IVCA Feature: Highlights of ‘Uncovering & Addressing Cyber Risks (with Limited Time & Resources)’

March 28, 2018

The third IVCA event of the year was a luncheon, and the topic piqued the interest of everyone who attended. 
Any business can come close to foolproof cyber security, but the cost may be the ability to efficiently and effectively manage business processes. Since cyber insurance does not cover an incident that occurred because of “human error” or process flaws, getting the balance correct is paramount to every entity. The question of how to balance the costs in terms of process, dollars and human compliance against business risks was the topline discussion. The speakers, both from Plante Moran, were:
  • Timothy Bowling
  • Joe Oleksak 
Agenda
  • The State of Cybersecurity
  • What Does a Cyber Attack Look Like?
  • What Does This Mean to a Transaction?
  • So What Should We Do? (Framework)
The presentation dealt with four topics of interest...
THE STATE OF CYBER SECURITY
Oleksak began with some simple facts... there is a one-in-four chance that an individual will experience a data breach. 61% of those breaches occur in small organizations of 1,000 people or fewer, and 58% of those small organizations believe they are not a target. The types of valuable data that the “dark web” can mine are Personal Data (email, billing addresses), Competitive Data (customer listings, pricing data), Assets (intellectual property, design documents) and Privacy (ePHI/HIPAA, cardholder data). As a connection to the PE/VC community, he pointed out that if security is not addressed in these areas, the companies that are purchased may end up costing a lot more.
Oleksak continued with the fact that 60% of small companies go out of business within six months of a cyber attack. Yet only 14% believe that they are ready to effectively handle hackers, only 25% have cybersecurity insurance and only 49% are allocating any budget to risk mitigation. Most companies have an IT budget, and wrongly assume that it covers security. In Oleksak’s view, IT and security butt heads... IT is there to enable and grant access, security is there to be a disabler and to limit access. So by giving IT full responsibility for security, chances are you have less security.
Oleksak talked about the costs. The average cost of a data breach is over $879,000, and it takes an average of over $955,000 to restore normal business. Why does it cost so much? The length of time to discover a breach has gone up considerably in the last three years, to 92 days. The point is that it is currently more difficult even to identify a breach, because controls for detecting them are generally not in place, and money is not allocated towards those controls. When the breach stretches to over 90 days, the costs to restore rise exponentially.
WHAT DOES A CYBER ATTACK LOOK LIKE?
Oleksak demonstrated how easily a hack can take place, using a demonstration video. Many email accounts can simply be hacked, and systems breached, by a user clicking an email attachment, which gives the hacker a “reverse shell” on the hacker’s end (an image of your computer). From that a hacker can breach a whole system, including your network... all the computers and all the files on them. This runs in the memory of the computer, so anti-virus software is ineffective, because it looks for specific files.
He pointed out that Microsoft does have a patch to prevent the reverse shell. Regarding what IT can do, patch management is an important check-and-balance system.
WHAT DOES THIS MEAN TO A TRANSACTION?
Timothy Bowling took on this category. The first question he perceived the investor audience to be asking was “why should I care?” Well, first he simply pointed out the damage to public perception of a business, which can result in loss of suppliers, operations and sales, as well as regulatory sanctions/fines and the dreaded lawsuit. A potential buyer of the business has to weigh all of this.
Bowling then described the two most commonly seen attacks... the aforementioned email spoof and the familiar phishing attack (clicking a link directly injects a malware engine). One of the more common email spoofs, for example, is a fake CEO email informing the CFO that a million dollars needs to be wired to a supplier. The CFO takes care of it, and then finds the CEO had no knowledge of the request. That’s wire fraud, and it’s not covered by cyber insurance, because it’s not an official breach. Phishing was illustrated in the reverse shell example above, where malware, ransomware and other breaches can be directly injected into a network’s memory.
Bowling then pointed out four examples of difficulties in different industries. In manufacturing, if a sophisticated system of connections between accounts, supplies, etc. is breached, it’s a major disruption that can literally stop production. In healthcare, it’s about information mining; records contain sensitive data, social security numbers and physician/patient confidentialities. Once a breach occurs in this situation, the healthcare company has to reveal it to its clients, which is not good for trust.
The third example was a “consumer facing” problem. Across social media and other websites, similar passwords are used, and once found they can be used to hack other products and services. For example, a LinkedIn breach caused a PayPal breach. Finally, in a financial services example, tax records were exposed and the exposure wasn’t detected for months, increasing the exposure and limiting trust for customers and clients.
Bowling then rolled out potential investment effects. Besides the obvious loss of capital, poor cybersecurity uncovered during due diligence can negatively affect a transaction that is under way, with only a limited horizon for corrective action before an exit. And if the breach is large enough, it can have a detrimental effect on valuations.
The final point was to have “cyber diligence,” on both the buy and sell sides. This includes identifying vulnerabilities to fend off a material adverse effect and making sure there is high confidence in reps and warranties to lessen the likelihood of post-closing events. Also understand the exposure when evaluating valuations, consider how IT can affect operations and the risk of downtime, and evaluate the cost of implementing strong cybersecurity if necessary as a protective measure.
WHAT CAN WE DO? 
Joe Oleksak came back for this part of the presentation to point out questions to be asked within your organizations and of the businesses you may buy. The different categories of businesses, like the examples above (manufacturing, healthcare, etc.), have different needs for cybersecurity. In manufacturing, for example, the commonly used security standards include the NIST Small Business guidance, the CIS Top 20 (major check bullet points), the ISO 2700x Series, COBIT and more.
Oleksak then outlined seven things to look for and ask yourself regarding cybersecurity internally, and when evaluating investments (which can be handled contractually). 
  1. Data Asset Inventory and Corresponding Risks. It’s basically knowing what you have and where those key assets reside (electronic vs. hard copy), how those assets are accessed and who accesses them. Then it becomes about identifying potential risks, residual risks (gaps in systems) and the implemented controls.
  2. Control Design. Is security an IT issue, or a business issue? Who is responsible for it? How is it incorporated into the culture of the company? Is security strategically considered, and are the network and systems designed around data protection (versus “ease of access”)?
  3. Cybersecurity Monitoring. Do you monitor all layers of the network, including firewall, DMZ, internal network, critical VLANs and critical systems/applications/databases? Is it proactive or reactive? Are logs being kept, and who reports to whom?
  4. Architecture. Still using outdated equipment or software? Are you using easy-to-hack home-grade equipment like wireless routers? Are you practicing proper patch management? And who manages equipment, and how do they manage it through its lifecycle?
  5. Access. Do you have a controlled process for granting, changing and revoking access, both logically and physically? What privileges does access carry across the network, file shares and applications? What roles do admins (local or domain) have, and how many are there? And how often is access reviewed?
  6. Recovery. Do adequate controls exist for backup and recovery, for both workstations and servers? Have they been tested? Is there a disaster recovery plan in place (with legal and marketing/PR involvement?), and has it been tested and trained for? And is there continuity in this testing and training? And since accountants are audited, is IT also audited?
  7. At a Minimum, Continuous Assessment and Remediation. What processes are in place to evaluate risk? Is it internally or independently performed? How are investment assets – people, process and technologies – assessed differently? Hacks occur at the places of least resistance. The harder it is to get in, the more likely a hacker will move on.
The presentation concluded with the international General Data Protection Regulation (GDPR), which should be understood for overseas relationships. To sum up, the controls you have implemented today won’t necessarily address the risks of tomorrow.
The next IVCA Event will be a Breakfast on Tuesday, April 3rd, 2018... “Deal Structure & Other Advanced Tax Considerations Under 2018 Tax Law.”