Parent Firm Discovers Unsecured Subsidiary Network During Routine Penetration Testing
The Challenge
During an annual penetration test, the cybersecurity team at Northgate Financial Group identified a serious oversight. What began as a routine assessment revealed gaps in subsidiary oversight and network governance.
Northgate’s Security Operations Centre commissioned the test to validate perimeter defenses and maintain compliance with PIPEDA and financial industry standards. Midway through the engagement, testers observed unusual outbound traffic to an IP range associated with Summit Lending, a mortgage subsidiary acquired two years earlier.
Further scanning found that Summit’s network ran on legacy configurations with no VPN segmentation or centralized authentication. Several servers used outdated operating systems and default administrative credentials. The subsidiary operated almost autonomously, outside Northgate’s Active Directory and without SIEM monitoring.
Within hours, testers demonstrated potential lateral movement. A phishing payload on Summit’s unsecured mail server could provide internal access and a pivot into the parent environment. This exposure put client financial data and personal information at risk and raised clear concerns under PIPEDA.
Incident responders isolated the subsidiary network. Early analysis pointed to acquisition integration gaps and a lack of centralized asset inventory. A straightforward business expansion had become a data liability. Operations were disrupted, audits were paused, and stakeholders requested assurance on risk exposure. No breach was confirmed, but the incident highlighted how an overlooked connection can become the weakest link in a complex ecosystem.
Our Solution
As the engaged risk advisory partner, we delivered a comprehensive technical security and testing program focused on immediate containment and long-term integration.
- Performed a forensic-level vulnerability assessment of the subsidiary network to identify authentication gaps, misconfigurations, and legacy systems.
- Implemented network segmentation and unified identity management by bringing the subsidiary under the parent’s directory services and SOC visibility.
- Established secure configuration baselines aligned to the NIST Cybersecurity Framework and ISO/IEC 27001 controls, while mapping requirements to PIPEDA and OSFI Guideline B-13.
- Introduced a Post-Acquisition Cybersecurity Integration Framework (PACIF) with standardized checklists for onboarding acquired entities.
- Deployed automated asset discovery and continuous monitoring to provide real-time visibility.
- Delivered targeted training for subsidiary IT staff and standardized incident reporting across business units.
The Value
Within three months, Northgate realized measurable benefits:
- External attack surface exposure reduced by 98%, verified by follow-up testing.
- Full alignment with PIPEDA and OSFI B-13 expectations, which lowered regulatory and audit risk.
- SOC coverage expanded to all subsidiaries and average detection and response times improved by 60%.
- Increased stakeholder confidence through board reporting and assurance artifacts.
- Estimated $1.2M CAD in risk avoidance when considering potential breach response, legal costs, and downtime.
Implementation Roadmap
Phase 1: Discovery and Containment (Weeks 1–2)
- Mapped parent and subsidiary networks.
- Isolated unsecured systems and blocked lateral movement.
- Catalogued legacy servers, default credentials, and unauthorized connections.
Phase 2: Analysis and Policy Alignment (Weeks 3–4)
- Conducted detailed penetration testing and vulnerability scanning.
- Mapped findings to PIPEDA, OSFI B-13, and NIST controls.
- Presented a board-level risk assessment with impact and likelihood scoring.
Phase 3: Remediation and Integration (Weeks 5–8)
- Unified access controls under centralized directory services.
- Applied secure baselines and deployed EDR across endpoints.
- Implemented continuous monitoring and integrated alerts into the SOC.
Phase 4: Governance and Improvement (Weeks 9–12)
- Rolled out PACIF and standardized acquisition onboarding.
- Ran cross-organization training and incident simulations.
- Re-tested, validated improvements, and issued compliance attestation.