Mitigating Merger and Acquisition Risks

Bringing together two organizations is rarely a straightforward task. There are so many factors to consider from structure and staff to tools, cultural idiosyncrasies and beyond. Lengthy and in-depth due diligence is required to understand how all the pieces work or fit together.

Sadly, the same rigor isn’t always applied to cybersecurity. According to recent reports, it is estimated that four in ten acquiring companies engaged in a merger or acquisition will discover a cybersecurity problem during the integration of the acquired company. With the first nine months of 2018 alone resulting in a record $3,3 trillion in merger activity, we can expect trouble ahead.

This is a massive oversight. Cyber-attacks are now the biggest concern for businesses in Europe, Asia and North America, according to a recent study by the World Economic Forum.

Business-related cybersecurity risks are not helped by the many and varied IT complexities organizations face, such as the integration of legacy infrastructures, the rush to embrace digital transformation, the challenges surrounding shadow IT, as well as poor employee data management practices. All too often, these factors are overlooked when two organizations become one. 

Risks specific to each party aren’t properly interrogated or understood in isolation, let alone how they will interact post-merger or acquisition. Here are some key considerations to avoid getting caught out.

Ensure technology is part of the negotiations
Technology must be on the agenda for any talks. Details to consider should include the industry quirks, geographic footprints, and the nature of products and services provided. It is vital for companies to investigate all relevant cybersecurity and data privacy risks, accurately charting their future evolution and cross-organizational impact.

Transparency is key. Acquisition targets should be evaluated with the same rigor as any external supplier to the business. What security policies do they have in place? How are staff certified or vetted? What industry standards do they comply with? Always dig deep and work through all prior cybersecurity incidents, including successful and attempted data breaches. Understand how such incidents were responded to. Only then can all parties be sure they are adequately covered for a safe and secure union. Not knowing about or understanding previous and extant security compromises is a major risk.

Consider information use in a post-GDPR world
It is more important than ever to fully grasp the extent to which a selling company gathers and uses personal information. This is especially true for customer-focused and highly sensitive proprietary data. Make sure all commitments and representations made by the selling company to customers in relation to privacy and the handling of personal are reviewed.

Depending on the residency of the customer, there is a strong probability that business security policies must be aligned with the EU GDPR, as well as the laws of the country the data is held in. It is particularly important to determine if additional consents are needed after merger or acquisition activity. Past failings or a poor network management history can now result in significant fines.

Appoint someone to oversee IT infrastructure alignment
Waste no time in ascertaining the reach and limitations of both parties’ existing security programs. Once the deal has been concluded and the relevant documentation signed, it is crucial to appoint someone to oversee IT infrastructure alignment. Understanding the network, system architecture and data flows of both companies is key to avoiding headaches further down the line.

The process should entail considering what sensitive data is being held, where it exists and ensuring adequate measures are in place to protect it. At every juncture, it is essential to remind all staff to exercise caution when it comes to data privacy and cybersecurity.

Planning ahead
There is no getting around it. Hackers typically view mergers and acquisitions as a prime opportunity for exploits. A lot of variables are at play and in transition. Attack surfaces instantly widen, and oversights become blurred as organizations suddenly sprawl off in new directions.

Cybersecurity should always be prioritized from the outset. A long-term plan with buy in from both businesses is vital. It is important to act quickly, and pressure will be on for business to commence. It is all too easy to become apathetic to, for example, the complexities of reviewing and consolidating security tools and practices across entire application portfolios. Getting buy in for thorough cybersecurity reviews across both businesses from day one can be tough but it is the only safe way ahead.

What’s Hot on Infosecurity Magazine?