Securing the split: Cyber security and demergers

Vince Hardy, Cyber Security Consultant | May 30, 2024

Fortian works with a diverse range of clients who require cybersecurity services, ranging from small to medium enterprises all the way to some of Australia’s largest brands.  

In the large enterprise sector, Fortian has provided cybersecurity support to corporate operations, including acquisitions (where one entity acquires another) and demergers (where a corporate group splits its operations into multiple entities or groups).

In the following blog post, Fortian security consultant Vince Hardy writes about demergers – their significance from a cybersecurity perspective and some of the cybersecurity considerations that should be addressed during the demerger process.

Securing Divestitures: Cyber Security considerations during Demergers

In recent times, cyber security has become a hot topic for everyone from individuals to big organizations and even governments. The rise in cyber threats has made it crucial to amp up our cyber security measures. And when it comes to divestments and acquisitions, the need for cyber security is even more pressing.

Understanding Demergers

A divestiture, also known as a demerger, is a restructure in which a company separates some of its business units or divisions into separate entities. This process involves the division of a single business entity into two or more distinct companies, each having its own separate legal and operational existence.

Cyber Security Implications

During a divestiture, sensitive data and intellectual property may be transferred to another company or entity, potentially increasing the risk of data breaches or cyber-attacks. The company conducting the divestment is often concerned about swiftly signing on the “dotted line” and very seldom about the flow and impact to security and privacy. However, overlooking the implications for business continuity amidst these transactions can lead to significant disruptions in operations. It's crucial for organizations to consider how the transfer of data and intellectual property may affect ongoing business processes and ensure that adequate measures are in place to maintain operational continuity throughout the transition.

Significance of Cyber Security during a demerger

Cyber Security is essential during a divestment for several reasons. During a divestment, businesses may be required to disclose sensitive information such as financial, operational, and strategic information to the buyer. This information may contain customer data, financial data, and proprietary data. Both companies (buyer and seller) should ensure that security gaps and controls are first identified to prevent data breaches. It’s important to note that data and infrastructure are not the only targets of transfer; humans are also part of the process.

This blog post will provide practical guidance and actionable insights to navigate cyber security challenges effectively during corporate demergers.

1. Identify Assets

Identifying assets is a critical step in the security risk assessment process during a demerger. Assets, in the context of security, refer to any resource that requires protection. Assets can span multiple categories, namely the following:

Data Assets:
  • Sensitive data: Identify and classify sensitive data such as customer information, intellectual property, financial records, trade secrets and proprietary business data. Simply identifying is not sufficient.
  • Data repositories: Pinpoint locations and repositories where sensitive data is stored, whether it’s databases, file servers, cloud storage, or other data storage systems.  
Systems and applications:
  • Critical systems: Identify any critical information system important to the operation of the organisation.
  • Applications: Identify any critical applications that process sensitive data and assess whether modifications are required during the demerger. Various enhancements or modifications may be required, such as changes to access roles and permissions, presentation of data, or obfuscation of sensitive data.
Network Assets:
  • Infrastructure: Identify the network infrastructure such as routers, switches, firewalls, and other networking components. Assess network configurations that may need to be adjusted to accommodate changes resulting from the demerger.
  • Interconnected systems: Identify whether the separated entity has systems that require integration with the origin company (the seller).
Physical Assets:
  • Data Centers: Identify locations of physical servers, data centers, and other IT infrastructure. Assess the physical security measures in place and determine if any changes are necessary.
  • End User Devices: Identify any end user devices such as laptops, mobile devices, and workstations. Consider the security impact to these devices during the demerger.
Personnel Assets:
  • Human resources: Identify personnel-related data, including employee records, roles, and access permissions.

Collaboration with information owners and data custodians is critical to understanding the various types of data that are within the scope of the transfer. Within this phase, the project team executing the demerger works with data custodians to create a data inventory, cataloguing the various types of data and their sources (applications or systems). The inventory serves as a foundation for the data classification process.

2. Conduct a Risk Assessment

Leveraging threat modelling frameworks like MITRE ATT&CK or STRIDE offers a systematic method for evaluating risks during a demerger. These frameworks outline the tactics used by cyber attackers, aiding in the identification of potential threats to assets. By pinpointing entry points to the data within these assets, organizations can identify vulnerabilities in their security infrastructure. Comparing existing security controls with those detailed in the frameworks reveals any gaps or weaknesses. Through simulating attack scenarios, organizations can gain valuable insights into the potential impacts of security breaches, enabling the development of targeted mitigation strategies for high-priority areas.

The leadership team must be briefed on the diverse risks that could affect the success of a demerger, including the security of sensitive data and the overall welfare of both entities involved. Here are some critical risks to consider during the security risk assessment:

Data Security and Privacy Risks:

  • Unauthorized access or disclosure of sensitive information, posing a risk of data breaches.
  • Potential data corruption or loss, compromising data integrity during the transition.

Operational Disruptions:

  • Risk of critical business operations and services being disrupted during the demerger process.

Regulatory Compliance:

  • Non-compliance with data protection, privacy, and other regulations.
  • Legal implications stemming from failure to adhere to regulatory requirements, necessitating engagement with legal counsel and diligent documentation of compliance efforts.

Reputation Damage:

  • Potential negative impacts on the reputation of both entities involved.

IT Access Control Risks:

  • Risks associated with inadequate access control measures, leading to unauthorized access to systems and data.

Intellectual Property Risks:

  • Risks associated with the protection and transfer of intellectual property during the demerger process.

3. Classify Data

Data classification is a critical process that involves categorizing and organising data based on its sensitivity, confidentiality, and importance to the business.

The objective is to ensure that the data is properly handled, protected, and transferred during the demerger process. The information owner is the individual or entity responsible for the data and has the authority to determine the classification of data. Refer to the organisation’s data classification policies and guidelines that define the criteria for classifying data into categories. These policies establish the rules for determining the most appropriate classification level for different types of information.

4. Safeguarding Access and Data Integrity During Corporate Demergers

While revoking all access of employees from demerging entities may appear simple, it could disrupt business continuity. Organizations often require ongoing operational support throughout the demerger process. Therefore, a balanced approach is essential to mitigate the risk of users retaining access to sensitive network resources. Diligent measures should be implemented to restrict access strictly to authorized systems and applications.

  • Define the parameters of security controls required to manage user access.
  • Create an inventory of critical systems or applications that contain sensitive data that employees of the demerged entity currently access. Careful consideration is required, especially in cases where systems or applications utilize local authentication.
  • System and application owners must establish clearly defined roles for employees from the demerged business unit. Roles should align with their job functions, responsibilities, and data sensitivity. Aim for least privilege.
  • Conduct a point-in-time access review of the existing permissions of users that are part of the demerged entity. This includes access to systems, applications, data repositories, and other critical resources. The business must clearly define the objectives of the access audit and collaborate closely with stakeholders to understand the business context, data sensitivity, and specific access requirements for each system/application.
  • Oftentimes, businesses can find this exercise difficult due to the sheer number of employees from the demerged entity. As a result, access management tools must be capable of conducting automatic access reviews and audits to streamline the process and provide detailed reports on user permissions.
  • Review user group memberships in Active Directory to ensure that users have the correct AD groups associated with their job function. Some organisations may not have the required resources to conduct this and, as such, leadership must be notified that this could be a best-effort exercise. Note: some users may be owners rather than members of the groups.
  • As part of the demerger process, organisations must anticipate the inclusion of new employees who might be transferred to the demerged entity. These new employees may be automatically added to Active Directory groups due to birth-right access, giving them potentially unauthorized access to critical resources. As a result, it’s a good idea to assess whether these employees need to be prevented from obtaining birth-right access to certain systems.
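
An added example, not part of the original post: a point-in-time access review over constructed exports, flagging the cases the list above calls out (access outside the role baseline, group owners, local authentication, and birth-right access for new transferees). The CSV layouts, user and group names, role baseline and birth-right set are all assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports (assumed column layout, not real data).
ROSTER_CSV = """user,entity,role,status
alice,demerged,finance-analyst,existing
bob,demerged,engineer,existing
carol,demerged,engineer,new_transfer
dave,parent,engineer,existing
"""
ACCESS_CSV = """user,resource,relation,auth
alice,GRP-Finance-Reports,member,ad
alice,GRP-Treasury-Admins,owner,ad
bob,GRP-Eng-Build,member,ad
bob,payroll-app,member,local
carol,GRP-All-Staff-Intranet,member,ad
carol,GRP-Eng-Build,member,ad
dave,GRP-Treasury-Admins,member,ad
"""
# Hypothetical least-privilege baseline per role, and groups granted automatically.
ROLE_BASELINE = {"finance-analyst": {"GRP-Finance-Reports"}, "engineer": {"GRP-Eng-Build"}}
BIRTHRIGHT = {"GRP-All-Staff-Intranet"}

def review_access(roster_csv, access_csv, baseline, birthright):
    """Return sorted (user, resource, reason) findings for demerged-entity users."""
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(access_csv)):
        person = roster.get(row["user"])
        if person is None or person["entity"] != "demerged":
            continue  # only users moving to the demerged entity are in scope
        user, res = row["user"], row["resource"]
        if row["auth"] == "local":  # not covered by directory-based revocation
            findings.append((user, res, "local-account"))
        if row["relation"] == "owner":  # owners can re-grant membership
            findings.append((user, res, "group-owner"))
        if res in birthright:
            if person["status"] == "new_transfer":
                findings.append((user, res, "birthright-on-transfer"))
        elif res not in baseline.get(person["role"], set()):
            findings.append((user, res, "outside-role-baseline"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(ROSTER_CSV, ACCESS_CSV, ROLE_BASELINE, BIRTHRIGHT):
        print(*finding, sep="\t")
```

Each finding is a prompt for the system or application owner to confirm or remove the access, not an automatic revocation, which keeps the review compatible with the business-continuity concern raised at the start of this section.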

Conclusion

Understanding the significance of cyber security in demergers allows organizations to safeguard assets, protect data integrity, and mitigate risks such as data breaches, operational disruptions, and regulatory non-compliance. Collaboration with stakeholders, adherence to data classification policies, and diligent access controls are essential for success.

Navigating demergers and cyber security complexities requires vigilance, adaptability, and collaboration to ensure the security and integrity of operations. Stay tuned for a later instalment, where we'll explore strategies for data protection and regulatory compliance during corporate demergers.
