EPISODE 117
Cyber Risk Management During Company Acquisition

About this episode

October 25, 2022

How can Deal Teams and M&A Teams understand and manage cyber risk so they can make better business decisions during the company acquisition process? Let’s find out with our guest, Shay Colson, the Managing Partner at Coastal Cyber Risk Advisors, LLC. Your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 117 of the Cyber Risk Management Podcast?

Kip Boyle: Well, it's great to see you Jake, and we are going to talk about something I think is really interesting, but also something that isn't done enough in the mergers and acquisitions transactions that we see taking place. We're going to talk about how to manage cyber risk within those transactions because what I think people want to do when they buy a company is they want to make the highest quality business decisions that they can during that process. There are so many risks that are present in that transaction and there's a limited time. You've got to really make some tough choices about what you're going to look at. And because cyber has become a material business risk these days, it needs more attention in this process. That's my feeling. And I think that's also the feeling of our guest, Shay Colson, he's the managing partner at Coastal Cyber Risk Advisors LLC. Shay, thanks so much for being here. Welcome. Would you introduce yourself?

Shay Colson: Thanks Kip. Certainly. Thanks Jake, really appreciate the opportunity. So as you said, my name is Shay Colson and I'm the managing partner for cyber diligence at Coastal Cyber. And I come at this problem from the same perspective that you do, which is we have arrived at the transaction because there's a real material business here and cyber has the opportunity to both support its growth or derail it. And if we don't take the opportunity to do that analysis, do that diligence and build that plan, we're going to end up with problems and nobody wants that, but it's a little bit different than a traditional approach. And so that's what our practice focuses on.

Before starting this practice, I was leading the cyber diligence practice at Kroll, which is a large multinational consulting practice, and have worked with very large, like Fortune 10, and also very small companies all up and down the range. And I think for me it's the most fun when you get to bring together the business side and the cyber side with some people and strategy over the top. And that's, I think, what we're going to have fun talking about today.

Jake Bernstein: I'm very excited because I do a lot of cyber security and privacy due diligence both for buyers and sellers and those are obviously, Kip, I don't know if you have a ton of experience doing it buy side versus sell side, but those are two different jobs completely.

Kip Boyle: Yeah, well buy side, we've actually done a little bit of due diligence on the buy side. Mostly what we've been asked to do is when a venture capital company is making an early investment and what they're trying to do is make sure that the tech stack that they're going to invest in is going to scale to meet the goals or they need to know if that tech stack's going to run out of gas before they get where they want to go to. So we look at that and then we also at the same time are looking at cyber security issues, privacy issues, but it's all very small scale, but that's the limit of our experience so far.

Jake Bernstein: Yeah, and my perspective on it is usually more on the representations and warranties that are being made, the disclosures that are made in the disclosure schedules about the reps and warranties and then of course, the due diligence, risk analysis on top underlies all of it and then on deals with and without what's called rep and warranty insurance. And that really dramatically changes the character of a deal if something is being underwritten or not. So frankly, all stuff that I had absolutely no clue about a year and a half ago, but which I have done quite a bit of since joining K&L Gates. So this is going to be interesting. And Shay, why don't you tell us what is cyber due diligence really about and would you say it is or isn't the same as cybersecurity?

Shay Colson: Yeah, I think that's a really good question and I think it's helpful to situate this exercise. So you mentioned that there's reps and warranties and this underwriting piece over the top of it. To Kip's point, there's different stages. Is it an early stage venture deal? Is it a lower middle market or middle market private equity acquisition? Now we're going to see, I think, in the current market, a lot of public companies do what's called a take private where they go from the public listings to private holdings and do a transaction there that's $2, $4, $6, $8, $10 billion. But this is a very different exercise than you might think of as either a compliance audit, like a SOC 2 or an ISO sort of exercise, or even just a risk management approach, whether you're using the NIST Cybersecurity Framework or aiming for the CIS controls, because you've got a couple of different things that are constraining and driving the exercise.

