New Report Reveals Subsidiaries are Global Enterprise Achilles Heel

By CyCognito Marketing Team | September 22, 2021

New CyCognito Report Reveals Subsidiaries are Global Enterprise Achilles Heel; Increasing Attack Surface and Exposure Drawing in Attackers

Cover-WP2109-osterman-research copy
67% of Parent Companies Experience a Cyberattack due to a Subsidiary.
Is M&A onboarding risk?
Palo Alto, Calif. — CyCognito, the leader in external attack surface management and attack surface protection, today announced the results from a new study that found most enterprises are overconfident and lack the proper visibility to manage subsidiary risk. The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with more than $1 billion in annual revenue and an average of more than 19 subsidiaries.

M&A has become a standard path to rapid growth for many organizations. The global law firm White & Case reported that US M&A deal value reached a record high of US$1.27 trillion in the first half of 2021, a 324 percent increase vs. H1 2020. “Parent companies acquiring subsidiaries through M&A activity not only onboard employees, technology and revenue, but also absorb the existing security posture of that subsidiary. This dramatically impacts the overall security of the larger organization and increases the attack surface,” said Michael Sampson, Senior Analyst at Osterman Research.

Closely related to the M&A process, divestitures present similar risks for organizations. When corporations divest their subsidiaries - selling them to other organizations, or to operate independently -- they also need to separate themselves from the IT responsibilities and cyber risks of the divested entities. Finding and assessing subsidiary risk, and understanding how assets connect to the parent, is fundamental to successfully managing divestiture cyber risk. 

Ironically the majority of organizations reported they perceived they were doing a good job managing subsidiary risk, yet 67 percent of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out that possibility. Even more telling, nearly 50 percent of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.


Osterman_CyCognito Final - Figure 2
Priority of Assessing Cybersecurity Risk of Subsidiaries
Percentage of respondents


“The findings from this study underscore just how serious subsidiary risk can be to larger organizations, including those in the automotive, manufacturing, retail, finance, government and healthcare sectors,” said Rob Gurzeev, CEO and founder of CyCognito. “As an extension of the parent organization, the subsidiaries’ security posture is not well evaluated as part of the overall attack surface, thereby creating an attractive target for attackers. As global organizations work to get a handle on risk, visibility into the security posture of their subsidiaries are paramount to stave off revenue and reputation crushing attacks.”

Other Key findings include:

  • Assessing subsidiary risk is a high priority. 85 percent of respondents said assessing subsidiary risk is a top 10 priority relative to other security and risk initiatives. 47 percent regard subsidiary risk as a top 5 priority.
  • The three highest ranked concerns about existing subsidiary risk management practices: 1. they provide only a point-in-time snapshot, 2. the process takes too long, and 3. they offer only limited test coverage, leaving too many blind spots.
  • There is a huge variation between current and preferred remediation time. Two-thirds of respondents report that time to remediate a detected subsidiary risk was a week or longer on average, and sometimes up to three months. For 71 percent of respondents, the preference is a day or less. 
  • Risk and vulnerabilities increase with more subsidiaries. Enterprises with more subsidiaries are 50 percent more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries. 

“Subsidiaries often become part of an organization’s attack surface via a merger or acquisition.  With M&A, not only do you end up with a blend of employees, operations, revenue, etc., but you also blend your cyber security risk,” noted Gurzeev. “Those risks are opportunities for attackers looking for the path of least resistance to networks, applications and data they can breach -- whether the starting point is the parent company or one of its subsidiaries.”

To download the report, please visit:


About CyCognito

CyCognito solves one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure. Founded by national intelligence agency veterans, CyCognito has a deep understanding of how attackers exploit blind spots and a path of least resistance. The Palo Alto-based company is funded by leading Silicon Valley venture capitalists, and its mission is to help organizations protect themselves from even the most sophisticated attackers. It does this with a category-defining, transformative platform that automates offensive cybersecurity operations to provide reconnaissance capabilities superior to those of attackers.

About CyCognito Marketing Team

CyCognito Marketing Team: Raphael Reich, VP of Marketing, Christine Carrig, Head of Growth Marketing, Jim Wachhaus, Director of Technical Product Marketing, Lisa Bilawski, Director of Content Marketing, and Dixie Fisher, Senior Product Marketing Manager


Start Eliminating Your Shadow Risk

Demo Request