Canadian Underwriter

How corporate mergers impact cyber risk

September 19, 2018   by Greg Meckbach

Cyber risk goes up if a company goes through a merger or acquisition, an information security consultant suggests.

One way your client can reduce cyber risk is to know what hardware and software is on their computer network, Jeremy Hurst, Toronto-based senior manager for Accenture Security, said Monday in an interview.

A company that has not gone through a merger “should have a pretty good sense of what is on their [computer] network,” added Hurst. “Where you tend to run into bigger problems is organizations that maybe have not grown organically [but rather] through acquisition or integration with another company. They may have [incorrectly] assumed at the time that the inventory of assets they were getting from the other company is complete.”

Not knowing what information technology assets you have can cause security problems for several reasons. For one, risk managers need to know whether or not they have “mechanisms in place” to detect information security breaches, Hurst said.

Say, for example, a user installs software, but the information technology department does not know about it.

Cyber security requires – at a minimum – that users install the “patches,” which are software updates that vendors produce in order to fix bugs such as security holes.

“If you are not even aware that you have that software in your systems because you didn’t document it, then how would you know to patch it?”

Some organizations have what Hurst calls “shadow IT,” meaning computer hardware or software is being used without the knowledge of the person in charge of information technology.

Accenture released Monday its 2018 State of Cyber Resilience study, which is based on a global survey of 4,600 security professionals. Respondents included 150 Canadian executives.

Respondents were asked how long it takes them to detect a security breach.

Among respondents in the insurance sector, “nine per cent of companies detect a breach within one day,” an Accenture spokesperson said, while nearly half (48%) of companies discovered the breach within one to seven days.

More than a third (36%) of respondents said it took one to four weeks, while nine per cent said it took more than a month to discover a breach.

It is “critical” to discover breaches within a week in order to reduce the amount of harm that can be done, suggested Hurst.