computer security

Auto Added by WPeMatico

Dragos raises $110M Series C as demand to secure industrial systems soars

Cybersecurity firm Dragos has raised $110 million in its Series C, almost triple the amount that it raised two years ago in its last round.

Dragos was founded in 2016 to detect and respond to threats facing industrial control systems (ICS), the devices critical to the continued operations of power plants, water and energy supplies, and other critical infrastructure. The company’s threat detection platform — its moneymaker — helps companies with industrial control systems defend against hackers trying to get into important operational systems. Its platform kicks out hackers that could shut down manufacturing lines or control energy supply systems, while its research arm keeps tabs on the hackers that can break into these highly complex and segmented industrial networks in the first place.

The startup’s latest round was led by National Grid Partners and Koch Disruptive Technologies, with both firms adding a member each to Dragos’ board. The round also saw participation from Saudi Aramco Energy Ventures and Hewlett Packard Enterprise, as well as return investors Allegis Cyber, Canaan Partners, DataTribe, Energy Impact Partners and Schweitzer Engineering Labs.

This latest round of funding will help the company with its go-to-market efforts, as well as growing its customer support team with 30 staff and building up its sales and marketing team. Lee said the company’s priority had been to work on its threat platform, and less selling it.

About one-third of the company’s employees work in software engineering to build its threat platform.

Dragos founder and chief executive Robert Lee said the pandemic, which forced vast swathes of the world to work remotely from home under lockdown restrictions, served as a wake-up call for companies with critical infrastructure.

“When you’re talking about critical infrastructure sites and people’s utilities, you need to put your best foot forward on the tech first,” he said.

Many companies were already trying to adapt with the digital age, but Lee said many companies realized they had underinvested in ICS security.

Dragos team picture

A team photo of Dragos employees. Image Credits: Dragos

Based just outside Washington D.C., Dragos now has over 220 employees and will be adding more, close to doubling its headcount since last year, and adding new offices in Melbourne, Dubai and in the United Kingdom.

Lee said the U.K.’s transition out of the European Union would all but ensure that the new U.K. office could not serve as an EU hub for the company, but that it was necessary to “to go where the problems are.”

Another one of those places is Saudi Arabia, one of the world’s largest oil and gas producers, where Dragos has an office and now draws an investment. Saudi oil and gas manufacturing plants have been the target of several cyberattacks, including the Trisis malware in 2017 that shut down one of the kingdom’s biggest petrochemical plants. But the country has faced extensive criticism for its human rights record by international rights groups. Lee said the company works to protect infrastructure that serves civilians and has actively rejected military contracts that would fall afoul of those values. “I don’t want to put asterisks on that mission,” he said.

Lee told TechCrunch that the company has grown at a rapid pace since it was founded four years ago.

“Our goal was never to get acquired,” he said. Echoing remarks he made last year, Lee said that the company’s plan was to continue growing and investing in the problems that Dragos sees — with an eventual goal to take the company public. “But we’re not rushed,” he said.

“The hallmark of Dragos being successful won’t be a successful IPO,” said Lee. “The hallmark will be having validated and built the market large enough that there can be other companies that come behind us serving the other more niche aspects of the ICS market and building out the community, and making sure our infrastructure is safer.”

Powered by WPeMatico

Ivanti has acquired security firms MobileIron and Pulse Secure

IT security software company Ivanti has acquired two security companies: Enterprise mobile security firm MobileIron and corporate virtual network provider Pulse Secure.

In a statement on Tuesday, Ivanti said it bought MobileIron for $872 million in stock — with 91% of the shareholders voting in favor of the deal — and acquired Pulse Secure from its parent company Siris Capital Group, but did not disclose the buying price.

The deals have now closed.

Ivanti was founded in 2017 after Clearlake Capital, which owned Heat Software, bought Landesk from private equity firm Thoma Bravo, and merged the two companies to form Ivanti. The combined company, headquartered in Salt Lake City, focuses largely on enterprise IT security, including endpoint, asset and supply chain management. Since its founding, Ivanti went on to acquire several other companies, including U.K.-based Concorde Solutions and RES Software.

If MobileIron and Pulse Secure seem familiar, both companies have faced their fair share of headlines this year after hackers began exploiting vulnerabilities found in their technologies.

