Cybercrime and GDPR within the M&A market


“FW: John, is it OK to disclose this Excel file to bidder A?”

In March 2018, Jeroen Kruithof, CEO Virtual Vaults (pictured above) brought ACG Holland members and guests up to speed with the steps you need to take to prepare for the new GDPR legislation and how to make yourself less vulnerable for cybercrime. A summary of the presentation is below.

Cybercrime is a rapidly growing threat that is impacting more and more companies. It is generally known that cybercrime can cause reputational damage through the loss of intellectual property. In addition, cybercrime can cause personal data breaches, which can result in serious fines for the company.
Cybercriminals can attack a variety of vulnerabilities in a company. The department most vulnerable to cybercrime is the support desk, whose staff need to know exactly which information they may and may not disclose to customers. Companies that operate a support desk therefore have a strong need to be compliant in order to protect data. Strict policies and processes need to be written and implemented, specifically for that company, by a Data Protection Officer, to make sure the company becomes and stays compliant.

M&A: an attractive target for cybercriminals

Companies that operate in the M&A market are a highly interesting target for cybercriminals, since this market contains a lot of valuable data. Since 2013 FireEye, a cybersecurity company, has been tracking a group of hackers that targets the email accounts of a large number of individuals. The hackers have been able to access confidential information of more than 100 companies, including publicly traded companies and advisory firms that provide M&A services. They are focussed on compromising the accounts of individuals who possess non-public information on M&A deals, mostly in the healthcare and pharmaceutical industries. Those industries were targeted because the stocks of these industries can move dramatically due to new clinical trial results, regulatory decisions, or safety and legal issues.

They mainly target top executives, legal counsel, investment bankers and corporate finance advisors. They gained access to insider information, and this information enabled them to anticipate movements in the stock prices of public companies and to trade on that advantage.
These hackers are of a different kind. They are native English speakers with knowledge of the investment world and the inner workings of public companies. This makes their spearphishing emails seem convincing and legitimate.

Scarily convincing

They also operate in an unusual way. They are solely focussed on capturing usernames and passwords, which allow them to view private email correspondence. Sometimes they read email correspondence for a couple of weeks before they attack. With the knowledge they have gathered, they send out convincing emails to other advisors. The emails are highly tailored: they usually play on the recipient’s knowledge of or interest in a pending deal and often contain information that has not yet been made public. The email could contain something like: “John, is it okay to disclose this Excel file to our buyer?” Such an email seems legitimate to the recipient, since it comes from a colleague who is involved in the same deal. In this case, John receives an Excel file attached to the email from his colleague. When he opens the attachment, he is asked for his login details. If these details are entered, the hackers are able to enter the new victim’s account and the same story repeats for this new victim.

The hackers operated in a smart way. Most of the documents they sent to new victims appeared to be stolen from actual deal discussions, most of which were still in the early due diligence phases. In some cases, several organizations involved in a specific transaction were hacked. In one case more than 5 organizations, including all their advisors, were involved: in that transaction 20 organizations in total were hacked, including all the legal, tax and corporate finance parties. This, of course, gave the hackers major advantages, since they could view the correspondence between the different parties, view non-public documents and act upon this information.

The hackers invented ways to evade detection. They created a script that automatically deletes emails that contain words such as “virus”, “hacked”, “phish”, “malware”, etc. So, even when a targeted company is aware of the hack and tries to warn other parties, the emails will never arrive.
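The suppression trick described above leaves a trace a defender can look for: a mailbox rule whose conditions match security warnings and whose action hides the message. The following script is an added example, not part of the presentation; it audits rules in a constructed, simplified dict format (an assumption, not a real mail server export) and flags rules that delete or divert mail mentioning a hack.

```python
"""Flag mailbox rules that silently suppress security warnings.

Added example, not from the original presentation. Rule records use a
constructed dict format; adapt the field names to your mail platform's export.
"""
from typing import Dict, Iterable, List

# Terms a warning email is likely to contain (from the pattern described above).
WARNING_TERMS = ("virus", "hacked", "phish", "malware", "compromise", "breach")

# Rule actions that remove a message from the owner's normal view.
SUPPRESS_ACTIONS = {"delete", "permanently_delete", "move_to_junk", "move_to_deleted_items"}


def rule_risk(rule: dict) -> List[str]:
    """Return reasons a rule looks like warning-suppression (empty list = benign)."""
    reasons: List[str] = []
    conditions = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    hits = [t for t in WARNING_TERMS if t in conditions]
    hiding = set(rule.get("actions", [])) & SUPPRESS_ACTIONS
    if hits and hiding:
        reasons.append(f"hides mail mentioning {hits} via {sorted(hiding)}")
    if hits and rule.get("forward_to"):
        reasons.append(f"forwards security-related mail to {rule['forward_to']}")
    # Attackers often give hidden rules an empty or one-character name.
    if rule.get("name", "").strip() in ("", ".", ",", ".."):
        reasons.append("rule has an empty or single-character name")
    return reasons


def audit_rules(rules: Iterable[dict]) -> Dict[str, List[str]]:
    """Map rule id -> reasons for every rule that merits manual review."""
    return {r["id"]: reasons for r in rules if (reasons := rule_risk(r))}


# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"id": "r1", "name": "Newsletters", "subject_contains": ["newsletter"], "actions": ["move_to_folder"]},
    {"id": "r2", "name": ".", "body_contains": ["virus", "hacked", "phish", "malware"], "actions": ["delete"]},
    {"id": "r3", "name": "Deal", "subject_contains": ["breach"], "actions": ["move_to_junk"],
     "forward_to": "external@example.net"},
]

if __name__ == "__main__":
    for rule_id, why in audit_rules(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(why))
```

Run the audit against every mailbox of a deal team after a suspected compromise, not only the mailbox that reported the phish, since the page notes that several parties to one transaction were hacked together.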

Are you ready for GDPR?
This year on the 25th of May, the GDPR (General Data Protection Regulation) will come into force. The GDPR will be the new data protection landscape of the EU. It will replace the current directive and will be directly applicable in all member states of the EU, without the need for implementing national legislation.

The GDPR will affect how information is handled in daily work. First of all, there will need to be stricter control over where personal data is stored and who has access to it. Secondly, there will need to be better data governance tools for auditing and reporting on who has access to this kind of information. Thirdly, improved data policies will be needed in order to provide control.
Many companies do not yet know that these steps need to be taken. Gartner predicted that by the end of 2018 50% of all companies will not be compliant. Research by PwC shows that 32% of US companies want to reduce their presence in the EU, and 26% even responded that they will exit the EU.

In order to defend your data and to reduce the risk of being hacked, these steps could be taken:

  • 2FA (two-factor authentication): 2FA is the use of an extra device, like a mobile phone, in order to log in to one’s account
  • Data encryption: both data at rest and data in transit can be encrypted
  • Smart identity monitoring: actively monitor login behaviour and act when necessary

An important step towards becoming compliant and reducing hacking risks is getting certified according to international security standards, like ISO 27001 and SOC 2. Certifications are important in order to make sure processes and policies are up to date. A more drastic way of checking whether data is stored safely is hiring an ethical hacker who will look into your company’s weak spots.

Once those steps are taken, your company will be closer to being 100% compliant with the new GDPR rules and regulations, and your company will be less vulnerable to cybercrime!

Be safe.

More information:  Jeroen Kruithof, CEO - j.kruithof@virtualvaults.com

Source: FireEye