Key Points
- In 2023, mergers and acquisitions (M&A) deals reached $2.5 trillion globally, making the companies involved an attractive target for cyber threat actors looking to exploit them at their most vulnerable.
- Discussions on cybercriminal forums reveal interest in monetizing M&A insider information for profit, as well as using it for insider trading and blackmail.
- Interestingly, only half of the M&A security incidents we analyzed involved malicious activity. The rest were linked to challenges like policy and compliance issues, difficulties in baselining internal tools, and integration-induced investigation delays. Although not malicious, these issues can still pose serious problems for organizations.
Totaling an impressive $2.5 trillion worldwide in 2023, mergers and acquisitions (M&A) deals are a tantalizing target for cyber threat actors eager to exploit companies when they’re most vulnerable. One private equity CISO reported a 400% increase in phishing attempts on acquired companies post-M&A deal announcements.
As enterprises navigate the intricate maze of legal and financial negotiations involved in merging two distinct entities, cybersecurity often takes a backseat:
- Deals are conducted behind closed doors, giving senior security staff little time to manage the complexities of the transition.
- Job security anxiety in a newly acquired company can erode morale and performance, compromising security posture.
- Post-acquisition, as companies integrate new tools and train staff, compliance issues and logging gaps frequently arise.
Together, these factors magnify any existing vulnerabilities, transforming manageable risks into significant threats during the M&A period. In this report, we take a deep dive into five critical M&A cyber threats we’ve recently helped our customers navigate:
- Policy and compliance issues
- Managing legacy risks
- Deficiencies in logging visibility
- Integrating disparate software ecosystems
- Unifying response strategies
By exploring dominant trends and real-life case studies, we’ll shine a light on the cyber hazards associated with M&As. We’ll also provide actionable recommendations so you can proactively defend against these heightened risks and ensure a more secure and successful integration. With M&A activity projected to rise by 10% in 2025, now’s the time to harden your cybersecurity defenses.
Dark Web Dialogues Prove Adversaries’ M&A Interest
Cybercriminal forum content indicates that threat actors deliberately target companies engaged in M&A processes. They’re likely abusing perceived security weaknesses while staff are preoccupied with merger logistics, which increases the chance of a successful compromise and allows them to remain undetected on networks for longer.
Turning Insider Knowledge into Competitive Power
On the Russian-language forum XSS, a lengthy post discussed the value of insider information for competitive intelligence, particularly “competitors’ long-term goals, their expansion plans, mergers and acquisitions, and new market initiatives” (translated from Russian). The post implicitly recommended monetizing insider information about M&A deals, which would allow rival companies to “gain insight into the strategic vision and development directions of their competitors.”
Stolen M&A Details: From Theft to Profit
In another post, a user claimed to have exclusive intelligence about an unnamed company’s M&A details, asking: “How can this information be monetized?” Responses suggested exploiting the information for insider trading, with one forum member comparing the potential profits to those from ransomware. Another user recommended blackmail.
No Sector Is Safe from M&A Data Leaks
Data leaks from firms in the M&A process regularly feature on the English-language forum BreachForums, highlighting companies’ particular fragility during this transitional period. One data-leak post involved a US retailer that was recently acquired by another, sharing dates of birth, email addresses, credit card data, and IP addresses for free (see Figure 1). Another post advertised the sale of client and employee credentials and email information from a Japanese construction company involved in M&A activity. Such forum listings emphasize that the M&A threat can touch any sector or geography.
Exploring the Patterns in M&A Incidents
Manufacturing Most at Risk
Our analysis of customer data from 2024 found the manufacturing sector faced the most M&A-related issues, accounting for 42% of customer M&A incidents. This likely relates to the sector’s reliance on legacy systems and operational technologies, which complicate updates and incident response and are only magnified during M&A.
By contrast, the finance and insurance; professional, scientific, and technical services (PSTS); and retail trade sectors accounted for 8% each. It’s realistically possible that this stems from stringent regulatory compliance requirements or because technology integrations for these sectors are less complex than for manufacturing.
Why Inherited Assets Are the Biggest Danger
Beyond obvious malicious activities, integrating assets and personnel from acquired companies can also create cyber challenges. Around 50% of customer incidents that occurred during M&A involved policy violations or other non-malicious activities.
- 17% of cases involved integration-induced investigation delays
- 17% featured policy and compliance challenges
- 17% entailed issues baselining internal tools
These issues arise when users from acquired companies stick to old practices or use tools that are no longer permitted, either due to unfamiliarity with the new environment or reluctance to adapt. Given the prevalence of these issues, companies undergoing M&A must be as vigilant about internal workforce dynamics as they are about external threats.
Next, we’ll examine five key cyber challenges encountered by our customers during their M&A processes, providing insights into the difficulties faced and the strategies used to mitigate them.
Out with the Old: Adapting to New Compliance Standards
Policies and procedures are the bedrock for proper technology use in an organization, covering asset management, security protocols, employee expectations, Wi-Fi, and more. However, staff from acquired companies often stick to their previous practices and protocols despite comprehensive training on new policies. Old habits die hard, and these habits tend to persist long after the acquisition process has come to an end.
Employees who unknowingly breach IT policies can generate considerable noise for security teams, triggering alerts whenever their actions look suspicious or break established protocols. These alerts can't be made to go away simply by loosening detection rules: creating an email forwarding rule to an external domain looks the same whether a new hire is trying to keep up with their old mailbox or an attacker is quietly siphoning off mail, and tuning out one tunes out the other.
Repeated policy violations divert critical resources from what’s really important, as they necessitate additional training and management efforts. This heightens the risk of successful attacks, which can have profound impacts like financial losses, erosion of stakeholder confidence, and long-lasting damage to the company’s reputation.
In July 2024, we responded to a post-acquisition incident affecting an industrial sector customer. An employee created an email forwarding rule to an external domain, triggering an alert looking for indicators of data exfiltration. Our investigation revealed the rule was forwarding emails to the employee’s old email account from the acquired company, indicating a violation of company IT policies. To remediate the incident, the customer removed the forwarding rule following our recommendations.
This case highlights the challenge of integrating new employees into existing systems while ensuring adherence to IT policies. While not malicious, this alert required resources for resolution and training to prevent reoccurrence. Proactive onboarding and education, as well as ensuring employees stop using their old email accounts, helps prevent newly onboarded staff from missing critical information and alleviates resource strain during M&A.
Recommendations
- Provide training on new equipment, software changes, and email account protocols. This helps newly onboarded employees integrate into their new IT environment and adhere to established rules, reducing policy violations.
- Enable the following detection rules in ReliaQuest’s GreyMatter platform to identify email policy violations and spotlight problematic areas, enabling tailored corrective training and policy adjustments:
  - Email Forwarding Rule to External Domain
  - Malicious Email Outlook Rule Created via API/Portal
  - Suspicious Email Outlook Rule Created via Outlook Client
  - Suspicious Email Outlook Rule Created via API/Portal
- Set up Automated Response Playbooks in GreyMatter to act swiftly on users creating suspicious email rules by:
  - Disabling the user
  - Resetting the password
  - Terminating active sessions
Security teams should weigh practicality when deciding which responses to automate. Automatically disabling accounts for users with suspicious email forwarding rules could lock out many workers at once if the habit is widespread in the acquired company, disrupting business operations. On the other hand, it discourages forwarding to old addresses and reinforces adherence to the new policies. A lower-impact first step is to remove the rule automatically and notify the user, reserving account disablement for rules that forward to domains belonging to neither company.
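The triage logic implied above, as an added example that is not part of the original report and not ReliaQuest code: it reads simplified Microsoft 365 unified-audit-log style records for New-InboxRule and Set-InboxRule, extracts the forwarding targets, and separates the noisy but benign "forward to my old company mailbox" case from forwarding to unrelated domains, escalating further when the rule also hides the forwarded mail. The domains acme.example (acquiring company) and oldco.example (acquired company) and all sample events are assumptions constructed for the example.

```python
"""Triage inbox-rule creation events that forward mail to external domains.

Added example, not part of the original report and not ReliaQuest code.
Assumptions: events are simplified Microsoft 365 unified-audit-log style
records; acme.example is the acquiring company's domain and oldco.example
the acquired company's legacy domain. All sample events are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

INTERNAL_DOMAINS = {"acme.example"}   # acquiring company (assumed)
LEGACY_DOMAINS = {"oldco.example"}    # acquired company's old tenant (assumed)
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Options attackers commonly pair with forwarding so the victim never sees the mail
STEALTH_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


@dataclass
class Verdict:
    user: str
    targets: list[str]
    severity: str   # "info", "policy_violation" or "escalate"
    reason: str


def _domains(value: str) -> set[str]:
    """Recipient domains from an Exchange address list such as
    '"Jane" [SMTP:jane@oldco.example]' or 'a@x.example;b@y.example'."""
    return {m.lower() for m in EMAIL_RE.findall(value)}


def triage(event: dict) -> Verdict | None:
    """Return a Verdict for rules that forward mail; None for rules that don't."""
    if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    targets: set[str] = set()
    for name in set(params) & FORWARD_PARAMS:
        targets |= _domains(params[name])
    if not targets:
        return None

    user = event["UserId"]
    external = targets - INTERNAL_DOMAINS
    stealth = set(params) & STEALTH_PARAMS
    if not external:
        return Verdict(user, sorted(targets), "info", "forwarding stays inside the tenant")
    if external <= LEGACY_DOMAINS and not stealth:
        # The post-acquisition habit: mail copied to the old company mailbox.
        return Verdict(user, sorted(targets), "policy_violation",
                       "forwards to the acquired company's legacy domain; remove rule and retrain")
    why = "forwards to an unrelated external domain"
    if stealth:
        why += f"; rule also hides forwarded mail ({', '.join(sorted(stealth))})"
    return Verdict(user, sorted(targets), "escalate", why)


# Constructed sample events (not real audit data)
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "jane@acme.example",
     "Parameters": [{"Name": "Name", "Value": "keep old mailbox"},
                    {"Name": "ForwardTo", "Value": '"Jane" [SMTP:jane@oldco.example]'}]},
    {"Operation": "New-InboxRule", "UserId": "bob@acme.example",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "[SMTP:drop@mail-collector.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ann@acme.example",
     "Parameters": [{"Name": "Name", "Value": "to team"},
                    {"Name": "ForwardTo", "Value": "[SMTP:team@acme.example]"}]},
    {"Operation": "Set-InboxRule", "UserId": "ann@acme.example",
     "Parameters": [{"Name": "Name", "Value": "move"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
]


def triage_all(events: list[dict]) -> list[Verdict]:
    """Verdicts for every forwarding rule in the event list, in input order."""
    return [v for v in (triage(e) for e in events) if v is not None]


if __name__ == "__main__":
    for v in triage_all(SAMPLE_EVENTS):
        print(f"{v.severity:17} {v.user:18} -> {', '.join(v.targets)}: {v.reason}")
```

The three-way split is what makes the automated response decision above tractable: the "policy_violation" bucket can safely be handled by removing the rule and notifying the user, while only the "escalate" bucket needs session termination and a credential reset.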
Managing Threats from Inherited Assets
Previously beyond the control of the acquiring entity, inherited assets bring issues ranging from default passwords on servers to dormant nation-state actors already hiding in the network. An adversary with an established foothold can launch an attack at any time, and recommended practices like timely software updates do nothing against access that has already been obtained, leaving the organization highly vulnerable to security incidents.
Inconsistent asset management further exacerbates the risk. Varying standards across companies can result in overlooked or inactive assets lacking proper logging and monitoring, leading to hidden vulnerabilities within the network.
Conducting thorough security assessments on numerous incoming devices can be daunting, especially with tight deadlines and the danger of impacting business if new devices are not onboarded quickly. However, skipping these assessments can have dire consequences and negate all other efforts to maintain secure networks.
In September 2022, we addressed a transportation customer incident in which a file carrying a known ransomware signature was detected on an endpoint from a newly acquired company. The file was deleted before it could execute. We helped the customer assess the full scope of the incident, identify abnormal processes linked to the malware, and re-image the affected machine.
This case exemplifies the challenge of inheriting malware from endpoints acquired during M&A. While it’s difficult to guarantee all inherited devices are uncompromised, thorough auditing can minimize unexpected threats. In this instance, effective alerting successfully mitigated the ransomware threat, safeguarding the customer’s network.
Recommendations
- Conduct a cybersecurity assessment as part of due diligence, before the deal is finalized, to identify and quantify the target’s vulnerabilities and compliance gaps. Surfacing risks early supports informed decision-making and reduces the likelihood of inheriting liabilities.
- Use an effective digital risk protection (DRP) solution like ReliaQuest’s GreyMatter Digital Risk Protection (GreyMatter DRP), whose clear, deep, and dark web monitoring identifies potential threats from acquired entities like leaked credentials and API keys. Proactive monitoring helps organizations address security issues early, significantly reducing the risk of successful cyber attacks and ensuring a smoother, more secure integration during M&A.
- Utilize network segmentation to isolate inherited assets, preventing threats from spreading across the network. This containment limits damage during security incidents to give companies crucial breathing room during the delicate onboarding phase for inherited devices.
Illuminating the Blind Spots in Logging Visibility
Logging is critical for maintaining oversight and rapidly identifying security incidents within a network. Logs detail when and where events occur, the origins and users involved, actions taken, and their outcomes. During M&A, integrating disparate IT environments often creates significant logging visibility gaps, which featured in 17% of customers’ M&A-related incidents in our dataset.
Even outside of M&A, achieving a complete asset inventory is challenging. Issues can arise from contractors working outside typical security protocols or remote employees bypassing standard firewall rules. An effective asset inventory encompasses all connected devices and software within your environment, including hardware like laptops and servers, as well as owned or cloud-based software tools. Visibility into assets helps identify and mitigate risks, ensuring awareness of potential threats and operational disruptions.
Varied logging strategies and tools used across entities may mean an acquired company’s pre-existing logging capabilities don’t match up to new standards. This can result in little to no telemetry for newly acquired assets, creating critical blind spots. Without proper logging and visibility, incidents like unauthorized access, code injection, or data breaches may go undetected.
In August 2024, a health care customer experienced an incident involving critical gaps in logging and visibility. Unauthorized access and data exfiltration occurred on a server the client did not know it had. The malicious activity initially went unnoticed because the server produced no logs: it originated from a recently acquired company and was missing the standard SentinelOne agent, so attackers could execute remote commands on it without detection. We recommended a domain-wide credential reset, beginning with critical accounts, to cut off any access the attacker had gained, and advised deploying SentinelOne agents across all endpoints to enable comprehensive, real-time detection.
This case highlights the crucial role of robust logging and visibility across all network assets in detecting and mitigating threats. Without proper logging, attackers can swiftly progress through their attack stages unnoticed. In this instance, the attacker moved from initial access to copying an important data file within just 50 minutes, demonstrating the potential for severe consequences.
Recommendations
- Integrate key log sources like identity and access management systems, operating systems, and network devices, ensuring logs are correctly parsed to enhance detection fidelity and reduce alert fatigue. ReliaQuest’s GreyMatter platform seamlessly integrates and optimizes diverse log sources, strengthening detection and response capabilities.
- Adopt a defense-in-depth strategy by deploying detection rules across multiple log sources to further enhance visibility. ReliaQuest’s extensive content library, mapped to the cyber kill chain, empowers security teams to respond swiftly to threats.
- Establish a unified logging framework across both entities to ensure consistency and improve visibility once logging capacity is established on all devices. This standardization streamlines incident detection and response, enhancing overall security posture during M&A transitions.
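The first step toward the unified logging framework recommended above is knowing which hosts send no telemetry at all. The following is an added example, not part of the original report and not ReliaQuest code: it cross-references three constructed inventories (computer objects exported from both companies' directories, hosts enrolled in the EDR console, and DHCP leases as a network-side view of what is actually alive) to find endpoints that are unmonitored, silent, or, as in the case study, unknown to the acquiring company entirely. Hostnames, domains, dates and the 7-day and 90-day thresholds are assumptions for the example.

```python
"""Find endpoints with no (or stale) EDR/log telemetry after an acquisition.

Added example, not part of the original report and not ReliaQuest code.
Assumptions: three constructed inventories stand in for exports from the
merged directories, the EDR console (the case study names SentinelOne; any
agent-based EDR works the same way) and the DHCP server. Hostnames are
normalised so 'srv-01.oldco.example' and 'SRV-01' count as one machine.
"""
from __future__ import annotations

from datetime import datetime, timedelta

NOW = datetime(2024, 8, 20)          # fixed "now" so the example is deterministic
STALE_AFTER = timedelta(days=7)      # agent silent longer than this = logging gap
DORMANT_AFTER = timedelta(days=90)   # directory object with no logon this long

# Constructed: computer objects exported from both companies' directories
DIRECTORY = [
    {"host": "FIN-WS-101.acme.example", "last_logon": "2024-08-19"},
    {"host": "srv-01.oldco.example",     "last_logon": "2024-08-18"},
    {"host": "srv-02.oldco.example",     "last_logon": "2024-08-19"},
    {"host": "lab-legacy.oldco.example", "last_logon": "2024-03-02"},
]
# Constructed: hosts currently enrolled in the EDR console
EDR_AGENTS = [
    {"host": "fin-ws-101", "last_seen": "2024-08-19"},
    {"host": "SRV-01",     "last_seen": "2024-08-01"},   # agent stopped checking in
]
# Constructed: DHCP leases, a network-side view of what is actually alive
DHCP_LEASES = [
    {"host": "srv-02.oldco.example", "ip": "10.20.5.12"},
    {"host": "fileshare-old",        "ip": "10.20.5.40"},   # in no directory at all
]


def norm(hostname: str) -> str:
    """Short, lower-case hostname: drops the DNS suffix and case differences."""
    return hostname.split(".")[0].lower()


def coverage_report(directory=DIRECTORY, agents=EDR_AGENTS, leases=DHCP_LEASES,
                    now=NOW) -> dict[str, list[str]]:
    """Classify every host the organisation knows about by telemetry status.

    covered  - agent reported within STALE_AFTER
    stale    - agent enrolled but silent longer than STALE_AFTER
    missing  - active directory object or live lease, but no agent at all
    unknown  - live on the network (DHCP) yet absent from every directory
    dormant  - directory object with no logon within DORMANT_AFTER and not on the network
    """
    agent_seen = {norm(a["host"]): datetime.fromisoformat(a["last_seen"]) for a in agents}
    dir_logon = {norm(d["host"]): datetime.fromisoformat(d["last_logon"]) for d in directory}
    on_network = {norm(lease["host"]) for lease in leases}

    def agent_bucket(host: str) -> str:
        return "covered" if now - agent_seen[host] <= STALE_AFTER else "stale"

    report: dict[str, list[str]] = {k: [] for k in ("covered", "stale", "missing", "unknown", "dormant")}
    for host, logon in dir_logon.items():
        if host in agent_seen:
            bucket = agent_bucket(host)
        elif now - logon > DORMANT_AFTER and host not in on_network:
            bucket = "dormant"
        else:
            bucket = "missing"
        report[bucket].append(host)
    # Hosts the network sees but no directory knows: the "server unknown to the client" case
    for host in on_network - set(dir_logon):
        report[agent_bucket(host) if host in agent_seen else "unknown"].append(host)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, hosts in coverage_report().items():
        print(f"{bucket:8} {', '.join(hosts) or '-'}")
```

The "missing" and "unknown" buckets are the onboarding work list for agent deployment; "stale" is the list to chase before assuming an asset is covered, since an enrolled agent that stopped reporting looks covered in most console dashboards.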
Unifying Operational Tools Post-M&A
Different companies choose different tools for the same tasks: Some opt for Microsoft Teams for communication, while others prefer Slack. During M&A, integrating disparate software ecosystems means settling on a single tool for each function. But, as we discussed earlier, old habits die hard—employees may continue to use, or even attempt to re-download, alternative software for the same tasks.
Unusual software installation patterns, even of legitimate software, can signal threat actor activity. Remote monitoring and management (RMM) tools like TeamViewer are useful, but they are also routinely abused by threat actors for persistent remote access. From the installation event alone, a user downloading such a tool out of habit is indistinguishable from a threat actor staging one, so every instance has to be checked.
Like other IT policy violations, these activities can’t be ignored, particularly if they become widespread. Failing to baseline tools can lead to the growth of shadow IT, where users install software without the knowledge or control of their IT or security team. This non-standardization of tools makes it far harder to detect unusual behavior that might indicate malicious activity, as there is no established norm to measure against.
In June 2024, an alert highlighted an unusual process at a PSTS company on an endpoint obtained through a recent acquisition. The incident involved a non-standard process, where uninstaller.exe launched “explorer.exe” in an unconventional manner. This raised concerns about tampering, but our investigation revealed it was linked to data recovery software—a program likely used as standard at the acquired company but not in the acquiring company’s environment. We recommended asking the user of the host if the activity was part of an authorized IT process. If not, the host should be isolated and the account disabled. In response, the customer uninstalled the program from the machine.
This situation illustrates the challenge of standardizing internal tools during M&A processes. Security teams are distracted by alerts that, although non-malicious, appear threatening and demand attention. Simultaneously, employees from the acquired company face disruptions when their familiar software is restricted, underscoring the need for training in standard tools. Establishing standardized tools and training as early as possible in the M&A process can alleviate these challenges.
Recommendations
- To manage tool integration during M&A, assess the acquired company’s tools and needs and align them with the acquiring company’s approved tools. ReliaQuest can help fine-tune detections to safely manage the temporary use of old tools if necessary. However, this isn’t a long-term fix, as it risks undetected threats. The more sustainable and robust solution is to establish a new tool baseline and communicate it clearly to all employees.
- For high-risk tools like RMM software, the following ReliaQuest detection rules flag the installation of remote access services so that misuse can be caught early:
  - Remote Access Software Service Installed
  - Remote Access Software Service Installed – Critical Host
- ReliaQuest Hunt packages look for misuse of these high-risk tools. The Remote Monitoring & Management (RMM) Software package examines process events to uncover malicious activity, like using RMM tools for unauthorized access or data theft.
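The baselining problem described in this section, as an added example that is not part of the original report and not ReliaQuest code: it derives a software baseline from process-creation events on the acquiring company's hosts (any executable seen on at least two of them) and then reviews what acquired hosts run against it. RMM executables are flagged regardless of baseline; other unbaselined programs are ranked by how many acquired hosts run them, since a tool present across the acquired fleet is most likely the legacy standard to approve or replace, while a one-off warrants a conversation with the user, as in the uninstaller.exe case above. The host prefixes, the event list and the short RMM list are assumptions constructed for the example.

```python
"""Build a software baseline from the acquiring company's fleet and flag what
acquired endpoints run that falls outside it.

Added example, not part of the original report and not ReliaQuest code.
Assumptions: constructed process-creation events (host, image path) such as a
SIEM would hold from Sysmon event 1 or Windows event 4688; acquiring hosts
carry the prefix 'acme-' and acquired hosts 'oldco-'. The RMM list is a short
illustrative subset, not a complete catalogue.
"""
from __future__ import annotations

from collections import defaultdict
from pathlib import PureWindowsPath

# Remote monitoring/management executables that warrant review wherever they appear
RMM_EXECUTABLES = {"teamviewer.exe", "anydesk.exe", "screenconnect.clientservice.exe",
                   "atera.exe", "rustdesk.exe"}
MIN_HOSTS_FOR_BASELINE = 2   # a program must run on this many known hosts to count as normal

# Constructed events: (host, image path)
EVENTS = [
    ("acme-ws-01", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ("acme-ws-02", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ("acme-ws-01", r"C:\Users\jane\AppData\Local\Microsoft\Teams\current\Teams.exe"),
    ("acme-ws-02", r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe"),
    ("acme-ws-03", r"C:\Users\sam\AppData\Local\Microsoft\Teams\current\Teams.exe"),
    ("acme-ws-03", r"C:\Tools\sysinternals\procexp64.exe"),       # one host only: not baseline
    ("oldco-ws-11", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"),
    ("oldco-ws-11", r"C:\Users\lee\AppData\Local\slack\app-4.36\slack.exe"),
    ("oldco-ws-12", r"C:\Users\kim\AppData\Local\slack\app-4.36\slack.exe"),
    ("oldco-ws-13", r"C:\Users\pat\AppData\Local\slack\app-4.36\slack.exe"),
    ("oldco-ws-12", r"C:\Program Files\Recuva\uninstaller.exe"),
    ("oldco-ws-13", r"C:\Users\pat\Downloads\TeamViewer.exe"),
]


def exe_name(image: str) -> str:
    """Lower-case executable name from a Windows image path."""
    return PureWindowsPath(image).name.lower()


def _hosts_per_exe(events, prefix: str) -> dict[str, set[str]]:
    """Map executable name -> set of hosts (with the given prefix) that ran it."""
    seen: dict[str, set[str]] = defaultdict(set)
    for host, image in events:
        if host.startswith(prefix):
            seen[exe_name(image)].add(host)
    return seen


def build_baseline(events, known_prefix="acme-", min_hosts=MIN_HOSTS_FOR_BASELINE) -> set[str]:
    """Executables seen on at least min_hosts distinct hosts of the acquiring company."""
    return {exe for exe, hosts in _hosts_per_exe(events, known_prefix).items()
            if len(hosts) >= min_hosts}


def review_acquired(events, baseline, acquired_prefix="oldco-") -> list[dict]:
    """One finding per executable seen on acquired hosts but outside the baseline,
    RMM tools first, then the most widespread programs."""
    findings = []
    for exe, hosts in _hosts_per_exe(events, acquired_prefix).items():
        if exe in RMM_EXECUTABLES:
            verdict = "rmm: investigate, unauthorised remote access tool"
        elif exe in baseline:
            continue
        elif len(hosts) >= MIN_HOSTS_FOR_BASELINE:
            verdict = "legacy tool: widespread on acquired hosts; approve or replace, then retrain"
        else:
            verdict = "outlier: single host, confirm with the user before isolating"
        findings.append({"exe": exe, "hosts": sorted(hosts), "verdict": verdict})
    findings.sort(key=lambda f: (not f["verdict"].startswith("rmm"), -len(f["hosts"]), f["exe"]))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(EVENTS)
    print("baseline:", ", ".join(sorted(baseline)))
    for f in review_acquired(EVENTS, baseline):
        print(f"{f['exe']:18} {len(f['hosts'])} host(s)  {f['verdict']}")
```

In practice the baseline would be drawn from weeks of process telemetry rather than a dozen events, and the RMM list from a maintained catalogue; the shape of the output is the point: a short, ranked list that tells the security team which findings are an IT standardization task and which are an investigation.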
Don’t Let M&A Integration Slow Your Threat Response
In the complex M&A process, integrating newly acquired entities creates major incident response challenges. Security teams and the acquired company’s tools and practices must be aligned with the standards and protocols of the acquiring organization. Integration-induced delays accounted for 17% of M&A-related incidents in our dataset.
Investigating a security incident during the M&A process can be extremely tedious. Unclear communication channels between existing and new team members hinder the exchange of critical information, while unfamiliarity with the acquired company’s environment and tools slow the process further. And inadequate logging in the new systems can lead to severe visibility gaps.
Investigating and resolving incidents becomes protracted and frustrating, as straightforward queries transform into complex puzzles. For example, determining which device is associated with a specific user can become convoluted if the acquired company’s naming conventions and databases aren’t easily accessible or compatible with those of the acquiring entity. This prolongs investigations, allowing threat actors to stay hidden in the network for longer and giving them more opportunities to carry out malicious activities like accessing and exfiltrating sensitive data.
In November 2024, we investigated an incident involving suspicious activities on a user account at a PSTS company that was undergoing M&A. We explored potential signs of compromise on the user account from the newly acquired entity but encountered several complications because of the M&A process. There was initial confusion over whether the user possessed a device from the acquiring or the acquired company. After confirming the device belonged to the acquired company, the acquiring company couldn’t verify which device was associated with the user’s account. There were differing naming conventions for users and assets between the merging entities, which slowed the search for relevant account activities. Tool integration issues also emerged, as each company employed distinct security tools. However, our expertise with various security technologies facilitated a thorough threat hunt that determined no signs of compromise on the user’s accounts or host. As a precaution, we recommended a credential reset, revoking active sessions, and blocking two suspicious IP addresses across the network.
This incident shows how important it is to understand the environment being acquired and maintain clear lines of communication. Despite robust alerting and security tools, the investigation revealed systemic issues that can hinder quick resolution. Establishing a comprehensive understanding of acquired systems and fostering open communication channels is crucial in mitigating such challenges during M&A processes. This proactive approach could mean the difference between a close call and a full-blown attack.
Recommendations
- During M&A processes, integrating two separate entities naturally creates uncertainty, making clear communication essential. Prioritize establishing incident response strategies, even temporary ones, so everyone knows the right points of contact and responses are faster.
- Consider forming a dedicated team to handle security challenges unique to the M&A process. This specialized task force can ensure prompt attention and resolution, providing a focused approach to clear communication and integrated response strategies.
- GreyMatter’s technology-agnostic design means it excels at managing and integrating diverse endpoint detection and response (EDR) tools during M&A. This means security teams from each entity don’t need to be familiar with all tools, boosting incident response effectiveness.
Conclusion
M&A deals come with complex cybersecurity challenges that demand strategic foresight and hardened defenses. Acquiring companies must handle unknown issues with inherited assets, disparate tool use, and potential lapses in policy compliance. Existing difficulties are compounded by the ever-evolving threat landscape, in which technological advancements and political changes will present new problems.
Regulatory Relaxation and Increased Complexity: With Donald Trump re-elected as US president, it’s anticipated that cybersecurity regulations may be relaxed, prompting many organizations to downscale their security measures to cut costs. Acquiring companies will likely need more comprehensive cyber audits to make up for potential decreases in legally agreed standards during M&A due diligence. Lax regulations may elevate the risk of inadequate logging, while softened incident reporting rules could obscure the security history of acquired companies. This reinforces the need for thorough audits to identify potential security vulnerabilities in newly integrated assets. It’s realistically possible that this added complexity may burden CISOs and their teams, making breaches during transitions more likely.
Evolving Ransomware Tactics: The dismantling of prominent ransomware groups like “LockBit” and “ALPHV” has given rise to smaller, less sophisticated ransomware operations that use leaked builds from larger groups. These builds are generally less effective due to limited customizability and developer resources. As a result, attackers are adopting more creative targeting strategies, with companies recently involved in M&A likely becoming prominent targets. Seen as temporarily vulnerable, these entities will likely face opportunistic phishing attacks for initial access, followed by ransomware deployment. AI-generated spearphishing emails are particularly effective, so even if ransomware programs become less sophisticated, the threat to M&A-weakened security programs remains significant.
Cloud Adoption and M&A Vulnerabilities: Global spending on public cloud services is projected to reach $805 billion in 2024 and is expected to double by 2028. This rapid cloud adoption complicates M&A transitions, as migrating between service providers requires significant time and resources, often exceeding cost expectations and leaving merging organizations vulnerable. Meanwhile, cloud-based threats are on the rise, with threat actors targeting cloud APIs and unsecured Secure Shell (SSH) keys. Companies in the middle of M&A are particularly exposed, facing a combination of viable cloud attack vectors and cloud migrations that can take months or even years.
Organizations must adopt strategies to boost visibility, streamline communication, and strengthen defenses for seamless M&A integration. ReliaQuest’s GreyMatter supports managing diverse security tools, optimizing detection, and bridging gaps in tool familiarity. This approach not only mitigates risks but also transforms the M&A process into an opportunity for strengthening security posture.