Just last month, the U.K. government’s National Cyber Security Center published an alert that warned of a remotely executable bug in MobileIron, patched in June, allowing hackers to break into enterprise networks. U.S. Homeland Security’s cybersecurity advisory unit CISA said that the bug was being actively used by advanced persistent threat (APT) groups, typically associated with state-backed hackers.

Meanwhile, CISA also warned that Pulse Secure was one of several corporate VPN providers with vulnerabilities that have since become a favorite among hackers, particularly ransomware actors, who abuse the bugs to gain access to a network and deploy the file-encrypting ransomware.

Powered by WPeMatico

Decrypted: Apple and Facebook’s privacy feud, Twitter hires Mudge, mysterious zero-days

Trump’s election denialism saw him retaliate in a way that isn’t just putting the remainder of his presidency in jeopardy, it’s already putting the next administration in harm’s way.

In a stunning display of retaliation, Trump fired CISA director Chris Krebs last week after declaring that there was “no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised,” a direct contradiction to the conspiracy-fueled fever dreams of the president who repeatedly claimed, without evidence, that the election had been hijacked by the Democrats. CISA is left distracted by disarray, with multiple senior leaders leaving their posts — some walked, some were pushed — only for the next likely chief to stumble before he even starts because of concerns with his security clearance.

Until yesterday, Biden’s presidential transition team was stuck in cybersecurity purgatory because the incumbent administration refused to trigger the law that grants the incoming team access to government resources, including cybersecurity protections. That’s left the incoming president exposed to ongoing cyber threats, all while being shut out from classified briefings that describe those threats in detail.

As Biden builds his team, Silicon Valley is also gearing up for a change in government — and temperament. But don’t expect too much of the backlash to change. Much of the antitrust allegations, privacy violations and net neutrality remain hot button issues, and the tech titans resorting to cheap “charm offenses” are likely to face the music under the Biden administration — whether they like it or not.

Here’s more from the week.


THE BIG PICTURE

Apple and Facebook spar over privacy — again

Apple and Facebook are back in the ring, fighting over which company is a bigger existential threat to privacy. In a letter to a privacy rights group, Apple said its new anti-tracking feature will launch next year, which will give users the choice of blocking in-app tracking, a move that’s largely expected to cause havoc to the online advertising industry and data brokers.

Given an explicit option between being tracked and not, as the feature will do, most are expected to decline.

Apple’s letter specifically called out Facebook for showing a “disregard for user privacy.” Facebook, which made more than 98% of its global revenue last year from advertising, took its own potshot back at Apple, claiming the iPhone maker was “using their dominant market position to self-preference their own data collection, while making it nearly impossible for their competitors to use the same data.”

Powered by WPeMatico

Animal Jam was hacked, and data stolen; here’s what parents need to know

WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.

Here’s what we know.

WildWorks said in a detailed statement that a hacker stole 46 million Animal Jam records in early October but that it only learned of the breach in November.

The company said someone broke into one of its systems that the company uses for employees to communicate with each other, and accessed a secret key that allowed the hacker to break into the company’s user database. The bad news is that the stolen data is known to be circulating on at least one cybercrime forum, WildWorks said, meaning that malicious hackers may use (or be using) the stolen information.

The stolen data dates back to over the past 10 years, the company said, so former users may still be affected.

Much of the stolen data wasn’t highly sensitive, but the company warned that 32 million of those stolen records had the player’s username, 23.9 million records had the player’s gender, 14.8 million records contained the player’s birth year and 5.7 million records had the player’s full date of birth.

But, the company did say that the hacker also took 7 million parent email addresses used to manage their kids’ accounts. It also said that 12,653 parent accounts had a parent’s full name and billing address, and 16,131 parent accounts had a parent’s name but no billing address.

Besides the billing address, the company said no other billing data — such as financial information — was stolen.

WildWorks also said that the hacker stole players’ passwords, prompting the company to reset every player’s password. (If you can’t log in, that’s probably why. Check your email for a link to reset your password.) WildWorks didn’t say how it scrambled passwords, which leaves open the possibility that they could be unscrambled and potentially used to break into other accounts that have the same password as used on Animal Jam. That’s why it’s so important to use unique passwords for each site or service you use, and use a password manager to store your passwords safely.

The company said it was sharing information about the breach with the FBI and other law enforcement agencies.

So what can parents do?

  • Thankfully the data associated with kids accounts is limited. But parents, if you have used your Animal Jam password on any other website, make sure you change those passwords to strong and unique passwords so that nobody can break into those other accounts.
  • Keep an eye out for scams related to the breach. Malicious hackers like to jump on recent news and events to try to trick victims into turning over more information or money in response to a breach.

