How AWS can help - AWS Prescriptive Guidance


In May 2020, a leading financial services company in the US reached out to AWS Professional Services for help with a series of long-term acquisitions across the globe. The company asked AWS to help assess the security posture of all targeted acquisitions, develop a remediation plan for security leadership to discuss with the business to be acquired, and help with remediation of all findings that posed a risk to the merger. The customer wanted a long-term plan to support its multi-year M&A roadmap. The Chief Information Security Officer (CISO) was looking for specific remediation activities, with costs and resource requirements spread across the timeline of the acquisition deal. These types of inquiries surfaced after courts ordered seller companies that were slow to disclose data breaches during 2013-2016 to pay hundreds of millions of dollars in settlements to victims, which resulted in reduced offers from buyer companies.

AWS has been successfully advising corporate directors on governing digital transformation and emerging technologies. The Marsh & McLennan practical guide prepared in January 2020 for the National Association of Corporate Directors (NACD) noted that Amazon has been recognized for meeting customers' needs on business intelligence and technical capabilities. The guide recommends, "Boards should assess whether their enterprises are able to build these types of digital platforms, or if they are ready to become a lead contributor to the new business ecosystems that these digital platforms are creating." AWS has expertise in empowering customers from various industries on digital platforms. AWS Professional Services can help customers strengthen their regulatory and risk posture by operating at the three lines of defense (3LoD): control implementation, control management and oversight, and control assessment.

AWS can aggregate insights on technology risks, which are fundamental data points to advising a company’s audit committee and risk committee. The following sections describe the challenges companies face throughout four M&A and divestitures phases, and where AWS can help:

Strategy and target identification phase

During the formulation of the thesis (the argument for the buyer's opportunity, including gross profit, top-line revenue, asset value, and a strong customer base, should they choose to complete the deal) and target identification, potential buyers have less visibility into the security and compliance posture of the target company. This reduced visibility is attributed to various reasons, such as concerns about intellectual property and inadvertent disclosure of privileged and confidential regulatory information.

Asset management has been a known challenge for companies that are geographically dispersed and that have many third-party connections. This makes the technology asset identification process harder, especially when determining interrelationships among systems that might be affected by the divestiture. AWS Systems Manager Inventory provides visibility into a customer's Amazon Elastic Compute Cloud (Amazon EC2) and on-premises computing environment on the seller's side. The AWS account structure and AWS Organizations organizational units (OUs) are fundamental during this process, because OUs can be created to park the accounts and resources of businesses that are scoped to be sold. In addition, AWS provides assistance in the following ways:

  • The decoupled nature of AWS services makes it easier for executives to select the businesses targeted for the divestiture.

  • To make diligence easier for the buyer, AWS can help articulate the value of the technology advancements and quantify the technology risk as part of value realization.

  • AWS Professional Services can perform AWS security assessments to enable strategic envisioning, regulatory risk predictions, business value and threat analysis, risk reduction, acceleration of results, and avoidance of obstacles with security and compliance.

  • For customers who are aspiring to regulatory attestations, such as Payment Card Industry (PCI) or Health Information Trust Alliance Common Security Framework (HITRUST CSF), AWS Security Assurance Services, LLC (AWS SAS), a wholly owned subsidiary of Amazon Web Services, helps AWS customers with regulatory readiness.
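Parking the accounts of a business scoped for sale under a dedicated OU, as mentioned above, can be planned first and then applied with the AWS Organizations MoveAccount API. The following is an added example, not code from the guidance or from AWS; it assumes a hypothetical BusinessUnit tag on each account and uses constructed account and OU ids.

```python
# Added example (not from the AWS guidance page): plan and apply moving the accounts of a
# business scoped for sale into a dedicated divestiture OU in AWS Organizations.
# Assumptions: each account carries a hypothetical BusinessUnit tag; all ids are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Account:
    account_id: str
    parent_ou: str                 # OU the account currently sits under
    business_unit: Optional[str]   # value of the (assumed) BusinessUnit tag, None if untagged

def plan_divestiture_moves(accounts: Iterable[Account], scoped_units: set, target_ou: str):
    """Return (moves, needs_review).

    moves: (account_id, source_ou, target_ou) for every account whose business unit is in
           scope and that is not already under target_ou, so re-running the plan is idempotent.
    needs_review: untagged accounts. They may host systems shared between retained and sold
           businesses (the interrelationships the guidance warns about), so they are listed
           for a human decision and never moved automatically.
    """
    moves, needs_review = [], []
    for acct in accounts:
        if acct.business_unit is None:
            needs_review.append(acct.account_id)
        elif acct.business_unit in scoped_units and acct.parent_ou != target_ou:
            moves.append((acct.account_id, acct.parent_ou, target_ou))
    return moves, needs_review

def apply_moves(moves, org_client):
    """Apply the plan through the Organizations MoveAccount API; returns the number of moves.

    org_client is normally boto3.client("organizations"); any object exposing a compatible
    move_account(AccountId=, SourceParentId=, DestinationParentId=) method works, which lets
    the plan be dry-run against a recorder before touching the real organization.
    """
    for account_id, source_ou, target_ou in moves:
        org_client.move_account(AccountId=account_id, SourceParentId=source_ou,
                                DestinationParentId=target_ou)
    return len(moves)

# Constructed sample organization: retained business units plus one scoped for sale.
DIVESTITURE_OU = "ou-divest-example"
SAMPLE_ACCOUNTS = [
    Account("111111111111", "ou-retail-example", "Retail"),
    Account("222222222222", "ou-payments-example", "Payments-EU"),
    Account("333333333333", DIVESTITURE_OU, "Payments-EU"),  # already parked, skipped
    Account("444444444444", "ou-shared-example", None),      # untagged, flagged for review
]

if __name__ == "__main__":
    moves, review = plan_divestiture_moves(SAMPLE_ACCOUNTS, {"Payments-EU"}, DIVESTITURE_OU)
    print("moves:", moves)
    print("needs review:", review)
```

Run the planner against the real account list (for example, from ListAccountsForParent plus ListTagsForResource) and review the flagged accounts before calling apply_moves with a real client.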

Due diligence and deal fulfillment phase

Industry best practices advise the buyer to complete the following steps:

  • Perform an overall evaluation of the security governance and operating model.

  • Evaluate investments in the security program and in automation (or the lack of it).

  • Evaluate the effectiveness of the risk management programs and board-level oversight on risks that affect business goals and regulatory posture.

  • Review previous security incidents and non-compliance citations on regulatory frameworks pertaining to privacy.

The security, risk, and compliance advisory services offered by AWS Professional Services can help customers scope the regulatory frameworks that apply to their industry, geographic region, and product or service. They can also perform an overall evaluation of risk and operational readiness. This evaluation includes an in-depth architecture review and risk assessments, as well as help with remediation plans. Customers can choose to deploy AWS services such as Amazon Inspector, an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Integration phase

Merging companies incur assimilation challenges, which affect the technology governance and operating models.

Technology governance is the foundation of security management. Consistent procedural controls by employees complement the technical controls that are embedded within corporate systems. AWS Professional Services offers governance at scale to help customers establish a governance structure and create an operating model that mitigates identified risks with the customer’s office of change management.

For customers who don’t have an office of change management, AWS can help set one up. As part of remediation plans, customers benefit from AWS expertise to implement controls based on their regulatory landscape, address security weaknesses, and enable technical teams to scale with security automation and tools to maintain continuous monitoring.

Post-transaction value creation phase

In this phase, companies need to be able to scale and grow their business while continuously managing their risks and their new regulatory posture. AWS helps customers automate and scale their technical capabilities to meet their strategic goals, and helps ensure that the company's technology posture aligns with its business strategy. AWS Security Hub aggregates, organizes, and prioritizes security alerts or findings from multiple AWS services and AWS Partner solutions. In addition, AWS Config enables customers to assess, audit, and evaluate the configurations of their AWS resources continuously.