So the first is they're almost always time limited. This is two weeks, three weeks, four weeks, maybe you get up to six weeks, but you don't have time to do a comprehensive analysis, you don't have the relationship to do a pen test or some of these more hands on sorts of things. So you're relying on a mix of open source intelligence, what you can gather externally, the documents and what's written down from work that's been done or hasn't been done at the target and then those conversations. And so it's not helpful, actually, to approach it like you would a traditional risk assessment. It's much more helpful to put this commercial lens on it and say, great, what does this business do? How does this business make money? How does their technology support their ability to make money? And that's why we're here.

There's a real business, someone wants to buy it and then ultimately grow it and sell it again. And so how do the various risks from a cyber perspective potentially impact that current state and that growth capability? And then how do you price that into the deal? To your opening point, Kip, about the tech stack and the venture capital approach, is it going to scale or is it going to run out of gas? I think the questions that we often tackle are: so what? Right, okay, there's this finding, okay, there's this risk. So what? What does that mean for my business? What would resolve it? And that's the discussion that we have here. And I think that's why cyber diligence is so difficult is if you take a pure technical approach, you're going to miss the mark, you're going to be talking over your target, which is the deal team, and they want it in dollars and cents. They don't want it in frameworks and findings, right?

Jake Bernstein: Yeah. And just on that topic still somewhat introductory is that the relative size and bargaining power of the two different parties in any transaction also dramatically affects the, not just cyber diligence but all diligence, but I think particularly cyber and privacy diligence just because the thing that's different and everyone listening should know by now that I come from the regulatory background of the attorney general's office in Washington State and most of my career really was the typical adverse position litigation type thing. And the thing about deals is that they are... I mean, each side is supposed to be advocating for its clients, but the difference is that instead of a dispute or an investigation, you have a business deal that both sides want to happen. I mean, generally speaking, if they didn't want it to happen, we wouldn't be here spending this money.

And I like it. It's a very different style of approaching all of this. The challenge that, frankly, I think all of us are still working out, and I'm super curious to see how this discussion goes, is nobody wants to be the specialist that kills the deal. That would be a bad thing, right? And I say specialist because there's also employment law that usually is, and there's hacks, and cyber and privacy is definitely a specialist, and IP, usually about patents and trademarks and copyrights and stuff like that. But you don't want to be the specialist who kills the deal.

On the other hand, you have to tell your client if you're on the buy side what the risks are and it's a real interesting challenge. So you mentioned that cyber due diligence should help the deal team understand what the risks could mean to the business and how much it might take to manage those. How do you spin... Let's say that you have, I'll just be honest, most of the time when I'm on buy side, the seller seems to have very little in the way of effective cybersecurity and privacy. And to some degree that's expected because a lot of the time the company being bought is smaller and less sophisticated.

Shay Colson: And they've been in growth mode. They've been investing in the business and deferring some of this core cyber infrastructure investment and that got them to where they are, right?

Jake Bernstein: Yep, it did. So how do you approach that with the deal team, Shay, and what do you say to them, even if the cyber risk manager in you wants to pull the fire alarm and run screaming from the building? That's the mission. So yeah, I'm curious, how do you deal with that?

Shay Colson: I appreciate your framing that you don't want to be the expert who kills the deal. And let's be very clear, I don't want to kill the deal and actually, I've never killed the deal and I've had some crazy things happen during a diligence window and it still didn't kill the deal. I had one where one company was buying another, they had partnered before and decided that they wanted to acquire them and vertically integrate. Well, the target, the company that was being acquired, had a ransomware incident during the diligence period. And not only that, but the ransomware jumped from their shared ERP system over to the other. And the proof of life that the threat actors put on the internet was actually the insurance policy of the acquirer, not the target. And that's how bad it was.

Jake Bernstein: Oh no. That's epic.

Shay Colson: We still did the deal because it made sense for the business and just like any of these risks, we're going to manage them down to an acceptable level, whatever that means for us and for our position in the business and our growth goals and then we're going to move forward. And so I think that's how you have to frame it and that's why it's important to center this and focus it through the lens of the deal thesis, right?

Jake Bernstein: It is.

Shay Colson: What are you, as the buyer, going to do with this business once you get it and how does cyber support that?