Powered by WPeMatico

Decrypted: Grayshift raises $47M, Apple bugs under attack, video game maker hacked

The election is over, but not without a hitch or two. Some voters in Georgia and Ohio had to use paper ballots after hand sanitizer leaked into voting machines — an unexpected casualty of the pandemic. And a slew of robocalls across a number of swing states urged voters to “stay safe and stay home,” in an effort to disenfranchise voters from going to the polls. With record voter turnout, there’s little evidence to show it worked.

But we saw nothing like the hack-and-leak operations like we did four years ago, which delivered an “October surprise” that derailed the election for Hillary Clinton, despite winning the popular vote by three million votes.

Government officials and cybersecurity firms said there were no significant or damaging cyberattacks during Election Day. One Homeland Security official called it “another Tuesday on the internet,” but conceded there was still cause for concern in the election aftermath.

With the bulk of the votes counted, government officials pointed to the threat of “foreign influence” campaigns — or misinformation — that would try to cast doubt on the election results. In reality, much of the false and misleading claims ended up coming from inside the White House as the Trump administration tried to cling onto power. After being caught out four years ago, the social media giants put into place measures and policies that limited the spread of false news — including Trump’s repeated attempts to claim victory.

Fears that the 2020 election could turn into a national, or even an international security matter did not come to fruition. The U.S. is in a better place than it was four years ago by simply learning the lessons from Russia’s efforts to interfere with the election. Imagine where we could be in another four?

Since you, like us, were glued to the television screens last week, here’s more from the week you might have missed.


THE BIG PICTURE

Grayshift, the maker of phone unlocking tech, raises a Series A round

Grayshift, the secretive startup behind the U.S. government’s favorite phone unlocking technology, has raised $47 million in fresh funding. The Series A round was led by PeakEquity Partners, and — as first reported by Forbes — is a huge round for a little-known phone forensics firm.

One of only a few photos of the mysterious GrayKey phone unlocking devices. Image Credits: Malwarebytes

Grayshift exploded onto the mobile forensics scene in 2018, months after the company began quietly selling its proprietary GrayKey technology to federal agencies for about $15,000 each. The FBI and other agencies use their purchased GrayKey devices to break into encrypted phones without needing the passcode.

Powered by WPeMatico

Decrypted: How Twitter was hacked, GitHub DMCA backfires

One week to the U.S. presidential election and things are getting spicy.

It’s not just the rhetoric — hackers are actively working to disrupt the election, officials have said, and last week they came with a concrete example and an unusually quick pointing of blame.

On Wednesday night, Director of National Intelligence John Ratcliffe blamed Iran for an email operation designed to intimidate voters in Florida into voting for President Trump “or else.” Ratcliffe, who didn’t take any questions from reporters and has been accused of politicizing the typically impartial office, said Iran had used voter registration data — which is largely public in the U.S. — to send emails that looked like they came from the far-right group the Proud Boys. Google security researchers also linked the campaign to Iran, which denied claims of its involvement. It’s estimated about 2,500 emails went through in the end, with the rest getting caught in spam filters.

The announcement was lackluster in detail. But experts like John Hultquist, who heads intelligence analysis at FireEye-owned security firm Mandiant, said the incident is “clearly aimed at undermining voter confidence,” just as the Russians attempted during the 2016 election.

 


THE BIG PICTURE

Twitter was hacked using a fake VPN portal, New York investigation finds

The hackers who broke into Twitter’s network used a fake VPN page to steal the credentials — and two-factor authentication code — of an employee, an investigation by New York’s Department of Financial Affairs found. The state tax division got involved after the hackers then hijacked user accounts using an internal “admin tool” to spread a cryptocurrency scam.

In a report published last week, the department said the hackers called several Twitter employees and used social engineering to trick one employee into entering their username and password on a site that looked like the company’s VPN portal, which most employees use to access the network from home during the pandemic.

Twitter Hack Update: We knew the attackers used the phone & pretended to be IT Support, but now we know the criminals specifically said they were calling about VPN issues, taking advantage of COVID-19 remote work strain. Sadly, these pretexts work often. https://t.co/kKe8XO3MCJ pic.twitter.com/fpE6Afcij1

— Rachel Tobac (@RachelTobac) October 20, 2020

“As the employee entered their credentials into the phishing website, the hackers would simultaneously enter the information into the real Twitter website. This false log-in generated a [two-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did,” wrote the report. Once onto the network using the employee’s VPN credentials, the hackers used that access to investigate how to access the company’s internal tools.

