersecurity, and technology, and what you can do to make sure either they stay or you have a proper transfer of knowledge and can replace those individuals.
Right before a merger, acquisition, or IPO, and then right after, are some of the most critical times. That’s where companies are most vulnerable—that high-stress-anxiety transition time. Companies on both sides should absolutely do what they can to try to make their people feel comfortable.
The lack of transparency in transactions can leave people wondering, do I have a job? What’s going on? What does the new company want? The situation could cause a lot of distress. So making sure that your people feel comfortable and like they have a place in the new environment is very important.
You also don’t want to drop the ball when it comes to maintaining infrastructure patching, getting eyes on your assets, incident response, etc. Don’t let your guard down. You may find that the company didn’t have all the resources they stated or maybe they didn’t have a cybersecurity program—that’s where that gap analysis can come into play. You can identify vulnerabilities and start to fill in those gaps, protect the perimeter of the company, and make sure you have protection.
Q: How can companies get an organization on board with cybersecurity priorities and build a culture around cybersecurity?
A: That is the million-dollar question—something the entire cybersecurity industry, frankly, struggles with. It comes from the top down. Leadership has to really care about and understand cybersecurity. They have to make it a priority. Cybersecurity shouldn’t be an afterthought.
Compliance is a great way to start. However, that only looks at certain aspects. So, for instance, with PCI (the payment card industry), only the assets that are in scope for PCI are looked at. Well, what about your other assets? They’re still vulnerable. You need to look at the entire picture.
Companies must make sure that the executive board and everybody at the top are aligned when it comes to cybersecurity, and understand the need for it. That also means good communication from IT infrastructure, and from cybersecurity to the executive board—making sure that those conversations are happening. Metrics and reporting can go a long way in trying to translate some of these complicated issues from cybersecurity.
Cybersecurity resources are often considered the no-fun police, but we have to explain why we are doing this—what is the purpose of these phishing exercises that may seem tedious? What’s the purpose of taking away local admin access from developers? Why are we making lives more challenging? That’s where companies must have that clear and transparent communication and metrics.
Reporting can really go a long way and demonstrate the value of your security team. Here are the threats we’re responding to. Here are the incidents we have been alerted to that we’ve prevented. Here’s the patch we’re putting in place. Here are the improvements we’re making to the business. This is how this is a good return on investment, in you investing in us, because here’s how we’re protecting the business.
Providing real-world examples is also important, to show similar companies—attacks and the fallout. Here’s the business loss. Here’s the revenue loss. We don’t want to have that happen to us. What do we do to make sure we’re protected against that? That can help drive the potential risks home to folks who are not technical.
Another big thing is that it’s getting really hard to get cybersecurity insurance. We have seen a drastic rise in premiums, and cybersecurity insurance companies are getting really strict about the requirements for coverage. They’re asking questions such as, do you have multifactor authentication everywhere? Do you have a vendor risk management program? Do you have a threat intel program? They’re getting down into the details, and they will verify that you have all this.
For example, one client had a recent attack and went to its insurance company for coverage, and the insurer went to verify that the company had antivirus software everywhere, as stated in its attestation. The insurer found one laptop without antivirus on it and denied coverage because of the wording that said the company had antivirus everywhere. It was an IT test laptop, but because it didn’t have antivirus on it, the company was denied coverage.
Those are the kinds of issues we’re seeing now. Many companies were dropped from their insurance because insurers got really stretched, especially after SolarWinds. Insurers are requiring due diligence, and will not offer coverage without a secure infrastructure. If you don’t do so-called reasonable security or due diligence, companies are not going to cover you. In fact, Barclays has now said they will not cover cybersecurity at all.
We’re going to continue to see this issue going forward, and it’s going to get stricter and a lot harder to obtain coverage. That’s unfortunate for the middle market, because the premiums are getting very high. If the price of the premium outweighs the return on investment on the coverage, we may see more companies go without cyber insurance in 2022 and beyond.
Q: Are companies allocating more dollars toward cybersecurity to qualify for insurance or to protect against potential threats?
A: Statistically, no. On average, the cybersecurity budget is still, at most, 8% of the IT budget. And already we know that the IT budget is not as big as it should be. So that’s still an issue, and still the trend across all industries and all companies.
The bigger companies have finally separated out cybersecurity, where it might have its own budget and IT has its own budget. The better way to handle things is to dedicate specific resources, because often when you carve a budget out of another budget, it can breed resentment.
For a cybersecurity engineer, IT counterparts should be partners. They’re going to help with the patching; they’re going to help maintain that infrastructure. So, it shouldn’t be a fight for resources between the two. Instead, it should be a totally separate budget.
But we’re still not seeing that drastic increase in budget and that prioritization. Cybersecurity is still considered a cost center rather than a critical piece to the business. However, once companies bridge that gap between the nontechnical executive board and your technology folks, we’re going to start to see some good improvements and see cybersecurity and IT Infrastructure as an investment, not necessarily a sunk cost.
That’s where things need to change. And that’s why cybersecurity needs to be pervasive throughout the company. You need to have a culture of cybersecurity, and that needs to come from the top.
Q: Are there any differences across industries in the attitudes toward cyber?
A: To an extent. Those differences are often driven by compliance requirements. For example, the government sector is very much driven by a multitude of compliance regulations and adherence to different standards. The government will literally not do business with you unless you adhere to its requirements. And government contracts can be particularly lucrative.
Other than that, in private industry or when it comes to issues with privacy, the fines are not creating a good enough incentive to drive changes. Compliance does help; it does absolutely have a role. Being a part of that does drive security to an extent. The government and the financial industry are probably the two of the strictest, followed by health care. Health care with HIPAA (the Health Insurance Portability and Accountability Act) and the financial industry with SOCs (security operations centers), PCI, SOC 2, etc., are directly tied to very strict compliance regulations. Standards are typically not as strict in other industries. And it all depends on the data companies are gathering.
Q: What cybersecurity trends that will really impact businesses over the rest of the year should investors or operators be aware of?
A: The cloud will continue to reign king as more and more companies shift there from on-premises data centers. The cloud is ending up being cheaper for companies, and it’s easier to maintain. We’re continuing to see the absolute need for application security as more and more companies are going to SaaS—software as a service.
We’re also going to continue to see this great shortage of cybersecurity people—specifically, experienced cybersecurity people—likely for a couple of years. Add to that the significant rise of threat actors, ransomware attacks, and massive critical portabilities that hit over the last two years, and we’re likely in for a rocky remainder of the year.
Hopefully, companies can take the lessons learned and everything we’ve seen in the last two years and finally be on board with making critical investments—updating aging and older IT infrastructure, investing in cybersecurity and starting to care about these things.
This article was written by RSM US LLP and originally appeared on 2022-07-19.
2022 RSM US LLP. All rights reserved.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.