Jake Bernstein: Yeah, and you just reminded me of another, I think, really important kind of complication to this that's different than cyber risk analysis just on a one-off with a single client, which is that the intention of the acquirer with respect to the purchased company really makes a big difference. If you're going to absorb it fully and you're going to, again, it gets so complicated because it depends so much on what the company is, but let's just say that it's amenable to being absorbed into your own tech stack and your own security systems, then it's almost, but not quite, fair to say that the target, that's usually what we call the company being acquired, it almost doesn't matter what the target's cybersecurity stance is because it's going to be erased as soon as the deal is over.

On the other hand, just as often you see where a company is going to be acquired and then it's going to run itself, particularly if it's private equity. Private equity, that's not their business. They don't absorb companies. They buy them and they let them run themselves. And so that's a totally different situation. If your client, a private equity firm, is the buyer, you have to approach that very differently than if your client is a tech company that's just going to absorb. They're fundamentally different.

Shay Colson: And I think this is a really good point in terms of centering the goal of the exercise here. If it's just a controlling investment, like a PE fund is going to come in and acquire it and they're going to run it, it is really helpful to understand what sort of investments are going to need to be made to be resilient during what they call the hold period, the length of time they're going to own this asset before ultimately they'll sell it again.

And I think those conversations are very different, but they're super interesting, which is, look, we have to put some controls in place because if we have an incident, the risk is not, oh, we're going to have to pay a ransom or the risk is not, we're going to lose some files. The risk is you're going to have a quarter or two quarters or three quarters of distraction from your growth goals while your executive leadership team and your technical folks put out this fire and get back up to speed. And when you only hold it for three years, you can't lose two quarters or three quarters and try and make your deal thesis work.

Jake Bernstein: No, that's such a good point. And the other thing too, I think that scenario, that PE short-term investment, is probably the closest to a standard cybersecurity risk assessment that you get in the M&A space because it's essentially, I mean, that's almost what you're doing: the investor is bringing you on to the deal to say what's the current status of this target's cyber security program and privacy program, and then on those, I tend to focus more on remediation plans.

Shay Colson: What's it going to take to get it where we want it to be?

Jake Bernstein: Yeah, exactly.

Shay Colson: But then there's this whole other world, which is you've got one operating company acquiring a bolt-on or an add-on or a competitor or a partner or whatever. And this becomes a much different exercise because really you first have to baseline the acquirer, figure out not only what your tech stack is, but your tooling, your people, your policies, and understand where you are strong, where you are weak and where you're trying to go strategically. And then use that to evaluate both the objective risk in a target and then also this integration risk. If you're an M365 shop and they're Google Workspace and they're of any size, you've got a huge migration challenge ahead of you. If they've got different endpoint tools and if they've got different firewalls or different SIEMs or different whatever, you've got to account for that as you look to bring these two together because those are the things that are going to let the business recognize that synergy or that value of the reason they're buying the business.

And the last thing you want to do is run two concurrent security programs with two different tool sets and two different license cadences and all that other stuff. So even to the point, and I often encourage people to look at this, is what's the talent on the team that's coming in? Do they have some people that plug the holes that you don't have? Can you grow those people? Maybe they've got some junior folks that you can invest in, because hiring is hard. Look at all of these things and think about that in the deal.

The other thing, and maybe you see this too, Jake, is you don't have a lot of negotiating power from cyber, but you can create some real value. So for example, if they don't have an MFA solution in the target or an EDR solution in the target, but you do and you're going to roll them over as soon as they close the deal, well maybe we negotiate a little hard on some of these gaps they have in their security posture and then once it's closed, roll down the corporate policies and immediately create that value and shore them up. I think it's really a nice opportunity for cyber to finally be a value add and not just a cost center.

Kip Boyle: I love this conversation. One of the things that's going through my head is just rolling back a couple of minutes ago where you guys made the point that you don't want to be the, I think you said the specialist that kills the deal. Is that right, the terminology? Well, no wonder why nobody asks Kip to be involved because people that do the work that I do are just notorious for being considered Dr. No. And we don't hesitate to throw the bullshit flag if that's what we think needs to happen and who needs a negative Nancy like me in there?

