New Security Assessment Practice Determines Readiness for Safe Integration and Identifies Cyber Risks to Consider During M&A Transactions
CrowdStrike Inc., a leader in cloud-delivered next-generation endpoint protection, threat intelligence and incident response services, announced today that it is offering a new cyber risk assessment program aimed at businesses that conduct mergers and acquisitions (M&A). The CrowdStrike Services’ “M&A Cyber Risk Assessment” program allows organisations to quantify risk in an area not traditionally considered in the M&A process – cyber risk. This program provides risk management, specifically geared to identifying and minimising exposure to cybersecurity threats before and during the company integration process.
CrowdStrike’s assessment methodology uncovers cyber risks associated with the following scenarios, among others, that are common during a merger or an acquisition:
- The value of the prospective partner’s business may be materially reduced if its network has been compromised and its intellectual property has been stolen and exploited by cyber adversaries—your competitors.
- An acquiring company may inherit massive liabilities if the prospective partner’s environment has been breached and customer data has been pilfered.
- The risk of adversaries gaining access to your business-critical systems is introduced by merging your network and IT systems with a partner organisation that has cyber vulnerabilities. A significant investment may be required to bring the partner organisation’s security controls up to an acceptable level.
- The company being acquired could lack the level of cybersecurity maturity that matches the acquiring organisation’s current security strategy, which can introduce unintended vulnerabilities. This captures cybersecurity risks that may materialise in the future without efforts to modify corporate culture and education.
- The acquiring company may also already be compromised or have vulnerabilities that can be exploited to gain access to their network and sensitive data. This captures the cybersecurity risk associated with infecting the new environment being integrated.
- Companies that engage in divestitures, selling assets or spinning off business units are also engaged with any number of third parties as part of the process, which may leave sensitive information vulnerable to theft at numerous junctures.
“The premise behind the CrowdStrike Services M&A Cyber Risk Assessment program is simple: You would never purchase a house without an inspection, so why would you invest millions of dollars in a business without properly assessing its cyber security posture?” said Shawn Henry, president of CrowdStrike Services and chief security officer. “Any merger or acquisition scenario poses significant risks given the investment and brand implications, along with the future of both companies involved. Vetting the cybersecurity readiness of the involved parties – including third-party organisations like law firms and financial services – should be a standard element of M&A or investment activity, particularly when it involves the integration of networks.”
“If an acquirer does not conduct comprehensive due diligence, at best they may find themselves investing unexpected, unbudgeted, and significant money to improve the weak data security of an acquisition,” said David Zetoony, chair of Bryan Cave LLP’s Data Privacy and Security Practice. “At worst they may find that they have inherited a data security breach, or have exposed their own networks as part of integration to a data security breach. You can never be sure about the security of a target’s system, but quantitative independent and objective analysis of a potential target provides far more certainty than asking sellers to complete written questionnaires that only reflect their own knowledge and understanding.”
Before the M&A process begins, CrowdStrike evaluates the client and third-party environments for signs of current or past compromise by deploying Falcon Host to gain further visibility into endpoint activity in near real-time. Falcon Forensics Collector is also used to gather system metadata and artifacts for analysis, and network-based monitoring tools are applied to information egress points to gain visibility into potentially malicious traffic entering and exiting the networks. Finally, as part of the Cybersecurity Maturity Assessment framework, CrowdStrike is able to draw upon a rich data set to provide a unique perspective in the form of a zero to five scale that generates a more detailed picture of an organisation’s cybersecurity capabilities in comparison to organisations of a similar size and industry. Combining these sources, CrowdStrike searches data from host systems for evidence of attacker activity and then collects, analyses and creates a report of findings focusing on indicators of compromise related to known attacker tools.
The CrowdStrike Elevate Partner Program offers businesses and organisations the ability to integrate various CrowdStrike products and services into their offerings, including the M&A Cyber Risk Assessment.