New CyCognito Report Reveals Subsidiaries are Global Enterprise Achilles Heel; Increasing Attack Surface and Exposure Drawing in Attackers

67% of Parent Companies Experience a Cyberattack due to a Subsidiary. Is M&A onboarding risk?

Palo Alto, California – September 22, 2021

CyCognito, the leader in external attack surface management and attack surface protection, today announced the results from a new study that found most enterprises are overconfident and lack the proper visibility to manage subsidiary risk. The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with more than $1 billion in annual revenue and an average of more than 19 subsidiaries.

M&A has become a standard path to rapid growth for many organizations. The global law firm White & Case reported that US M&A deal value reached a record high of US$1.27 trillion in the first half of 2021, a 324 percent increase vs. H1 2020. “Parent companies acquiring subsidiaries through M&A activity not only onboard employees, technology and revenue, but also absorb the existing security posture of that subsidiary. This dramatically impacts the overall security of the larger organization and increases the attack surface,” said Michael Sampson, Senior Analyst at Osterman Research.

Closely related to the M&A process, divestitures present similar risks for organizations. When corporations divest their subsidiaries - selling them to other organizations, or to operate independently -- they also need to separate themselves from the IT responsibilities and cyber risks of the divested entities. Finding and assessing subsidiary risk, and understanding how assets connect to the parent, is fundamental to successfully managing divestiture cyber risk.

Ironically the majority of organizations reported they perceived they were doing a good job managing subsidiary risk, yet 67 percent of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out that possibility. Even more telling, nearly 50 percent of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.

Priority of Assessing Cybersecurity Risk of Subsidiaries (Percentage of respondents)

“The findings from this study underscore just how serious subsidiary risk can be to larger organizations, including those in the automotive, manufacturing, retail, finance, government and healthcare sectors,” said Rob Gurzeev, CEO and founder of CyCognito. “As an extension of the parent organization, the subsidiaries’ security posture is not well evaluated as part of the overall attack surface, thereby creating an attractive target for attackers. As global organizations work to get a handle on risk, visibility into the security posture of their subsidiaries are paramount to stave off revenue and reputation crushing attacks.”

Other key findings include:

• Assessing subsidiary risk is a high priority. 85 percent of respondents said assessing subsidiary risk is a top 10 priority relative to other security and risk initiatives. 47 percent regard subsidiary risk as a top 5 priority.
• The three highest ranked concerns about existing subsidiary risk management practices: 1. they provide only a point-in-time snapshot, 2. the process takes too long, and 3. they offer only limited test coverage, leaving too many blind spots.
• There is a huge variation between current and preferred remediation time. Two-thirds of respondents report that time to remediate a detected subsidiary risk was a week or longer on average, and sometimes up to three months. For 71 percent of respondents, the preference is a day or less.
• Risk and vulnerabilities increase with more subsidiaries. Enterprises with more subsidiaries are 50 percent more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries.

“Subsidiaries often become part of an organization’s attack surface via a merger or acquisition. With M&A, not only do you end up with a blend of employees, operations, revenue, etc., but you also blend your cyber security risk,” noted Gurzeev. “Those risks are opportunities for attackers looking for the path of least resistance to networks, applications and data they can breach -- whether the starting point is the parent company or one of its subsidiaries.”

Resources

• You Can’t Just Walk Away from Subsidiary IT Risk
• M&A Cyber Risk: The Inheritance Nobody Wants