Shay Colson: We can't have a department of "no" in the deal because the deal is going to charge through... In cyber, even though we love it, we talk about it, there's hundreds of episodes of this podcast about it. It's Johnny-come-lately to the deal team. It's Johnny-come-lately to the diligence room.

Kip Boyle: Oh, very much so. It may not stay that way.

Shay Colson: 45 minutes with their security team on a call, that might be all that you get. The tax guys are on site for two weeks. The IP attorneys are there for a week.

Jake Bernstein: I will say, Shay, that it is starting to change. I mean, like I said, I'd done two deals and I was kind of the everything lawyer because I was at a small firm and it was a small client and they were small deals. But then I think I've probably been on 30 plus deals in a year and four months, probably more than that honestly, as a specialist. And I've really seen things change. It used to be that all of the cybersecurity and privacy reps got lumped into the IP section of the representations.

Shay Colson: Yeah, five questions at the end of the phone call.

Jake Bernstein: Yeah. Or it was almost nothing in the various things. Now, almost universally, cyber and privacy, they get their own section of whatever the purchase agreement is, they get their own section in the diligence questionnaire. I mean, they really are becoming, I think, as important as they should be. That's good.

Kip Boyle: Yeah. It's Johnny-come-lately simply because the people that are deciding what the priorities are, are still learning about its materiality and importance. Wouldn't you say so, Shay?

Shay Colson: I would. And you know what I've noticed is investors who have suffered the pain of a ransomware incident somewhere in their portfolio suddenly are a lot more interested in doing cyber diligence on their investments moving forward. Have you seen that, Jake?

Kip Boyle: And that's what I see in my work in general. Yeah.

Jake Bernstein: Yep. And Shay, I'm not going to belabor it because we actually did an episode to some degree talking about the FTC's, at this point, relatively recent consent order with CafePress, and it was a good example of how cyber diligence can come back to bite you. In that case, 18 months after the deal closed, the FTC comes knocking and that investigation and settlement impacted both the purchaser and the seller of that particular deal, and it's pretty fascinating honestly.

Shay Colson: Well, I think that's the other thing that is interesting about the next evolution of cyber due diligence is to not just stop when the deal closes. And I, particularly with my PE clients, really try and instill this, which is actually the start of the next diligence cycle. So we just did this work, we baselined them. We have a three day, three week, three month plan, a hundred day plan, whatever, but our goal now is to document all the work that we're doing, put this story together so that when you go to the table the next time on the sale side and you bring in somebody else like me who's probably not as nice as me, your story is strong, you've documented this value and you can support your target valuation. And I think that story piece, that meaning-making around cyber is why this is such an interesting space is because it's not just controls or frameworks or configurations. Now it's about the business and it's about the growth. And I think cyber is finally ready to play at that level.

Kip Boyle: Yeah, that's great. By the way, the episode that Jake just mentioned, that's episode 109. I'll put a link to that in the show notes in case anybody would like to go back to that episode. Shay, the other thing that's running through my brain right now is the Verizon acquisition of Yahoo. And what happened there when they discovered all of these shenanigans in the cyber security closet and if I remember correctly, that resulted in, among other things, a decrease in the acquisition cost to the tune of like $350 million.

Shay Colson: Well, I think it was closer to a billion.

Kip Boyle: Okay, a billion, good. Okay.

Shay Colson: This is a common example and it's a common one because they're big companies and it's a big number, but I don't actually find it to be that useful in talking about what this means for investors because that's not the typical course, and you're also not going to be able to do the type of analysis that you'd have to do to discover that sort of a situation in your typical diligence window. And now, and Jake, you probably see this, deals are competitive. It's wait, wait, wait, okay, now go. We've got to make our offer in five days. We're not going to cover that kind of ground in five days.

Jake Bernstein: I know. It's funny. That's another version. I mean, that's the thing about M&A is that there are so many variations of it. The auction process itself, I mean, that's one where it's almost a race to the bottom on the buy side. It's weird, right? I mean, it obviously really depends, but there are times when a valuable target can essentially render its, in some cases, pathetic cyber practices irrelevant if it's valuable enough otherwise.

Shay Colson: Take it or leave it, right?

