Products & Technology
June 20, 2024

How to secure mergers & acquisitions from software supply chain attacks

When engaging in M&A, acquiring firms often inherit a software stack that presents security concerns. Here’s how you can effectively manage these risks.

Charlie Jones

There are varying levels of cybersecurity vetting used during mergers and acquisitions (M&A). Traditionally, acquiring organizations rely on techniques such as third-party questionnaires to understand the cybersecurity posture of the company they would like to purchase. But the majority of security measures leveraged during the M&A process fail to capture one of the fastest-growing and most consequential threats today: attacks on software supply chains and third-party software providers.

Organizations considering a merger or acquisition need to properly understand the impact this emerging risk has on the cybersecurity posture of a target acquisition to avoid any unexpected discoveries after the ink on the deal has dried.

Here's a breakdown of the increased cybersecurity exposure presented by M&A activity, the prolific threat of software supply chain attacks, and how to effectively evaluate software supply chain risk throughout the deal life cycle.

Get White Paper: Third-Party Software: Derisking Mergers & Acquisitions

Deal activity attracts malicious actors

When participating in M&A activity, organizations are at an elevated risk of supply chain attacks, because attackers target entities that are undergoing major events. These malicious actors recognize that the opportunity to slip through the cracks undetected is higher while redundant systems are running in parallel: the division of responsibilities between multiple security teams is not clear, and confusion arises amid competing information security policies.

According to research performed by a doctoral student at the University of Texas at Dallas, which analyzed hospital mergers from 2010 to 2022, the probability of a data breach more than doubled during the periods before and after M&A events. The study suggests that a lack of security and harmonization between multiple vendor software products is a key contributing factor to the increase in data breaches post-deal.

If a target organization is breached during this critical period of heightened risk, it can have a material impact on financial success, reducing the deal price prior to agreement or leading to subsequent fines that cut into the forecasted return of a transaction.

For example, in 2017, Verizon reduced its purchase price for Yahoo by $350 million in the wake of two cyberattacks that occurred the year prior.

Additionally, in 2020, Marriott International was fined $23.98 million by the UK's Information Commissioner's Office (ICO) for a breach of the Starwood hotels reservation system, which similarly occurred a year prior to their merger.

A large, under-addressed attack surface

Any company that your organization would like to purchase likely runs on a number of third-party-developed software products, which can greatly widen the attack surface of your business. As attacks on software supply chains continue to increase in volume and complexity, it's essential that organizations take steps to address this growing threat, with parties to a merger or acquisition being no exception.

One of the most common sources of this emerging attack vector is open-source software, which the Linux Foundation estimates makes up 70-90% of modern software packages. Malicious actors are now exploiting enterprise dependencies on the open-source ecosystem as an initial entry point into the software supply chain. According to ReversingLabs' State of Software Supply Chain Security 2024 report, malicious threats on open-source repositories such as PyPI, npm, and NuGet skyrocketed by 1,300% between 2020 and 2023.

As these open-source components get packaged into commercial off-the-shelf (COTS) software products, organizations lose visibility into the components of software that often supports critical business processes. Without control over the software, acquiring organizations will struggle to manage the security risk that might be introduced through either inadvertent error or malicious intent. Unfortunately, the staggering increase in software supply chain threats has not been matched by a proportional response from either software producers or their customers. The analyst firm Gartner® released its "Mitigate Enterprise Software Supply Chain Security Risks" report in late 2023. That report noted that, in the past few years, "software supply chain attacks have seen triple-digit increases, but few organizations have taken steps to evaluate the risks of these complex attacks."

In addition to the growing number of threats to software supply chains, data is now available on the damage these threats can cause for businesses. According to IBM's "Cost of a Data Breach Report 2023," the average cost of a software supply chain compromise is $4.63M USD, a cost that acquiring companies in the M&A process are keen to avoid.

How to ensure due diligence that upholds supply chain security

To protect the value of an investment, organizations must gain visibility into the security risk exposure presented by the software assets included in the deal. Organizations can achieve this by incorporating the right software security assessments throughout the M&A process, including the pre-deal, post-deal, operational delivery, and ongoing value protection stages of a transaction.

However, these software security assessments will only deliver their full benefit if acquiring organizations leverage the right software assessment methods. Most M&A processes today use only traditional cybersecurity measures such as security ratings solutions, penetration testing, application sandboxes, and vulnerability scanning as part of their evaluation. Collectively, these tools have blind spots that prevent organizations from obtaining a comprehensive picture of software supply chain security, leaving acquiring companies susceptible to attacks on third-party software products.

To gain visibility into the risk presented by third-party software, organizations need a modern solution that goes beyond spotting basic vulnerabilities in software to detect more sophisticated attacks, such as malicious implants and tampered artifacts, using non-invasive testing approaches. This is where RL Spectra Assure, ReversingLabs' premier software supply chain security platform, comes into play.

To learn how your company can avoid undue software supply chain risk during M&A activity, download our new whitepaper, Third-Party Software: The Undiscovered Threat Lurking in Mergers & Acquisitions. In it, you'll learn what steps your organization should take throughout the M&A process to secure your software supply chains, and how RL Spectra Assure can be your go-to tool for due diligence.
