Cyber due diligence typically looks at overall policies and broad risk rather than scouring networks from top to bottom, experts say.
After Yahoo announced its users had been the victims of one of the largest known security breaches of all time, Verizon suggested it would take at least a second look at its plans to acquire the company's core businesses.
After all, the breach, said to have compromised user login credentials and other information as early as 2014, affected at least 500 million users and has reportedly led some users to close their accounts altogether. But if the hack proves significant enough to scuttle the Verizon deal, or even to affect the ultimate sale price, that raises questions about why the security failure wasn't uncovered during Verizon's due diligence process prior to the deal's announcement.
"It's very surprising to me, because Verizon has an excellent incident response and data breach response [team]," says John Reed Stark, a security consultant and author of The Cybersecurity Due Diligence Handbook. "They have their own professional consulting arm that is extremely good at responding to data breaches."
Just as companies will hire accounting experts to pore over acquisition target financials to avoid uncovering any irregularities or surprises, they'll increasingly engage digital security experts to uncover any cyber risks that might lie hidden in a company's networks or security procedures.
"There are so many categories of information that are worth looking at," Stark says. "You're going to look at every single one of them to try to quantify the risk, and it's very important, because any sort of data breach, any sort of cyberattack, can really cripple a company."
That can include talking to current and former employees about security frameworks and any prior known incidents, reviewing penetration tests and outside audits, and investigating security's role in the company's culture—everything from who's ultimately in charge of digital security and where they sit in the corporate hierarchy to what procedures are in place when a digital alarm sounds in the middle of the night, Stark says.
"Like any sort of due diligence exercise, you're gonna dig down and get granular and look at the people who are really doing the work," Stark says.
But in practice, experts say, cybersecurity due diligence is often limited by time, budget, access, and even expertise, with security skills in severe shortage across digital industries.
"Some firms do it very, very well and some firms don't," Stark says. "Sometimes circumstances don't allow for it and it just means increased risk."
Even talented investigators may only be given a few days to figure out the security risks in sprawling sets of computer networks. They may also get only limited, if any, direct access to the systems involved, says Sean Curran, a director in the security and infrastructure practice at Chicago consulting firm West Monroe Partners.
To acquiring companies, cybersecurity is usually just one part of a larger due diligence process, and to companies being vetted for acquisition, it's a disruption they're looking to minimize. And with both sides often looking to move fast, especially when multiple bids are in play, that can mean only a few days' access to people, records, and computers and a focus on overall signs of risk rather than particular breaches and vulnerabilities, he says.
"The ability to identify an ongoing breach that's actually occurring at the time of the breach is nigh on impossible unless you're talking to someone who's aware of the fact," Curran says.
After all, he points out, Verizon's own annual industry-wide study of security breaches has found many take weeks or even months to discover, often only with the help of reports from outside sources like law enforcement.
Yahoo's breach, which is said to have been the work of state-sponsored attackers, apparently went unreported for several years, meaning detection in a short diligence process may have been difficult. Still, that may be of little comfort to shareholders in either company affected by the uncertainty after the breach announcement.
"It could have been beyond the scope, but I'm sure the investors are going to be asking if it was beyond the scope, then why was it," says Scott Shackelford, an associate professor of business law and ethics at Indiana University's Kelley School of Business who's written about cybersecurity due diligence.
Increasingly, companies are having to quickly decide which deals are too risky to do based on digital security risk, and the answers aren't always clear cut. A fast-moving internet startup might allow developers greater freedom to install software on their own machines than other companies, but take steps to ensure those machines can't compromise important data, Curran says.
"You've got to make a decision between the risk of this happening and the potential that you're going to miss out on this organization," Curran says. "In a competitive world, and a competitive landscape, that may be a very difficult position to be in."