Last updated on November 3, 2019
By: Shandra Gemmiti, Product Marketing Lead at Synopsys Software Integrity Group
Technical due diligence is a given in almost every acquisition or investment involving technology companies. The diligence checklist can be daunting for acquirers and targets alike, but as a new study published by (ISC)2 confirms, auditing for cybersecurity is and should be at the top of the checklist. In fact, the (ISC)2 survey of 250 U.S.-based M&A professionals showed that 100% of the executives and M&A advisors surveyed agreed that cybersecurity audits have become standard practice.
Why companies conduct cybersecurity audits
To understand why companies are auditing for cybersecurity, we must first understand the risk. In the same study, (ISC)2 found that security breaches that come to light during the due diligence process can derail a transaction; almost half (49%) of participants said they had seen it happen. Further, 52% of respondents viewed an audit revealing weak security practices as a liability. The same number said a post-acquisition security breach in an acquired company has affected the share value of publicly traded organisations.
It’s clear a cybersecurity breach can significantly affect shareholder value. During integration, it’s critical to expose, and plan to deal with, any potential weakness at a target company.
Urgent need for open source audits in M&A
There are many angles to consider when auditing for cybersecurity in an M&A transaction. For example, consider the high-profile Equifax breach.
The breach occurred when an unpatched open source vulnerability compromised the personal data of millions of people. Equifax paid the price in both brand damage and shareholder value. But as we’ve learned in the aftermath, not everyone learns from the mistakes of others.
In the year following the Equifax breach, Fortune published a piece under the headline “Thousands of Companies Are Still Downloading the Vulnerability That Wrecked Equifax.”
Synopsys’ annual Open Source Security and Risk Analysis report is based on the anonymised data from thousands of open source audits we perform for M&A due diligence. The 2019 report found that 60% of the codebases we audited during 2018 contained at least one open-source vulnerability. Further, 43% of the codebases contained vulnerabilities over 10 years old.
As we learned from Equifax, unpatched software vulnerabilities are one of the biggest cyber threats organisations face, and unpatched open source components in software add to security risk. Certain characteristics of open-source make vulnerabilities in popular components attractive to attackers.
One reason is that open source, unlike commercial software, has a pull support model. Commercial software publishers can automatically push fixes, patches, and updates to users. But open-source software puts the responsibility for monitoring in the hands of the company consuming the open-source. Because open source is so pervasive, this is no easy task.
Other types of cybersecurity audits
Open source audits are one type of audit that companies are performing in M&A due diligence, but it’s not the only one. We typically see acquirers asking questions about many aspects of the security risk of the software they’re acquiring:
- What open source is in the application, and is the target aware of the open-source license obligations that accompany it?
- Are there any security weaknesses in the proprietary code?
- Is the architecture sound?
- Do the target’s software development processes take security into account?
- Does the application call any external APIs that expose it to further risk?
At the end of the day, the goal of due diligence is to eliminate surprises after the deal closes. According to the (ISC)2 report, 57% of respondents had been surprised by an unreported data breach during the audit process.
In M&A, uncovering these issues before the deal closes helps the acquirer not only put the proper deal terms in place but also plan for integration costs, priorities, and timelines post-deal.
Synopsys has an entire business with decades of experience handling security audits in high-stakes, fast-moving, and high-value M&A scenarios.