CyCognito Report Reveals Subsidiaries are Global Enterprise Achilles Heel

CyCognito, a leader in external attack surface management and attack surface protection, released results from a study that found most enterprises are overconfident and lack the proper visibility to manage subsidiary risk.

The study, commissioned by CyCognito and conducted by Osterman Research, surveyed enterprises with more than $1 billion in annual revenue and an average of more than 19 subsidiaries.

Mergers and acquisitions have become a standard path to rapid growth for many organizations. The global law firm White & Case reported that U.S. M&A deals reached a record high $1.27 trillion in the first half of 2021, a 324 percent increase compared to the same period in 2020.

“Parent companies acquiring subsidiaries through M&A activity not only onboard employees, technology and revenue, but also absorb the existing security posture of that subsidiary. This dramatically impacts the overall security of the larger organization and increases the attack surface,” said Michael Sampson, senior analyst at Osterman Research.

Closely related to the M&A process, divestitures present similar risks for organizations. When corporations divest their subsidiaries, finding and assessing subsidiary risk, and understanding how assets connect to the parent, is fundamental to managing divestiture cyber risk.

Ironically, most organizations reported that they believed they were doing a good job managing subsidiary risk, yet 67 percent of respondents said their organization had experienced a cyberattack where the attack chain included a subsidiary, or they lacked the ability or information to rule out that possibility. Even more telling, nearly 50 percent of respondents reported they would not be surprised if a cyber-breach were to occur “tomorrow” at one of their subsidiaries.

“The findings from this study underscore just how serious subsidiary risk can be to larger organizations, including those in the automotive, manufacturing, retail, finance, government and healthcare sectors,” said Rob Gurzeev, CEO and founder of CyCognito. “As an extension of the parent organization, the subsidiaries’ security posture is not well evaluated as part of the overall attack surface, thereby creating an attractive target for attackers. As global organizations work to get a handle on risk, visibility into the security posture of their subsidiaries is paramount to stave off revenue- and reputation-crushing attacks.”

To download the report, visit: https://www.cycognito.com/subsidiary-risk-report