Mergers and acquisitions are often brimming with ambition, opportunity and innovative thinking, but they’re also breeding grounds for risk. The focus of merger and acquisition (M&A) risk identification and evaluation is usually centered around financial, operational and contractual risk. However, there is an increasing need to review the often-overlooked information security and compliance risk associated with M&A.
At the beginning of 2020, M&A activity declined due to the economic stasis caused by the pandemic. Many non-essential businesses closed their doors altogether and went into hibernation, with countless others switching to remote working as they tried to keep things moving. However, by the end of the year, once the dust began to settle, there was a 90% surge in the number of mergers and acquisitions. With 2021 already shaping up to be one of the busiest M&A years on record, it’s more important than ever to draw attention to the security and compliance risks inherent to the process.
The Cost of Overlooking Risk During the M&A Process
In 2015, the hotel group Marriott moved to acquire Starwood Hotels to grow its portfolio. Three years later, in 2018, Marriott detected a cyber-attack on the Starwood guest reservation systems that exposed more than 200 million guest records. The intrusion had begun in 2014, a year before the acquisition, and persisted through the deal and the integration that followed.
The Information Commissioner’s Office (ICO) initially announced its intention to fine Marriott almost £100 million, even though the breach had started before the business acquired Starwood Hotels (the penalty finally imposed in October 2020 was reduced to £18.4 million). According to the ICO, “Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”
Acquiring organizations should treat security and compliance due diligence as an investment: when it is overlooked, the financial and reputational cost can be catastrophic.
Mitigating Risk in the M&A Process
Pre M&A
The security posture of a potential acquisition target should be reviewed as early in the M&A process as possible, with the right experts involved. High-level security assessments may already be available for review during the screening phase, and publicly available information, such as security breaches disclosed in news articles and public filings, is also a valuable starting point.
During M&A
Due diligence is critical to mitigating risk in M&A. The depth of investigation required is driven by the target’s risk profile, which rises when the target operates in a business area or geographic location that is new to the acquirer; a smaller organization is also likely to have less mature information security policies and procedures. Due diligence activities often include:
- Data asset inventory: Establishing a data asset inventory, which can be built with auto-discovery tools, shows how much data the target organization holds, where it is stored and how it is transferred. It helps to identify potential information security risks and is useful for planning the integration work that will be required after the deal is completed. This can also include regulatory reviews of compliance with data protection requirements such as GDPR and HIPAA.
- Detailed security assessments: Security risk assessments of the target organization’s infrastructure, networks, systems and policies should be completed to identify security and compliance gaps and to scope any remediation that may be required. These are typically aligned to industry standards such as the NIST Cybersecurity Framework and ISO/IEC 27001, so that the acquirer can map the findings into its own internal compliance program.
- Third-party risk evaluation: The target organization’s third-party risk management program should be reviewed, including an evaluation of key suppliers and partners, to confirm that their compliance and security practices are proactively assessed and continuously monitored. This reduces the risk introduced through the target’s third-party landscape.
Post M&A
A common yet overlooked challenge after the deal closes is the consolidation of security and compliance processes. The organization will need to decide whether to take a “best of breed” approach or to merge the existing processes and technology and bridge any identified gaps. An integration plan should be prepared before the deal is completed and be ready to roll out on day one. In addition, security monitoring and vigilance should be heightened rather than relaxed, because the convergence of infrastructure and networks once a deal is finalized can expose the combined organization to increased threats, as the Marriott case shows.
Any business that approaches a merger or acquisition must carry out holistic due diligence before, during and after the M&A process to understand the risks and establish relevant mitigation strategies. Although this can be a challenging and time-consuming activity, the fines associated with non-compliance with data protection legislation can be far costlier. Mergers and acquisitions also provide valuable windows to implement new processes and technologies that mitigate the security and compliance risks inherent to the M&A process and actively improve the newly formed organization’s risk posture.