Corporate mergers and acquisitions (M&A) can be fraught with risks related to financial matters, company culture, personnel, IT systems integration and other areas.
Security risks, both cyber and physical, certainly belong on the list of concerns. And with the ongoing shortage of professionals who are expert in various aspects of data protection—coupled with the seemingly endless stream of reports about data breaches and other security threats—this has become an even bigger concern for companies that are considering or in the midst of M&A deals.
“Any M&A activity involves an assumption of risk,” says Ariel Silverstone, vice president of security strategy, privacy and trust at GoDaddy, a provider of domain name registrations.
Among the issues Silverstone has looked at during M&A activity are regulatory compliance, security framework compatibility and potentially different business risks presented by the new organization. “Examples include physical access control, geographic data center location, cloud use model, exposure after breach, and organizational placement of the security function,” he says.
[ ALSO ON CSO: How to make mergers and acquistions work ]
A recent report by business and technology consulting firm West Monroe Partners found that businesses lack qualified cyber security talent during an M&A. According to the study, a majority of companies (80 percent) said cyber security issues have become highly important in the M&A due diligence process.
But more than one third (40 percent) of acquiring businesses said they had discovered a cyber security problem at an acquisition after a deal went through, indicating that standards for due diligence remain low, the report said.
The lack of skilled information security talent seemed to be the leading cause, as 32 percent of acquirers claimed not enough qualified people were involved in the cyber security diligence process in recent deals. To conduct the study, West Monroe commissioned Mergermarket to interview 30 North America-based senior M&A practitioners from the healthcare, manufacturing and distribution, banking and high-tech sectors.
Many of those queried for the report said compliance problems are one of the most common types of cyber security issues uncovered during due diligence, and a lack of comprehensive security architecture is another common issue.
“In the realm of M&A, concerns about cyber security are becoming a critical issue when companies target acquisitions,” the report notes. “A company’s cyber security infrastructure—or lack thereof—can affect the deal price, and at times determine whether a potential acquirer goes through with a deal at all.”
For companies looking to acquire another business, one of the first things to do as part of due diligence is thoroughly investigate and understand the organization they’re intending to acquire.
“That includes not only the obvious—pending claims and reported breaches, for example—but also what the target [company] may not realize is deficient,” says Behnam Dayanim, a partner in the Washington, D.C. office of law firm Paul Hastings LLP, and global co-chair of its Privacy and Cybersecurity practice.
“Privacy and security issues should be an integral part of every M&A deal,” Dayanim says. “Beyond simply requiring a representation, which amazingly some still do not require, acquirers and merger partners should understand what regulatory regimes apply to the counterparty’s business.”
They should also review all security policies and procedures and talk directly with the CISO or other executive officer responsible for security, to gain insight into the degree of sophistication of the organization’s security program, Dayanim says.
Companies that are anticipating a potential acquisition would do well to audit the target company’s information security compliance status. “That may involve external validation, but at a minimum should include a review of existing policies and procedures and an evaluation of current resources,” Dayanim says.
The pre-acquisition evaluation should include gathering security intelligence by using a third-party and directing a security questionnaire to the IT security staff of the target company, says
David Barton, CISO at security company Forcepoint said that includes identifying the “crown jewels” of the company such as intellectual property and financial data and making sure it’s adequately protected.
It’s also important to make sure the company has proactive employee communications in place regarding areas such as phishing and data sharing, Barton says.
As the transaction moves forward, the acquiring company should take steps to remediate any vulnerabilities that have been found, and evaluate both companies security policies to determine gaps and differences, Barton says.
Having people in place with the right security skills and knowledge of M&A issues is ideal. But hiring cyber security talent to help when an acquisition is imminent is too late.
“It is unrealistic to expect a company to be able to bring in a ‘white knight’ who can revamp a deficient security situation,” Dayanim says. “Nonetheless, if a company finds itself in that situation, it would be prudent to hire capable staff and, most likely, retain external assistance to put its house in as good an order as possible before the acquisition.”
Upgrading talent before the completion of an M&A activity “is difficult at best,” Barton says. “In most cases, the security teams are not informed of the M&A activity until it’s near the completion of the merger.”
Some organizations approach the new threat landscape only after the merger is complete, Silverstone says. “This implies a possible impairment in the value of the acquired/merged organization,” he says.
A good practice is to have the information security function—or at least a prepared checklist—before the closure of the deal. “I've used that model successfully, which resulted, at times, in deal dollars put in escrow towards mitigation of discovered security issues post deal closure,” Silverstone says.
Companies should use a risk-based approach to merger review, Silverstone says. “It would be good to have a security-focused project manager on board, and a person familiar with unique risks involved in the acquired company's business,” he says.
When such skills are not internally available, a reputable third party should conduct a risk assessment relevant to the acquiring company's framework and to the acquired company's market, such as financial services, Silverstone says.
The role of senior security executives in M&A transactions will vary from deal to deal, based on the degree of sensitivity of the industry and data to be protected, the target company’s history including whether it has experienced prior breaches or problems, the clarity of the target’s existing policies and procedures, and other factors, Dayanim says.
“Generally, the CSO/CISO of the acquiring company will only become directly involved if requested by the deal team,” Dayanim says. “That involvement may consist of review of key documents, a conversation with his or her counterpart at the target or a more extensive investigation of the target.”
The level of involvement of senior security executives in M&A transactions also depends on the comparative size of both organizations, Silverstone says. “The CSO should at least be responsible for consulting the business throughout the process, and review reports before these are submitted to the board, to the CFO or to the M&A function,” he says.
The CSO and/or CISO should be included in any M&A activity from the beginning, Barton says. “The CSO should be assigned to take the lead on all security-related issues for a merger or acquisition,” he says. “This lets them prepare for the eventual connection of the two merger company’s networks. Too often those networks are connected without regard to any potential security risks.”