Jake Bernstein: And it's frustrating as the specialist because you're like, but, but, and they're like, doesn't matter. You're like, fine, I told you. And really, at that point, it becomes somewhat of a cynical CYA exercise of I'll put this in my report and it's there and I told you so if it ever matters.

Shay Colson: Yeah. But it's funny, in those situations, you just have to do the best you can with quantifying the risk for the deal team and saying, okay, I see that they've got RDP exposed to the internet. They don't know what that means, but you can tell them why that might pose this risk. Or they've got public facing vulnerabilities that are on CIS's list of active exploitations in the wild. You can help them understand that they use this system to generate all that revenue that you're interested in acquiring. And if it goes down, that tap turns off and that's why we need to address it. But sometimes that case still falls flat or it lands on deaf ears. And I think, you just do your best to quantify what that risk would mean to the business and if they want to move forward, they're going to move forward, but at least you did your part.

Kip Boyle: Yep. So Shay, so listening to the conversation we've been having so far, it sounds like that cyber due diligence should remain focused on the target only. Is that what you do? Is that what you see?

Shay Colson: Well, if it's just a controlling investment, if the PE fund is just going to buy the company and let it run on its own, maybe change the management and do some things to help the growth, then yeah, you can stay focused on that target. But if there are integration pieces or if it's a bolt-on, then you absolutely need to figure out where you are from the parent company or the acquiring company and close those gaps to the target. The other thing that's going to be really interesting, and Jake, I'd be curious on your thoughts here with the SEC's new proposed cyber rule, is these larger private equity backed firms whose next step is to go public. And so now we're thinking about how would we comply with some of those things around board level governance, disclosure within four days on a Form 8-K, all those other things that the SEC is kind of testing the waters with.

Now the final rule's not out, so we don't know where that bar will be, but if we look at that or if we look at the New York DFS proposed amendments to their cyber rule, we can see where it's headed. And then you want to start to aim towards that because it's not a six week project to do that. It's a six month, 12 month, 18 month project to take an IPO size company to that level of maturity. And you can start that story. So that's the other common pitfall, Kip, and I appreciate you raising it, is just looking at the target and saying, okay, we got that part done. Well, maybe, maybe that's enough, but generally it's not.

Jake Bernstein: No. And those are all excellent points. And I do think that all of this that we're talking about, it isn't even as important as it will be in the not too distant future if any of these rules come to full fruition. It's really quite interesting to see the evolution of this. And I think that in terms of looking at the target versus the buyer, it really depends because you can have buyers who have the money to purchase, but they don't even necessarily have their own security people. Sometimes they do, sometimes they have very sophisticated in-house security teams. Sometimes the buyer is one of the big tech companies, but a lot of the times, it's not. And I think it just really comes down to what they ask as well. I mean, I think no M&A deal is exactly like any other M&A deal, even though it seems like maybe that would be the case, it's just not.

Shay Colson: That's because the businesses are never the same.

Jake Bernstein: And that's really what it comes down to is that what makes this... This is the ultimate expression of Kip's favorite phrase, which is cyber risk is another form of business risk.

Shay Colson: Absolutely.

Jake Bernstein: And that is never more true than in the context of a deal team with M&A.

Kip Boyle: And I love this conversation because I think, Shay, you're doing a great job of not only affirming that saying, but also telling us the implications of that. So what you're saying here is, yeah, it's just another business risk, which means that it needs to be set alongside of all the other ones and prioritized with all the other ones. And there's limited money available to mitigate risk down to an acceptable level. And it's not a given that cyber is going to be the risk that's going to get most of the resources or any resources at all. There's so many different ways to deal with this and I really like that. I think it's a great reflection of the maturation of the way business leaders think about cyber. I think it's a very good thing overall. And this is a wonderful point that's coming up at our conversation.

Jake Bernstein: I'm curious, Shay, if you guys also get involved in, to the extent it's different, which it's becoming more and more different is the privacy diligence. I mean, everyone, I think, has a sense that privacy and cyber are linked, that, at least in my world, that phrase it's almost always privacy and security, cyber security and privacy, data privacy and security, data security and privacy. I mean, there's so many variations of it.

Kip Boyle: That drives me crazy.

