BLUF – Organisations entering or exiting a market/ region have a number of constraints and obstacles to navigate. Often overlooked are ones related to cyber – both from legal and dependency perspectives. Here is what to consider.
In the dynamic world of organisational survival, the utility of effectively entering or exiting a market (by region or sector) is paramount. Though the plans are often well thought-out and executed, considerations for cyber risk and impact are often absent. As you think about your exit/ entry strategies and M&A, it would be useful to understand the following:
Entrance Considerations – Whether entering a new region of untapped resources or market hungry for your products and services, understand the challenges of your digital reliance.
Legal/ regulatory requirements and reporting – As we are seeing in recent US laws, bills and recommendations (SEC, anyone?) government entities are looking for ways to secure their environments. Whether you’ve maturity assessments from regulators, incident (or potential incident) reporting to government entities, or CVE (and similar) attestations, the relative requirements are growing exponentially. Recognising what the country will require and resourcing it properly is key – as you may normally assume Legal or Compliance can handle it, but they don’t necessarily know cyber asks. Also it is good to know if there are potentials where government actions significantly affect systemic or regional in ways previously not considered, Russian RuNet as an example.
Ecosystems and relative dependencies – Determining business continuity or operational resilience relies on more than backing up internal processes, but continuing through disruption – regardless where it originates. Part of the understanding is seeing the ecosystems you will be embedded in. ISPs, MSPs, telecoms and every other supplier with digital footprints within your organisation may suffer a disruption. Their suppliers may be disrupted. You may not be affected by a supply chain attack, but they might – what is the disruptive impact? Understanding the larger digital ecosystem in the environment your organisation is entering may make a difference in expectations and builds. How far outside of your organisation should you look? Certainly look to who supports you, likely should have at least an idea who primarily supports them. This creates the argument for broader interpretation of business continuity alerting.
Data limitations – Some countries, whether for protection of citizens or desire for visibility (SORM comes to mind) require data gleaned for clients in country is housed within the country. Creating potential challenges, you will need to consider what is permissible and execution strategies within those bounds. If using cloud or tools located elsewhere, what will be the required and adjusted so data doesn’t travel in violation?
Exit Considerations – Fortunately, exiting a location or divesting part of a business there isn’t quite as challenging, however there still are a few considerations:
Less attack surface – Normally considered a pro, a downside presents itself – less visibility. Whilst many times your cyber triage/ IR/ intel teams wouldn’t be consulted on what was lost in exiting a market, depending on the geo/ function it may limit the observation scope they rely upon to mitigate threats. Some parts of the world or business provision test cases for defenders to see what they are up against. Not a reason to keep operating in non-profitable spaces, just consider resource allocation for tools and means for them to maintain visibility and clarity potentially lost.
Data retention regulations – The organisation may not have a clean exit due to regulatory data retention requirements. Depending on the type of data, there may be a several year requirement. If part of the organisation leaves, considerations for who will take on the data ownership and making certain the proper care is in place not to invoke a violation is essential. After all, who wants to look after what would be considered inconvenient, irrelevant data? If the whole organisation exits, either a beachhead office or third party caretaker may be needed.
As we see governments’ increased involvement and investment to keep their population safe from cyber threats, understanding and navigating around cyber considerations within market entrances and exits proves valuable elements of the overall strategies. Just as businesses depend on digital means, those means have additional requirements for care and safekeeping.