6 Steps to SAP Cybersecurity Due Diligence for Mergers and Acquisitions

Jul 19, '18 by Joerg Schneider-Simon

Whether a company is looking at customers, suppliers, production, or finances, it’s looking at data. And SAP is one of the most widely used platforms for companies to manage their data and perform the multiple tasks that keep a business running.

So, when companies engage in merger and acquisition transactions, one would think the security of SAP data and systems would be a major target of scrutiny by all parties.

Unfortunately, that isn’t always the case.

Cybersecurity incidents in the news have made it clear that cyberattacks can (and do) happen to any organization. With that in mind, companies need to understand that lax SAP cybersecurity practices can affect M&A transactions — and what questions they should ask not only the target company, but themselves.

How Cybersecurity Vulnerabilities Threaten Mergers

Anybody with a nodding acquaintance of the real estate market knows that if an inspector finds termites, the sale will likely fall through.

Cyberattacks are the termites of the data world: often undetected, but wreaking havoc behind the scenes.

And much like a savvy homebuyer, any acquiring company is going to want to know what’s behind the walls before they sign on the dotted line.

NYSE Governance Services and Veracode partnered up to survey 276 public company directors and officers to get their thoughts on cybersecurity due diligence when it comes to M&A transactions. The results were eye-opening:

  • More than half (52 percent) of the respondents said if a target company had recently suffered from a high-profile data breach, they would only acquire it at a much lower value. Almost a quarter (22 percent) said the deal would be off.
  • Only 2 percent said that major security vulnerabilities would be “very unlikely” to affect a merger or acquisition. An overwhelming number (85 percent) said it would be “somewhat likely” or “very likely”.
  • A full 71 percent said that the quality and extent of the target’s intellectual property and technology is “very important” in their due-diligence process.

What does this all mean? It means that companies whose cybersecurity practices are not up to snuff are running a very real risk of sinking any deals that come their way.

Here is an example: In 2014, Yahoo! learned that their computer network had been breached. They did not publicly disclose this, even to their board. In 2016, Yahoo! and Verizon Communications entered into negotiations. Shortly thereafter, it came to light that Yahoo! had been the victim of not one, but two massive security incidents involving approximately 1.5 billion accounts.

The result? The purchase price was knocked down by $350 million and Verizon made sure to include a condition that Yahoo! would be responsible for all liabilities resulting from shareholder lawsuits and SEC investigations related to the cyberattacks.

SAP: Special Considerations

So far, all of this can be generally applied to any data system that a company might use. However, with SAP, there is an even greater risk of vulnerabilities and past attacks going undetected.

That’s because SAP data is typically held separately from regular disk volumes, in its own proprietary storage. And regular anti-virus programs can’t access those files. They can’t even connect to SAP’s virus scan interface.

As a result, data-stealing malware could be stored in a company’s SAP system, going completely undetected by their anti-virus screening. From there, the malware can easily be distributed by that “safe” source to both internal and external systems. And neither the company nor their M&A transaction partner are any the wiser … until a hacker announces that they have the companies’ data.

How to Perform Due Diligence

A responsible company makes certain its finances and procedures are in order at all times, especially when talk of a merger or acquisition arises. This same due diligence must be applied to its cybersecurity, particularly its SAP cybersecurity. Here are the questions your company’s CIO needs to think about during the due diligence process:

1. What data are we collecting on customers or suppliers?

Your company should know exactly what information it has on its customers and suppliers, where that information is stored, what permissions are in place, and what is done with the data of customers or suppliers who no longer do business with you.

2. What about our third parties?

SAP systems make it easy for suppliers to share data and documents with your company. But, what is their risk exposure? What are their cybersecurity protocols? Do you have legal agreements in place that require third parties to adhere to certain cybersecurity procedures and security measures?

3. How often do we test?

Putting cybersecurity measures in place are fine, but do you know if they’ll stand up? Regularly scheduled penetration testing should be a documented process, making it easy to verify the frequency and results. Do we have a crisis management/cybersecurity breach plan in place, and how often is it reviewed/updated?

4. What is our expertise?

Does your information security team consist of generalists, or do you have experts in SAP cybersecurity who know how to manage its unique needs? What is the team’s chain of command? Are duties clearly delineated so that nothing falls through the cracks?

5. What are our best practices?

Do we provide cybersecurity best practice training to all end-user staff? If any of our staff use handheld devices to access systems (such as with SAP Fiori, for example), have they signed off on clear and comprehensive cybersecurity protocols? What are our processes for when employees leave the company?

Want to know more? Visit our Guide to SAP Fiori Cybersecurity

6. What protections do we have in place?

What is our intrusion detection system? How often do we download and install SAP security patches or other system patches? Do we rely solely on an OS-level antivirus or do we have anti-malware technology in place specifically for SAP?

When it comes to cybersecurity due diligence, a great rule of thumb is to always operate as though you’re entering into an M&A transaction. Think about what the other company would want to know to feel secure about your cybersecurity practices. Make sure you always have updated information at your fingertips. And be certain to keep your procedures and operating instructions updated and clearly communicated across your organization.

By staying on top of your SAP cybersecurity, and your cybersecurity in general, your company will be prepared for any M&A transactions, as well as anything else that comes your way.


Can SAP E-Recruiting Expose Your Company to Risk?