Jake Bernstein: I know it does. And Kip, it really used to drive me crazy as well. I've gotten over it because they're just linked, even though they're different, and practitioners, particularly cyber practitioners, get irritated by it, but they're connected.

Kip Boyle: It's just where it's going.

Jake Bernstein: It's just where it's going. Yeah, it is.

Kip Boyle: It's just where it's going. It's just like we can't get mad that we have to say cyber anymore. Sorry, we lost that war.

Jake Bernstein: Yeah, it's true. But I'm just curious because obviously as a lawyer it's easier to focus on the privacy as opposed to the cyber security component. And I'm curious from your perspective, if you look at privacy, do your clients ask you to, how does that play into your typical engagement?

Shay Colson: So here's what I would say. I think of them as close cousins, but certainly distinct practices. And I still think privacy is better served by an attorney looking at it from that regulatory compliance perspective rather than a practitioner. Now the cyber piece is, look, if you don't have an inventory, if you couldn't complete a data map, there's no way you're going to be compliant with CCPA or GDPR or whatever. So you've got to have these cyber chops in place to support the privacy requirements of your business. And that's the piece where there's this intersection.

But given both the shifting landscape and the real regulatory driver for privacy, I think the attorneys are better served there. And frankly, from a go-to-market perspective for us, working with the privacy team as outside counsel and not stepping on their toes and just supporting from a cyber perspective is a lot less threatening and lets them have a say and a domain where they can really add value. As soon as you start to commingle them, you've got to do all that kind of interpersonal management, as well as the actual subject matter. And Jake, you live this, it's tricky to tell lawyers what to do.

Kip Boyle: You can tell them all day long, but they never listen.

Jake Bernstein: Well. And I've decided an-

Shay Colson: Send them an email and CC somebody, they will.

Jake Bernstein: And I've already decided by now that I like Shay, but there's another area, there's another field of law, environmental law, particularly environmental litigation, where there is a constant tension and interplay between the lawyers and the consultants in that field. It's very, very similar. It's a very technical field. And what you end up having is you've got a lot of consultants with geological engineering, hydro, whatever, degrees, scientists who probably cross the line into practicing law, giving legal advice. And then vice versa, you've got lawyers who start to think of themselves as scientists. And the same thing happens or is happening or will happen in this cyber privacy space, particularly with people like me who go out and get a CISSP after being a lawyer for a decade.

But I think there is always room in this space for true, true deep diving specialists. And I think you're right that privacy feels more legal even though there's a lot of non-lawyer "privacy professionals" out there. And I think that I appreciate the attempt to identify the lane. I think you're right. I agree with you completely is that cyber is generally more technical than privacy. What's funny though, and something we haven't really talked about that can be difficult to get across to the deal team is that take tax, right? Tax is literally dollars and cents. Either we've paid too little or we've paid too much. All of the risk in tax comes out as a number. And I think the difficult part of cyber due diligence is you can't necessarily quantify in dollars and cents every cyber risk, right? I can tell you the average cost of a data breach, but what I can't tell you is how is a data breach in your specific business context going to hurt you in the short or long-term? That's what's very challenging.

You have to walk this very fine line of being a business risk, but without trying to elevate. We, as cyber professionals want to elevate it a little bit. And there's reasons for us to do so, but if you do it, you run the risk of getting ignored as a negative Nancy or Chicken Little. Exactly. And so it's very, very tricky. And I'm curious if you have any thoughts on that specific issue of you might not have a specific dollars and cents technical review, but you might want to tell the buyer, look, think of the business you're in. For example, you're in the trust business. If you buy this company and they cause a breach, you're far more hosed than just if you paid the wrong taxes.

Shay Colson: Yeah, no, I think there's a couple of ways to do this. One is to put the dollars and cents on the remediation side, and this is what I try and do with the top three risks that make it to the one slide that the deal team sees. And that's both a rough time and cost estimate to do. But you don't have EDR, you don't have an MFA solution and you've got 5,000 endpoints, or you've got 3,000 employees or whatever. Well, we can roughly scope what it would take, how long it would take to roll that out and give them that sense. You don't have a CISO, you need a managed detection and response capability, but we can estimate that, right? And so give them a sense of, look, in the first year you're going to spend some hard dollars, about this much. But then on the other side of that teeter-totter of value is think about what would happen if they were down for an hour, a day, a week if they were down for two weeks and then pieced it back together over two months.