Twitter said in September that its employees would receive hardware security keys, which would make it far more difficult for a repeat phishing attack to be successful.

Open-source YouTube download tool hit by DMCA takedown, but backfires

Powered by WPeMatico

Here’s what’s happening at Disrupt 2020 today

Rise, shine and build your business startup fans. It’s day four of Disrupt 2020, and this is your daily snapshot of just some of the heavy-hitters, events, breakout sessions and all-around opportunity that’s yours for the taking.

Looking for the complete lineup? You’ll find it in the Disrupt agenda. Note: unless otherwise stated, all times are PST. Kicking yourself for not jumping on the opportunity bandwagon? Simply buy a Disrupt pass here, and kick your regrets to the curb.

Buckle up, folks — you’re in for a great day.

Athleisure wear is one of the hottest trends in retail, and it’s certainly a popular work-at-home wardrobe during a pandemic. Head to the Disrupt Stage and join comedian/tech investor Kevin Hart and Fabletics’ Adam Goldenberg for Retail is in the Details. They’ll talk about the company’s future and the type of tech Hart may invest in next (9:05 a.m. – 9:30 a.m.).

Everybody loves robots, but not many people know more about them than Boston Dynamics’ Robert Playter. You’ll find him on the Disrupt Stage talking about the company’s transition from robotics research to commercial production. Don’t miss Putting Robots to Work (10:00 a.m. – 10:20 a.m.)

We trust you haven’t missed a minute of the always-thrilling Startup Battlefield pitch competition. Still, a reminder never hurts. Session four takes place on the Disrupt Stage. Don’t miss watching today’s cohort lay it all on the line for a shot at $100,000 (10:40 a.m. – 11:45 a.m.).

Okay folks this session, Under the Radar, is a big, big deal. Legendary VC and Silicon Valley force of nature, Benchmark’s Peter Fenton joins us on the Disrupt Stage for a rare interview. Topic? The future of startups and venture capital (11:45 a.m. – 12:05 p.m.).

Head to the Extra Crunch Stage for product development tips from current and former product heads at places like Facebook, Zoom, Slack, Hulu and Oculus. Zoom’s Oded Gal, Advisor’s Eugene Wei, Slack’s Tamar Yehoshua and Inspirit’s Julie Zhuo will discuss How to Iterate Your Product (11:50 a.m. – 12:45 p.m.).

Data security is everyone’s concern — from budding startup founders all the way up to the NSA. Don’t miss Spycraft and Cybersecurity and the opportunity to hear Anne Neuberger, head of the NSA’s new Cybersecurity Directorate. She’ll take to the Disrupt Stage and discuss cyber threats, disrupting foreign adversaries and helping you improve your own cybersecurity (1:00 p.m. – 1:20 p.m.).

Whew, that rundown should whet your appetite for the day ahead. Connect, inspire, collaborate and take advantage of all the tips, advice, tools and opportunity Disrupt 2020 offers.

Still standing on the sidelines? You have two full days left to Disrupt and reject regret. Buy a Disrupt pass right now.

Powered by WPeMatico

JupiterOne raises $19M Series A to automate cyber asset management

Asset management might not be the most exciting talking topic, but it’s often an overlooked area of cyber-defenses. By knowing exactly what assets your company has makes it easier to know where the security weak spots are.

That’s the problem JupiterOne is trying to fix.

“We built JupiterOne because we saw a gap in how organizations manage the security and compliance of their cyber assets day to day,” said Erkang Zheng, the company’s founder and chief executive.

The Morrisville, North Carolina-based startup, which spun out from healthcare cloud firm LifeOmic in 2018, helps companies see all of their digital and cloud assets by integrating with dozens of services and tools, including Amazon Web Services, Cloudflare and GitLab, and centralizing the results into a single monitoring tool.

JupiterOne says it makes it easier for companies to spot security issues and maintain compliance, with an aim of helping companies prevent security lapses and data breaches by catching issues early on.

The company already has Reddit, Databricks and Auth0 as customers, and just secured $19 million in its Series A, led by Bain Capital Ventures and with participation from Rain Capital and its parent company LifeOmic.

