Caliber Security Partners


12/14/2021

We value each and every one of our customers and cannot express our gratitude enough for allowing us to support your business each day. From the entire team at Caliber Security Partners, we wish you a wonderful Christmas and prosperous New Year for 2022.

11/16/2021

At Caliber Security, we’re thankful for the opportunity to serve our clients, as they are all at the top of our list, not just on Thanksgiving but every day! We appreciate you and thank you for your patronage. Happy Thanksgiving to All!

09/16/2021

Security for Enterprise Transitions
Mergers, acquisitions, material incidents, and exits
Jon Espenschied, CISO
July 2021

After going through several corporate mergers as a passenger or minor contributor, it was a privilege to be “on the inside of the room” for the first time, managing the process. Being one of the directors of a merger or acquisition can be like snow control at a ski resort: once started, the process can go in unpredictable directions without continuous monitoring, and the consequences can be orders of magnitude larger or smaller than initially anticipated. Still, a little prior diligence can give a large amount of control, or at least the perspective and transparency to show what’s coming.

The life cycle leading to mergers and acquisitions is fairly predictable and well understood. Many companies are formed with the idea of going big or becoming part of something bigger, either by acquiring competitors and partners or by being acquired themselves. For any organization with this vision there is a well-worn path from startup to full operations, from operations to maturity, and from a mature valuation to some kind of exit, either by merger or by acquisition.

At its core, any kind of merger or acquisition is simple: each party should understand what they are selling or buying, and there should be a diligence process by which they assess the other’s assertions. Financial diligence in a sale is obvious, but the process doesn’t stop there. Assessments to support the deal should provide a functional review for any kind of service rendered, an infrastructure assessment for assets and technology, and an appropriate assessment of security and privacy for information assets and processes.

“Due diligence” prior to an acquisition is the ideal, meaning that the thoroughness (“diligence”) of the review is appropriate (“due”) in line with value and risks. However, reality often differs; direct experience with a recent tech company acquisition revealed that only 45 days had elapsed between two CEOs meeting on a plane to the close of the deal. The acquiring company had a process for evaluating and understanding what kind of risks and exposure they were buying, but accelerating the whole vetting process meant some issues -- such as not understanding what it meant to buy a FedRAMP-certified service, and not having full controls in place to handle HIPAA requirements -- were residual risks left to be handled later.

Still, these are better situations than discovery and risk management after the close of an acquisition. Years ago, several of our staff experienced an acquisition where the acquiring company thought they were buying a consultancy with one software product when in fact there were two major product lines. Only after the acquisition did the parent company fully understand they now owned a well-known password cracking tool they perceived to be a liability nightmare. The ensuing legal firestorm within the company was not pleasant to say the least, and could have been avoided by a reasonable assessment of infrastructure and security.

A rushed situation can occur even without people being sloppy in their business. A struggling organization might not have planned for acquisition, but find an offer as its last viable resort. Or one might find a competitor has quietly folded its operations, and have only days or a weekend for an opportunity to acquire its people and infrastructure before liquidation processes would take over. Continuity takes precedence, and a thorough vetting gets postponed until later if the executive team judges that the risk is worthwhile. In this case, consultants might be called in for a quick sanity check over the course of a few days, with a fuller assessment on the books post-close.

Other conditions arise, to be sure. In a large mutual merger, cross-organization assessment may be an involved process. In some cases, a well-planned long and slow merger may mean years of interim operations, for which an independent set of rules, policies, staff, and even leadership may be instituted. These are often given the mission of continuity over the transition, handling incidents that might not fit either organization’s capabilities, and dealing with unforeseen conditions and events.

In each of these cases, a structured assessment is key to due diligence, and should answer relevant questions:

- Beyond the finances and function of the business, do their processes and technology reflect their information security policy directives?
- If they have certifications such as SOC-2 or FedRAMP, do they do what they say?
- Is there personal data from individuals in jurisdictions that bring GDPR and CCPA into play?
- Is there an actual person assigned to direct an ISMS based on ISO27000 standards, or to assume the role of DPO to meet privacy regulations?

Knowing enough to close the deal is critical, even if knowing every detail would be out-of-scope. Often it is enough to review standing certifications and validate the top-line portions of a program, or perform a baseline assessment drawn from a neutral recognized security standard. Other situations may call for in-depth risk review and thorough technical testing. Most are somewhere between. Large or small, quick or thorough, an experienced consultancy can help choose the appropriate standards and metrics, and gather the information to make that call.

CCPA - California Consumer Privacy Act
DPO - Data Privacy Officer (GDPR)
FedRAMP - Federal Risk & Authorization Mgmt. Program (US)
GDPR - General Data Protection Regulation (EU)
HIPAA - Health Insurance Portability & Accountability Act
ISMS - Information security management system (ISO)
ISO 27000 - ISO/IEC standards for information security
SOC-2 - System and Organization Controls 2 (AICPA)

07/21/2021

“June 2021 - Colorado Protects Consumer Privacy Data”
Is your Data Architecture and Network Secure?

The State of Colorado has put its community of citizens and consumers first as a core priority: it listened to their concerns and fears regarding data privacy and took legal action.

Under newly approved state bill SB21-190, Colorado consumers receive the right to opt out of data collection by companies and websites. The bill’s three main provisions address which data is collected, the purpose for which the data will be used, and the length of time the data is retained. Many industries, such as healthcare and technology firms, are covered; however, exceptions to the regulation may differ for financial institutions, depending on the size of the company.

Other states that have been trailblazers in legally supporting their citizens’ data privacy are Virginia and California. All state compliance laws differ; for example, Virginia’s VCDPA applies to any business that handles records of at least 100,000 Virginia consumers.

Now that the bill has passed, the question is whether consumers will have to hunt for the “opt out” link online, or contact the company directly to opt out. The cost of maintaining and providing these measures could be absorbed by the company or passed on to consumers.

It is likely that this data protection compliance pattern will continue, and your state may very well be next in line, requiring you to advance your data and network privacy to the next level, along with additional layers of privacy security controls and control mapping as future legal protection amendments arrive.

Colorado advocates argue that this new state bill doesn’t go far enough to thoroughly meet data privacy demands.

Your state may be next! Oklahoma and Minnesota appear to be in the pre-planning stages.

For additional information regarding the newly approved Colorado privacy protection bill, see https://leg.colorado.gov/bills/sb21-190

Address
748 Market Street, #56
Tacoma, WA
98402