Inherited risk: The downside of mergers and acquisitions

Mergers are good for business, but they can also come with unforeseen side effects

Enterprises going through mergers and acquisitions reap the benefits of new products and other assets, but they also acquire all of the threat vectors that have been targeting the other organization. In addition, new internal threats can arise as employees often fear job security when they learn of M&A deals.

2015 has been a year of abundant change for many enterprises, from private equity firms to telco companies.

Trustwave, which announced the completion of its acquisition by Singapore Telecommunications Limited (Singtel) in late August, had itself acquired many companies in the past.

Steve Kelley, senior vice president of product and corporate marketing at Trustwave, said, “From an M&A perspective, I’ve never seen the industry as hot as it is today. One of the key reasons is that security has gone from being an IT risk to really a business risk, and that is what is driving a lot of the M&A activity.”

Businesses are beginning to understand that despite increased risks and growing threat vectors there is no perfect security. Kelley said, “We see risks shifting from IT to business risks. Irrespective of M&A, the greatest concern is data security. An attack on a company is not going to cause issue until some type of data is compromised.”

The goal of many mergers and acquisitions, Kelley said, “is protecting organizations against sensitive data loss, whether it’s credit card data, customer data, or intellectual property.”


Enterprises around the world and across industries have been engaging in mergers and acquisitions in pursuit of growth and development, but they have also had to deal with unexpected security concerns.

James Robinson, director of risk and threat management at Optiv, said, “It’s important to break a merger down into a couple different pieces.” Doing due diligence before engaging in conversations means asking the right questions.

Robinson said, “Companies should be asking, ‘What is their security program? How do they operate? Is it a good program or a security facade?’” These questions should be at the forefront of any acquisition conversation in order to avoid issues after a deal has closed.

When investigating the security program of an enterprise they might acquire, “Companies should be looking at the way that the operations exist, the documentation they have, their implemented policies and procedures, whether they have gone through their own certification process, and whether they’ve been validated by a third party,” said Robinson.

Knowing the difference between a good security program and a facade will help the acquiring company to identify the wrinkles and gaps in security. “If there is no security leader, no updated procedures, or they don’t have a program that is all encompassing, these are leading indicators that it’s more of a risk,” said Robinson.

While these glitches might be risky, they are not necessarily deal breakers as much as they are negotiation points. Being informed about the security programs of the acquiring company or company being acquired can help to mitigate some risks, but as enterprises work through the M&A process, new and unexpected threats may arise.

Robinson said, “Going into the next stages of M&A you are introducing more risk to the work force which could result in an internal adversary who isn’t in support of the acquisition.” Security leaders usually are not part of these discussions, but Robinson suggested that they should be to the extent that it is possible.


Again, due diligence means looking at every potential risk, so knowing the normal attrition rate of the other company will help a security team focus on the potential of internal threats once the word gets out.

According to Robinson, a top concern for executives post-merger is over-communication. “Keep in mind that employees are not always going to feel as excited about a corporate deal as the executives. The goal for the security team is to reduce the amount of internal threats you have,” said Robinson.

Gary Alterson, senior manager for consulting services at Cisco, agreed that internal threats present a security challenge for enterprises going through M&As. “The relevance and volume and risk posture in terms of internal threats differs depending on the type of the business.”

Employees of smaller organizations might not feel as threatened as those in larger companies.

Alterson said, “If an organization purchases or is merging with another one for efficiency or industry consolidation, it is more likely to have a higher risk profile for internal threats because there is more likelihood of layoffs, which creates this feeling of winners and losers.”

Whether it’s a disgruntled employee or a criminal targeting an enterprise, when companies join forces with another, they also combine their security threats. Alterson said, “In addition to acquiring the assets, they are also acquiring the risk profile. Oftentimes different companies have different threat profiles. Especially if it is an Asian market or a new area.”

“The challenge for CISOs,” said Alterson, “is that they might not have a full view onto threats in that particular market and might not have a full appreciation of the threats involved in that area and how to react to those threats.”

Mergers and acquisitions result in changes in strategies and operations that can also impact security. Alterson said, “One example is an organization that has been primarily involved in B2B operations and not consumer facing acquiring a unit that was more consumer facing.”

“As a result, that organization was acquiring different kinds of data such as personal information, credit card data, banking data that is often the target of a lot of mass distributed malicious code or identity feeds that a B2B wasn’t prepared to deal with before,” Alterson continued.

What they don’t know can hurt them, so enterprises need to understand the security risks involved in mergers and acquisitions.

Alterson said, “Sometimes organizations are buying a company for specific products or services. In those cases there should be a deep dive that should include pen testing or application security testing. I would also recommend that organizations ask for a disclosure of past security breaches.”

That’s not a standard due diligence question you’ll get out of a finance person, said Alterson. But if security leaders aren’t part of the negotiating team, these types of questions need to come from the finance person, the CEO, or the legal representation.

Jonathan Thompson, founder and CEO of Rook Security, said, “One of the challenges is that the CISO is not involved early enough.” The security of the enterprise, as well as the security of critical business transactions, would benefit from companies widening their circle of trust to include the CSO or CISO in the early parts of M&A conversations.

Thompson said, “One of our global 500 clients is going through an international merger. They would frequently go to hotels to conduct meetings and would use the hotel Internet.” Because they were discreetly conducting transactions, they were compromising the security of the enterprise by using unsecured WiFi.

When companies enter into mergers and acquisitions, it’s critical for both sides to understand the security policies and the ways in which they need to be intertwined into a new security architecture that protects critical data.