As part of the deal, Bain partner Enrique Salem will join JupiterOne’s board. “We see a large multi-billion-dollar market opportunity for this technology across mid-market and enterprise customers,” he said. Asset management is slated to be a $8.5 billion market by 2024.

Zheng told TechCrunch the company plans to use the funds to accelerate its engineering efforts and its go-to-market strategy, with new product features to come.

Powered by WPeMatico

Use ‘productive paranoia’ to build cybersecurity culture at your startup

As any startup grows, getting new products out the door and securing that next round of funding are always top priorities.

But security, all too often, falls by the wayside. After all, why would you invest money in something that you hope never happens when you could be funneling cash back into the business?

Fostering a corporate culture that embraces cybersecurity best practices keeps customer data safe and your company’s reputation intact. But security isn’t something you can easily tack on later. It must be ingrained in your company’s culture, and it’s so much easier to start in the early days of your company than scrambling in the aftermath of a data breach.

But how do you get there?

At TechCrunch Early Stage, we asked Casey Ellis, founder, chairman and chief technology officer at Bugcrowd, to share his ideas for how startups can improve their security posture.

Bugcrowd helps companies dip into a huge pool of cybersecurity talent — including hackers and security researchers — to find vulnerabilities. By helping companies identify flaws, they can shore up their defenses before malicious hackers break in. Few know better than Ellis — who’s run Bugcrowd for close to a decade — which policies, procedures and protections companies have put in place to get there.

Extra Crunch subscribers can log in and watch the video below.

Powered by WPeMatico

It’s time to better identify the cost of cybersecurity risks in M&A deals

Rob Gurzeev
Contributor

Rob Gurzeev is CEO and co-founder of CyCognito, a company focused on giving CISOs the advantage over attackers.

Over the past decade, a number of high-profile cybersecurity issues have arisen during mega-M&A deals, heightening concerns among corporate executives.

In 2017, Yahoo disclosed three data breaches during its negotiation to sell its internet business to Verizon [Disclosure: Verizon Media is TechCrunch’s parent company]. As a result of the disclosures, Verizon subsequently reduced its purchase price by $350 million, approximately 7% of the purchase price, with the sellers assuming 50% of any future liability arising from the data breaches.

While the consequences of cyber threats were soundly felt by Yahoo’s shareholders and widely covered in the news, it was an extraordinary event that raised eyebrows among M&A practitioners but did not fundamentally transform standard M&A practices. However, given the high potential cost from cyber threats and the high frequency of incidents, acquirers need to find more comprehensive and expedient methods to address these risks.

Today, as conversations accelerate around cybersecurity matters during an M&A process, corporate executives and M&A professionals will point to improved processes and outsourced services for identifying and preventing security issues. Despite the heightened awareness among financial executives and a greater range of outsourced solutions for addressing cybersecurity threats, acquirers continue to report increasing numbers of cybersecurity incidents at acquired targets, often after the target has already been acquired. Despite this, acquirers continue to focus due diligence activities on finance, legal, sales and operations and typically see cybersecurity as an ancillary area.

While past or potential cyber threats are no longer ignored in the due diligence process, the fact that data breaches are still increasing and can cause negative financial impact that will be felt long after the deal has closed highlights a greater need for acquirers to continue to improve their approach and address cyber threats.

The current lack of focus on cybersecurity issues can be partially attributed to the dynamics of the M&A market. Most middle-market companies (which constitute the nominal majority of M&A transactions) will typically be sold in an auction process where an investment bank is engaged by the seller to maximize value by fostering competitive dynamics between interested bidders. In order to increase competitiveness, bankers will typically drive a deal process forward as quickly as possible. Under tight time constraints, buyers are forced to prioritize their due diligence activities or risk falling behind in a deal process.

A typical deal process for a private company will move as follows:

