Assessing subsidiary risk a top priority for most enterprises, yet they still lack proper visibility

Most enterprises are overconfident and lack the proper visibility to manage subsidiary risk, according to an Osterman Research study.

The study surveyed enterprises with more than $1 billion in annual revenue and an average of more than 19 subsidiaries.

M&A has become a standard path to rapid growth for many organizations. The global law firm White & Case reported that US M&A deal value reached a record high of US$1.27 trillion in the first half of 2021, a 324 percent increase vs. H1 2020.

“Parent companies acquiring subsidiaries through M&A activity not only onboard employees, technology and revenue, but also absorb the existing security posture of that subsidiary. This dramatically impacts the overall security of the larger organization and increases the attack surface,” said Michael Sampson, Senior Analyst at Osterman Research.

Most organizations believe they’re doing a good job managing subsidiary risk

Ironically the majority of organizations reported they perceived they were doing a good job managing subsidiary risk, yet 67 percent of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary, or that they lacked the ability or information to rule out that possibility. Even more telling, nearly 50 percent of respondents reported they would not be surprised if a cyber-breach was to occur “tomorrow” at one of their subsidiaries.

“The findings from this study underscore just how serious subsidiary risk can be to larger organizations, including those in the automotive, manufacturing, retail, finance, government and healthcare sectors,” said Rob Gurzeev, CEO at CyCognito.

“As an extension of the parent organization, the subsidiaries’ security posture is not well evaluated as part of the overall attack surface, thereby creating an attractive target for attackers. As global organizations work to get a handle on risk, visibility into the security posture of their subsidiaries are paramount to stave off revenue and reputation crushing attacks.”

Other key findings

• Assessing subsidiary risk is a high priority. 85 percent of respondents said assessing subsidiary risk is a top 10 priority relative to other security and risk initiatives. 47 percent regard subsidiary risk as a top 5 priority.
• The three highest ranked concerns about existing subsidiary risk management practices: 1. they provide only a point-in-time snapshot, 2. the process takes too long, and 3. they offer only limited test coverage, leaving too many blind spots.
• There is a huge variation between current and preferred remediation time. Two-thirds of respondents report that time to remediate a detected subsidiary risk was a week or longer on average, and sometimes up to three months. For 71 percent of respondents, the preference is a day or less.
• Risk and vulnerabilities increase with more subsidiaries. Enterprises with more subsidiaries are 50 percent more likely to take longer than a month to remediate detected security gaps than those with fewer subsidiaries.

“Subsidiaries often become part of an organization’s attack surface via a merger or acquisition. With M&A, not only do you end up with a blend of employees, operations, revenue, etc., but you also blend your cybersecurity risk,” noted Gurzeev.

“Those risks are opportunities for attackers looking for the path of least resistance to networks, applications and data they can breach – whether the starting point is the parent company or one of its subsidiaries.”