And you don't have to be as specific at that because they can understand that none of that is tenable. And when they're paying 100, 200, 500, a billion, whatever, a $300,000 IT budget for some projects is totally worth it and they have a sense of it. So I think you can just sidestep this challenge of the dollars and cents and say, we're going to look at progress, we're going to do the things we know need to be done, and then in three months we're going to be a different business. And then maybe we do more holistic risk assessment or we know where else we need to go. But that's the focus element here of in the deal what do we do?

Jake Bernstein: And this is a perfect segue into the final question point we wanted to raise with you, which was, does cyber due diligence end when the transaction closes?

Shay Colson: No. And I think this is exactly where you start to jump off on that point, in the sense that you are now building a cybersecurity program for the company that you just bought, and you're going to have to represent that at your next transaction. And so instead of seeing-

Jake Bernstein: That's such a good way of framing this is, I mean, I love this concept that particularly for private equity in the portfolio companies, it's not about this deal. It's about the next one. That is so insightful.

Shay Colson: And I love to frame these not as costs, but these are your initial investments in cyber because you're going to get that back and many times over if you have a robust program that not only is demonstrable and communicable to the next investors, but that supports your business as you grow, you get the benefit of MFA, of managed detection and response, of a resilient operation, whatever it is during the whole time you own it and you get that back when you go to sell it because you can say look at all the things we've done. Here's all of our program definitions, policies, procedures, capabilities, whatever. And it's a nice tight defined package that you've spent three years building, you're going to be in a much better place to get that bigger valuation at the next transaction.

Jake Bernstein: Absolutely.

Kip Boyle: Sorry, I wanted to ask a question. It's kind of strange to me, Shay, that you would say that because in a way, going into the purchase, cyber is really at the bottom of the list. It's not really elevated as big of a material risk as we think it is. But then so why on the other side, when you're ready to sell it, would it be seen as a really valuable thing? That seems disproportionate on the going in versus the coming out.

Shay Colson: There's a couple things that I think amplify it. One is we're selling it in three years or in five years. Cyber is only going to be more important. We aren't just going to figure out, oh, we just solved cyber, we don't have to worry about that anymore. No, it's going to get more attention.

Jake Bernstein: It does seem unlikely.

Shay Colson: And that's why we all still have jobs. But the other piece is the investment, the importance of cyber is so that your business can keep doing whatever it does as a business. And everything you do now supports that for the whole period. And so to just take it back to your core tenet of cyber risk is a business risk. That's what we're doing here and we're investing to support the business the same way you would invest in employees or offices or telephones or whatever that infrastructure is that helps you deliver value, cyber can now do the same thing. And actually, if you don't, you aren't even going to make it to the next transaction.

Jake Bernstein: You may not.

Kip Boyle: And so what you're really talking about is the business value of cybersecurity as an ongoing capability. And you're saying people recognize that value today and you believe that the recognition of that value is going to increase over time?

Shay Colson: I think some people recognize that value today. I think it certainly depends on the investor, depends on the acquirer. But I also think that anybody who's had even a close call, a near miss, a cyber scare is going to know, boy, I'm glad that didn't happen. What do I need to do to make it X less likely? Or particularly those who've experienced it somewhere in their investment portfolio, they know how disruptive it is. They know that the soft costs, not just the fines or the ransom payment or whatever, but the actual operational stress to the business, is not worth undergoing under any circumstances. So how can we manage that down? And I think sadly, that's going to be more and more common. We are not doing a good job collectively to contain ransomware. We're not sharing TTPs and disclosures. Those things are all going to change, but right now it's still every company for themselves. And so you've got to do it and this is where it starts.

Kip Boyle: Okay, got it.

Jake Bernstein: And just as we wrap up here, why don't you mention the hundred day plan. I think that's a common M&A thing that not every other cyber practitioner may have heard about unless they've done M&A deals. And I think it's interesting, a hundred days is not very long, but I'm curious what your perspective is on how do you advise the buyer on the hundred day plan? And what is the hundred day plan?