  • Selling company’s investment bankers contact potential buyers, providing a confidential information memorandum (CIM), which contains summary information on a company’s history, operations and historical and projected financial performance. Potential buyers are typically given three to six weeks to review materials before deciding to move forward. Unless there is a previously known cybersecurity issue, a CIM will typically not address potential or current cybersecurity issues.
  • After the initial review period, indications of interest (IOI) are due from all interested bidders, who will be asked to indicate valuation and deal structure (cash, stock, etc.).
  • After IOIs have been submitted, the investment banker will work with the sellers to select top bidders. Key criteria that are evaluated include valuation, as well as other considerations such as timing, certainty of closing and credibility of buyer to complete the transaction.
  • Bidders selected to move forward are typically given four to six weeks after the IOI date to drill deeper into key diligence issues, review information in the seller’s data room, conduct a management presentation or Q&A with the target’s management and perform site visits. This is the first stage when cybersecurity issues could be most efficiently addressed.
  • Letter of Intent is due, when bidders reaffirm valuation and propose exclusivity periods wherein one bidder is selected on an exclusive basis to complete their due diligence and close the deal.
  • Once an LOI is signed, bidders typically have 30-60 days to complete the negotiation of definitive agreements that will outline in detail all terms of an acquisition. At this stage, acquirers have another opportunity to address cybersecurity issues, often using third-party resources, with the benefit of investing significant expenses with the greater certainty provided by the exclusivity period. The degree to which third party resources are directed toward cybersecurity relative to other priorities varies greatly, but generally speaking, cybersecurity is not a high-priority item.
  • Closing occurs concurrent with signing definitive agreements, or in other cases, closing occurs after signing often due to regulatory approvals. In either case, once a deal is signed and all key terms are determined buyers can no longer unilaterally back out of a deal.

In such a process, acquirers must balance internal resources to thoroughly evaluate a target with moving quickly enough to remain competitive. At the same time, the primary decision makers in an M&A transaction will tend to come from finance, legal, strategy or operating backgrounds and rarely will have meaningful IT or cybersecurity experience. With limited time and little background in cybersecurity, M&A teams tend to focus on more urgent transactional areas of the deal process, including negotiating key business terms, business and market trend analysis, accounting, debt financing and internal approvals. With only 2-3 months to evaluate a transaction before signing, cybersecurity typically only receives a limited amount of focus.

When cybersecurity issues are evaluated, they are heavily reliant on disclosures from the seller regarding past issues and internal controls that are in place. Of course, sellers cannot disclose what they do not know, and most organizations are ignorant of attackers who may already be in their networks or significant vulnerabilities that are unknown to them. Unfortunately, this assessment is a one-way conversation that is reliant on truthful and comprehensive disclosures from sellers, lending new meaning to the phrase caveat emptor. For this reason, it’s no coincidence that a recent poll of IT professionals by Forescout showed that 65% of respondents expressed buyer’s remorse due to cybersecurity issues. Only 36% of those polled felt that they had adequate time to evaluate cybersecurity threats.

While most M&A processes do not typically prioritize cybersecurity, M&A processes will often focus squarely on cybersecurity issues when known issues occur during or prior to an M&A process. In the case of Verizon’s acquisition of Yahoo, the disclosure of three major data breaches led to a significant reduction of purchase price, as well as changes in key terms, including stipulations that the seller would bear half the costs of any future liabilities arising from these data breaches. In April 2019, Verizon and the portion of Yahoo that was not acquired would end up splitting a $117 million settlement for the data breach. In a more recent example, Spirit AeroSystems’ acquisition of Asco has been pending since 2018 with a delayed closing largely due to a ransomware attack on Asco. In June 2019, Asco experienced a ransomware attack that forced temporary factory closures, ultimately causing a 25% purchase price reduction of $150 million from the original $604 million.

In both the case of Spirit and Verizon’s acquisitions, cybersecurity issues were largely addressed through valuation and deal structure, which limits financial losses, but does little to prevent future issues for a buyer, including loss of confidence among customers and investors. Similar to Spirit and Verizon’s acquisitions, acquirers will typically utilize structural elements of a deal to limit the economic losses. Various mechanisms and structures — including representations, warranties, indemnifications and asset purchases — can be utilized to effectively transfer the direct economic liabilities of an identifiable cybersecurity issue. However, they cannot compensate for the greater loss that would occur from reputational risk or loss of important trade secrets.

What the Spirit and Verizon examples demonstrate is that there is quantifiable value associated with cybersecurity risk. Acquirers who do not actively assess their M&A targets are potentially introducing a risk into their transaction without a mitigation. Given a limited timeline and the inherently opaque nature of a target’s cybersecurity issues, acquirers would benefit greatly from outsourced solutions that would require no reliance upon, or input from a target.

The scope of such an assessment ideally uncovers previously unknown deficiencies in the target’s security and exposure of business systems and key assets, including data and company secrets or intellectual property. Without such knowledge, acquirers go into deals partially blinded. Of course, industry best practice is to reduce risk. Adding this measure of cybersecurity assessment is an excellent practice today and likely a mandatory requirement in the future.

Powered by WPeMatico