Vulnerability Management Considerations for Credit Union M&As
The M&A process can bring to light that your CU is more vulnerable to cyberattacks than you were previously aware of.
Given the hundreds of merger and acquisition applications approved each year by the NCUA, M&As remain an appealing strategy for growth. However, in today’s cyberworld, merging with another company also means adopting another company’s network infrastructure, software assets and all the security vulnerabilities that come with it. In fact, consulting firm West Monroe Partners reported that 40% of acquiring businesses discovered a high-risk security problem after an M&A was completed.
A case in point: In the early 2000s, I was part of a team heavily involved during and after the merger of two large financial institutions. We quickly came to the realization that the entities had two completely different approaches to cybersecurity. One had a robust testing program revolving around penetration testing (or pentesting) and leveraged an industry standard framework to benchmark its software security initiative annually. The other did not do as much penetration testing but focused more on architecture and design level reviews as its security benchmarking activity. Trying to unify these divergent approaches quickly brought to the surface myriad vulnerabilities that required immediate remediation. However, the acquired entity didn’t have the business cycle or funding needed for the task, which created a backlog of several hundred thousand issues needing to be addressed. This caused delays in the M&A timing because terms and conditions had to be created. Both parties also had to agree to timelines within which the organizations would address identified vulnerabilities and the approach they would take to prioritize remediation activities accordingly.
During an M&A transaction, the risk of a breach should remain top of mind – particularly for the financial sector. Researchers from the Boston Consulting Group found that cyberattacks hit financial services 300 times more than other sectors in 2018 and few organizations were prepared to respond to an attack. As you consider your growth plans for 2020 and beyond, explore the following considerations and best practices to improve your security posture.
Common M&A Security Problems
Like most organizations, credit unions tend to build custom software to increase operational efficiency. The challenge is that smaller organizations tend to not perform regular security testing as they build software and have fewer (if any) security touchpoints as part of their software development lifecycle. There’s nothing wrong with that; however, challenges could arise after a merger when network and application integration begins because chances are that security assessments will be performed at that time, when some of the most common software and network vulnerabilities are most likely to be identified. According to the OWASP Top 10, a list about the most critical security risks to web applications today, among the most common vulnerabilities, which can be exploited by attackers, are:
- Injection flaws, which can enable data breaches where attackers extract data from databases or enable them to create phishing attacks against the application’s end users.
- Broken authentication, which can allow attackers to view or access data and functionality that they should not have access to.
- Sensitive data exposure, which could lead to personally identifiable information data exposure or account data exposure (e.g., credit card number being breached).
A bigger issue, which should make any organization hesitant about proceeding with an acquisition, is if the acquisition target can’t tell you its cybersecurity “story.” If you discover that your acquisition target handles cybersecurity in a non-systematic, tactical way, raise the red flag. Hackers exploit your weakest link. It doesn’t matter how many security controls are in place, if you have one weak system, hackers will figure out a way to get in and exploit it. A common scenario is where the target initiates a security assessment only upon customer request. This is a clear indication that there is a lack of focus or awareness on the importance of security, and will inevitably lead to weaknesses somewhere in the network, the infrastructure where the software’s hosted, or within the software itself. Not only will you be acquiring that weakness, you’ll also be acquiring the organization’s people, who may not have been exposed to proper security considerations as part of their day-to-day jobs.
Unfortunately, we encounter situations like this frequently. Many smaller credit unions have limited resources and budgets to allocate toward cybersecurity, so cybersecurity plays second hand to other budget considerations designed to generate tangible results like improved operational efficiencies or new revenue streams.
Because credit unions are liable for protecting member identity and assets, executives need complete visibility into true risk exposure during an M&A. Included among the items that are critical to evaluate are:
- The existing controls in place;
- The type of assessments and security scanning techniques used to report to the executive team on the posture of all systems; and
- A proper portfolio view of all assets – when they were last tested, what testing was done, what current open vulnerabilities exist and which have been fixed, and the length of time each was open.
Best Practices to Maintain a Positive Security Posture Throughout an M&A
To be successful in your security efforts, the first and foremost consideration should be establishing a proper focus on governance. Without an organizational charter describing how your credit union defines cybersecurity and how to achieve it, you won’t have a unified way to build more secure software. Executive buy-in and support for such a charter is fundamental to all other security endeavors.
Next, engage in vulnerability testing and remediation activities. During an M&A, software composition analysis is one quick and easy technique for determining the quality of the software that’s being brought into an organization. This examination looks at every program that’s built in-house and determines what open source components are a part of that software, along with related known security vulnerabilities associated with those open source components.
Pentesting is another well understood activity credit unions can leverage. Essentially, pentesting is a simulated cyberattack on a computer system, which is performed to evaluate how secure a system is. Because pentests result in actionable items that can be addressed, executives can see what is easily exploitable and how it can be fixed. To do a deeper dive into the security of an acquisition target, tactics such as code reviews, architecture analysis and a red team engagement should be performed before finalizing any acquisition.
Lastly, credit unions need to make sure that they’re educating their staff. You can put in as much automation and administrative security controls as you want, but if your people aren’t aware of the security implications of their actions and decisions, all other controls become irrelevant.
A Final Word
If a governance charter, vulnerability testing and remediation, and employee training are not currently critical components of your M&A plan, you may need to revisit your strategy. The M&A process has the potential to bring to light that your organization is more vulnerable to cyberattacks than you were previously aware of. A good first step? Identify the biggest vulnerabilities in both parties.
Nabil Hannan is Managing Director of Advisory Services at NetSPI, an enterprise security testing and vulnerability management firm in Minneapolis, Minn.