OPINION: More than you bargained for: Corporate acquisitions carry a new cyber-threat

Telstra Corporation’s announcement this week that it had discovered a network breach at a company it acquired earlier this year has opened up huge questions for corporate Australia on issues of risk management and due diligence.

Telstra, which is the world’s 10th largest telecommunications company, completed its acquisition of Pacnet in April. While the network breach occurred before the acquisition, it had not been uncovered during Telstra’s due diligence process. 

The announcement was quickly picked up by the media and became one of the biggest news stories of the day. For any business interested in data security – and that should mean all businesses – this breach is illuminating for two starkly different reasons.

First, it provided a demonstration that Telstra does not just talk the talk. On security, it quite clearly walks the walk. The company recently outlined its cyber security strategy at its 2015 Investor Day.

With the Pacnet announcement, and Telstra’s actions following its discovery of a breach, it now looks as if Telstra has executed an information risk management strategy that could be industry world’s-best practice, including making sure investors fully understood the company was in a strong position to manage an incident.

Secondly, the Pacnet breach provides a demonstration of a new and frightening dimension that has now been added to corporate acquisition due diligence and the broader issue of risk. These are very real questions that boards of directors must understand.

It is perhaps not surprising that Telstra’s response to this breach has been so sure-footed. For those of us familiar with the accelerating global cybercrime problem, it is quite clear that the company’s chief information security officer, Mike Burgess, has done his homework. 

Telstra’s is a dynamic risk management model. Yes, it includes market-leading technologies that monitor threats and defend information assets but, more importantly, the company clearly views these threats as a business problem, not just an IT problem.

Telstra has been clear about its security strategy, and its future plans for protecting its operations and customers in what is a comprehensive and pragmatic plan to manage the risks associated with this “unsolvable problem” of cybercrime.

Based on yesterday’s incident response, Telstra’s board would be satisfied that it is on the right track.

As a broader management issue for corporate boards everywhere, however, yesterday’s event raises serious new issues for corporate acquisitions, and it's a case of buyer beware. 

Recent acquisitions like that of Autonomy by HP have made the press for all the wrong reasons, following critical questions about misrepresentation and problems with financial due diligence.

But now directors, management, investors and lawyers have another serious acquisition issue to deal with, that of information security due diligence. This problem has potentially very high consequences.

A typical due diligence checklist includes disclosures and reviews of financial information, products, customers, competition, distribution, management and personal, legal and related matters.

The new category of questions might be labelled "information security" but should probably be called “unknown unknowns.” The reality is that increasingly, today’s high-consequence cyber threats have never been seen before.

There is no historical reference point. If you are the divesting company that warrants what has been disclosed is complete and correct, you may have a problem signing off this latest due diligence category.

And if you are the acquirer relying on professional services firms to complete due diligence and a warranty period for 12 to 36 months to reduce your risk, you may want to think again before you hand over the cheque.

Advanced cyber threats can hide in companies’ networks for days, weeks, months and years. They are designed to be hard if not impossible to find. And this is certainly not a problem the professional services firms who typically perform due diligence have any experience in assessing.

Malware and Zero Day exploits – the nasty stuff – hide in data and time. These sophisticated lines of code can be hidden in massive volumes of data over long periods of time. They are designed by some of the finest technical minds on the planet, and can be remotely exercised by anyone from hacktivists with a political agenda, organised crime networks with a financial agenda or nation states with a global agenda.

So what happens if you acquire a company that has been a target of one of these threats, and are unwittingly hosting one of these exploits? The consequences could be catastrophic.

The intellectual property you acquired at a premium may already have been accessed, stolen and traded on the dark web. The trade secrets or competitive advantage you expected to gain may already be known and countered by your competitors. The operational synergies you expected to gain, including merging your back office and IT infrastructure, may turn out to be terminal for the merged entity.

Or, you might be lucky and when the exploit reveals itself, it may have a manageable financial, operational or reputation impact that doesn’t affect earnings, investor confidence, share price or credit rating. 

The reality is this new cyber threat is just another business risk. But the difference is this threat can happen at a pace, scale and reach that is unprecedented.

To its credit, Telstra appears to have demonstrated this week that new cyber threats can be managed if directors and executives understand the problem, the risks and have a dynamic risk management plan in place.

Cybercrime is an unsolvable problem – because there will always be criminals whether in the physical or online worlds – but it can be managed.

However, managing acquisition risk does require that directors extend their due diligence enquiry well beyond its traditional scope to include deep information security analytics and analysis. This will require a whole new set of specialist big data tools and data science capability to discover these threats.

This is not a skill or capability traditional information technology staff have. Managing divestment risk also places new responsibilities on boards who will need to conduct similar levels of enquiry before they sign-off on company disclosures. 

The Pacnet disclosure by Telstra demonstrates the cyber security risk can be managed. But it also puts corporate Australia on notice that all that glitters is not gold.

Make sure you do your homework.

Craig Richardson is the chief executive of the Wynyard Group