Mergers create greater security risk

Companies should use a risk-based approach to merger review

Corporate mergers and acquisitions (M&A) can be fraught with risks related to financial matters, company culture, personnel, IT systems integration and other areas.

Security risks, both cyber and physical, certainly belong on the list of concerns. And with the ongoing shortage of professionals who are expert in various aspects of data protection—coupled with the seemingly endless stream of reports about data breaches and other security threats—this has become an even bigger concern for companies that are considering or in the midst of M&A deals.

“Any M&A activity involves an assumption of risk,” says Ariel Silverstone, vice president of security strategy, privacy and trust at GoDaddy, a provider of domain name registrations.

Among the issues Silverstone has looked at during M&A activity are regulatory compliance, security framework compatibility and potentially different business risks presented by the new organization. “Examples include physical access control, geographic data center location, cloud use model, exposure after breach, and organizational placement of the security function,” he says.


A recent report by business and technology consulting firm West Monroe Partners found that businesses lack qualified cyber security talent during M&A deals. According to the study, a majority of companies (80 percent) said cyber security issues have become highly important in the M&A due diligence process.

But 40 percent of acquiring businesses said they had discovered a cyber security problem at an acquisition only after the deal went through, which the report says indicates that standards for due diligence remain low.

The lack of skilled information security talent seemed to be the leading cause, as 32 percent of acquirers claimed not enough qualified people were involved in the cyber security diligence process in recent deals. To conduct the study, West Monroe commissioned Mergermarket to interview 30 North America-based senior M&A practitioners from the healthcare, manufacturing and distribution, banking and high-tech sectors.

Many of those queried for the report said compliance problems are one of the most common types of cyber security issues uncovered during due diligence, and a lack of comprehensive security architecture is another common issue.

“In the realm of M&A, concerns about cyber security are becoming a critical issue when companies target acquisitions,” the report notes. “A company’s cyber security infrastructure—or lack thereof—can affect the deal price, and at times determine whether a potential acquirer goes through with a deal at all.”

For companies looking to acquire another business, one of the first things to do as part of due diligence is thoroughly investigate and understand the organization they’re intending to acquire.

“That includes not only the obvious—pending claims and reported breaches, for example—but also what the target [company] may not realize is deficient,” says Behnam Dayanim, a partner in the Washington, D.C. office of law firm Paul Hastings LLP, and global co-chair of its Privacy and Cybersecurity practice.

“Privacy and security issues should be an integral part of every M&A deal,” Dayanim says. “Beyond simply requiring a representation, which amazingly some still do not require, acquirers and merger partners should understand what regulatory regimes apply to the counterparty’s business.”


They should also review all security policies and procedures and talk directly with the CISO or other executive officer responsible for security, to gain insight into the degree of sophistication of the organization’s security program, Dayanim says.

Companies that are anticipating a potential acquisition would do well to audit the target company’s information security compliance status. “That may involve external validation, but at a minimum should include a review of existing policies and procedures and an evaluation of current resources,” Dayanim says.

The pre-acquisition evaluation should include gathering security intelligence through a third party and directing a security questionnaire to the target company’s IT security staff, says David Barton, CISO at security company Forcepoint. That includes identifying the company’s “crown jewels,” such as intellectual property and financial data, and making sure they are adequately protected.

It’s also important to make sure the company has proactive employee communications in place regarding areas such as phishing and data sharing, Barton says.

As the transaction moves forward, the acquiring company should take steps to remediate any vulnerabilities that have been found, and evaluate both companies’ security policies to determine gaps and differences, Barton says.

Having people in place with the right security skills and knowledge of M&A issues is ideal. But waiting to hire cyber security talent until an acquisition is imminent is too late.

“It is unrealistic to expect a company to be able to bring in a ‘white knight’ who can revamp a deficient security situation,” Dayanim says. “Nonetheless, if a company finds itself in that situation, it would be prudent to hire capable staff and, most likely, retain external assistance to put its house in as good an order as possible before the acquisition.”

Upgrading talent before the completion of an M&A activity “is difficult at best,” Barton says. “In most cases, the security teams are not informed of the M&A activity until it’s near the completion of the merger.”

Some organizations approach the new threat landscape only after the merger is complete, Silverstone says. “This implies a possible impairment in the value of the acquired/merged organization,” he says.

A good practice is to involve the information security function, or at least work from a prepared checklist, before the deal closes. “I've used that model successfully, which resulted, at times, in deal dollars put in escrow towards mitigation of discovered security issues post deal closure,” Silverstone says.

Companies should use a risk-based approach to merger review, Silverstone says. “It would be good to have a security-focused project manager on board, and a person familiar with unique risks involved in the acquired company's business,” he says.

When such skills are not internally available, a reputable third party should conduct a risk assessment relevant to the acquiring company's framework and to the acquired company's market, such as financial services, Silverstone says.

The role of senior security executives in M&A transactions will vary from deal to deal, based on the degree of sensitivity of the industry and data to be protected, the target company’s history including whether it has experienced prior breaches or problems, the clarity of the target’s existing policies and procedures, and other factors, Dayanim says.

“Generally, the CSO/CISO of the acquiring company will only become directly involved if requested by the deal team,” Dayanim says. “That involvement may consist of review of key documents, a conversation with his or her counterpart at the target or a more extensive investigation of the target.”

The level of involvement of senior security executives in M&A transactions also depends on the comparative size of both organizations, Silverstone says. “The CSO should at least be responsible for consulting the business throughout the process, and review reports before these are submitted to the board, to the CFO or to the M&A function,” he says.

The CSO and/or CISO should be included in any M&A activity from the beginning, Barton says. “The CSO should be assigned to take the lead on all security-related issues for a merger or acquisition,” he says. “This lets them prepare for the eventual connection of the two merging companies’ networks. Too often those networks are connected without regard to any potential security risks.”

Stories by Bob Violino