Shay Colson: Yeah, so the hundred day plan is typically once the deal closes, what's the new ownership going to do in the first hundred days to really set the business on this new growth trajectory. And typically, it's things like we're going to bring in a CFO, we're going to replace this family run business, founder driven business with some professional management that we've worked with before at another company. That's a very common private equity change. But in the cyberspace, this hundred day plan is where you focus these initial high ROI efforts. And I actually like to break it down into three bullets, one for three days, one for three weeks, one for three months because sometimes there are these three day things where it's like, look, you've got RDP facing the internet, you got to turn that off. You've got single factor on this public facing application, you got to change that, right? Or whatever it is that you got to patch these actively exploited vulnerabilities. That's a three day thing. You need to do that now.

The three week thing is one or two things that we need to get in place, whether it's MFA or something that's just a little bit more resilient. And then the three month thing. And what it does is it gives you crawl, walk, run steps, three bullets. It's not overwhelming, but if you did all of those things, you would be in a much stronger position. And then in a hundred days you have different management, you're probably thinking about expansion, you're fundamentally, and this is the point of the investment, a different business. And then we'll start again at looking at the next steps given where we want to go. But I think it gives practitioners and the business enough time to get something done, but it's not so long that those projects just run out of steam or you get distracted. Projects that take a year are really hard to execute consistently.

Kip Boyle: For sure. And that's good insight on the psychology of the people involved because most cyber security people that I interact with completely discount or are blind entirely to these human factors about getting some of this stuff done. And I'm talking about outside of the context of an acquisition or a merger or whatever. So that's a really standout thing you just said. And I wanted to make sure that I highlighted it for our audience that even outside of the context that we're talking about today, these human factors are so important.

Shay Colson: Oh, it's always important in terms of humans.

Kip Boyle: Yes, it always is. But what I find is that people who come into this career field often are in it because, well, they find people kind of difficult and they'd rather just-

Shay Colson: I work with computers. Well, this is actually a people job. This particular exercise is very much about the people. And I try and write my reports and I'm sure, Jake, you do too. They go to the client that hires us, the investors, the deal team, that's who gets our work product. But I try and write it such that if the target's security team, the people I end up interviewing and poking and prodding or raking over the coals, depending, see the report, their attitude is like, yeah, that's right. That's true. I'm not trying to blow anybody up or make anybody look bad, but just be honest and accurate about where we are and where we need to go because those are the people who are going to have to do it. You don't switch security teams on day one. You work with what you've got. You move it generally gradually.

Jake Bernstein: Well, not usually at least.

Shay Colson: Unless you're Patreon this week, this morning, apparently.

Jake Bernstein: I didn't see that.

Shay Colson: They fired their whole security team.

Jake Bernstein: This was the very first thing I've done today. So I checked the news, but I'll have to do that.

Kip Boyle: Well, breaking news on the Cyber Risk Management Podcast, even though this is going to come out later.

Jake Bernstein: Apparently, yeah, which won't be breaking by the time this airs.

Kip Boyle: Yes, but enjoy the smell of breaking news right now. We just uncorked it and we don't do that very often. So Shay, this has been a fantastic conversation. Thank you so much. We got to wrap up, but before we do, if there's anybody in the audience that's listening and they would love to reach out and talk with you about these things, how would they do that? Where should they go to find out more about Shay?

Shay Colson: Yep. You can find me most often on LinkedIn and S H A Y C O L S O N, or you can find the company website, coastalcyber.io. Either way is good. LinkedIn has become my default hangout, and I do every Monday morning, a five minute cyber situational awareness video for private equity investors to figure out in the news that we saw over the last week, what does that mean for your portfolio companies, your new investments? And so that's a good place to start and that's all on LinkedIn.

Kip Boyle: Fantastic. Well, that wraps up this episode of the Cyber Risk Management Podcast. What did we do today? Well, we took a look at how deal teams and merger and acquisition teams can understand and manage cyber risk so they can do what? So what? Well, to make better business decisions during the acquisition process. And I'm so happy that Shay Colson was here to help us explore this issue and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.