
Security Posture by Example

Scenario 19 - Mergers and Acquisitions Rainy Day

Due to the huge success in the previous scenario, Amalgamated Virtual Sports decides to acquire Beat the Spread, a sports betting company where punters bet on the spread on other sports betting sites.

As in the previous example, the AEC team requests cybersecurity information on Beat the Spread's products and suppliers.

Beat the Spread has not invested in cybersecurity and has neither a PACE system nor SBOMs for most of its products. It does have a single-hop SBOM that one developer made to learn about SBOMs. Unfortunately, that developer parlayed his SBOM expertise into a better job at another company.

The Amalgamated Virtual Sports CISO team begins its due diligence by analyzing the one SBOM. The analysis reveals both major licensing issues and many unpatched vulnerabilities, several of them severe. Another troubling point is that these vulnerabilities have had known fixes for many years. The team recognizes that Beat the Spread is a higher-value target for hackers because of the higher dollar value inherent in gambling money changing hands. The team performs a quantitative risk analysis, which concludes that there is a significant probability of material financial risk.

The CISO team informs the boards of both companies of their findings. The Amalgamated board stops the proposed acquisition based on these results. The Beat the Spread board ignores the recommendations and goes looking for another buyer.

One of Amalgamated's competitors, without performing an equivalent due diligence, acquires Beat the Spread at what it considers bargain-basement prices. Six months later, the competitor makes adverse headlines due to a major cyberattack leveraging Beat the Spread's unpatched vulnerabilities, and shortly thereafter declares bankruptcy. Many of its customers move to Amalgamated, resulting in even larger profits and bonuses.