CyCognito, the leader in external attack surface management and attack surface protection, today announced the results from a new study that found most enterprises are overconfident and lack the proper visibility to manage subsidiary risk. The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with more than $1 billion in annual revenue and an average of more than 19 subsidiaries.
M&A has become a standard path to rapid growth for many organizations. The global law firm White & Case reported that US M&A deal value reached a record high of US$1.27 trillion in the first half of 2021, a 324 percent increase vs. H1 2020. “Parent companies acquiring subsidiaries through M&A activity not only onboard employees, technology and revenue, but also absorb the existing security posture of that subsidiary. This dramatically impacts the overall security of the larger organization and increases the attack surface,” said Michael Sampson, Senior Analyst at Osterman Research.
Closely related to the M&A process, divestitures present similar risks for organizations. When corporations divest their subsidiaries - selling them to other organizations, or to operate independently -- they also need to separate themselves from the IT responsibilities and cyber risks of the divested entities. Finding and assessing subsidiary risk, and understanding how assets connect to the parent, is fundamental to successfully managing divestiture cyber risk.
Ironically the majority of organizations reported they perceived they were doing a good job managing subsidiary risk, yet 67 percent of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out that possibility. Even more telling, nearly 50 percent of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.
Priority of Assessing Cybersecurity Risk of Subsidiaries (Percentage of respondents)
“The findings from this study underscore just how serious subsidiary risk can be to larger organizations, including those in the automotive, manufacturing, retail, finance, government and healthcare sectors,” said Rob Gurzeev, CEO and founder of CyCognito. “As an extension of the parent organization, the subsidiaries’ security posture is not well evaluated as part of the overall attack surface, thereby creating an attractive target for attackers. As global organizations work to get a handle on risk, visibility into the security posture of their subsidiaries are paramount to stave off revenue and reputation crushing attacks.”
Other key findings include:
“Subsidiaries often become part of an organization’s attack surface via a merger or acquisition. With M&A, not only do you end up with a blend of employees, operations, revenue, etc., but you also blend your cyber security risk,” noted Gurzeev. “Those risks are opportunities for attackers looking for the path of least resistance to networks, applications and data they can breach -- whether the starting point is the parent company or one of its subsidiaries.”
CyCognito is an external exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. For more information, visit https://www.cycognito.com
Switch PR
(415) 517-6708
[email protected]
The CyCognito platform preempts attacks and helps satisfy key elements of most common security frameworks and many regulatory compliance standards.
Learn more about the CyCognito and take the first step to Rule Your Risk.