May 26, 2016 By Larry Loeb 2 min read

When two organizations merge, participants may be focused on the operational challenges of integrating two different computer systems. While this is an important area of focus, there are other merger considerations that should be top of mind — namely, the systems’ security.

There are many factors to assess in this area, although many are not obvious. While each of the systems used by the businesses may function just fine by themselves, how they interact may cause unexpected security flaws.

Basic Merger Considerations

The due diligence necessary for a merger to succeed cannot be treated lightly. An audit team must go beyond simple checklists and dig into the specifics of the situation.

For example, a checklist security approach might ask whether certain data is encrypted, and a positive response would be satisfactory. A deeper audit will find out how it is encrypted, where the encryption starts and ends in the process and how it is verified operationally. The specifics of how things happen in a system is crucial to determining how things will function after the merger is complete.

Simply enumerating the risks that may be present in both systems is not enough. Those risks must be mitigated before the two networks are connected, but risks that may evolve after the fact must be considered as well. What is secure in separate systems may not be secure after the two are connected; the details and the specifics will matter a great deal.

The ways that each organization uses information should also be addressed. What is OK for one party may not pass muster with the other. This includes not just technology, but the culture regarding data use and security. Acceptable activities and access levels have to be compatible or there will be problems aplenty.

While a security audit is usually not a deal breaker, the actual costs of a merger can be directly affected by its findings. It’s always best to know what costs must be endured to complete a deal.

Don’t Forget Third-Party Contracts

Third-party contracts must also be examined. What services are now being provided? How will a merger affect them? Will the third-party SLA need to be renegotiated? Will the cost of the services change?

These and other similar points must be evaluated since they can directly affect the costs associated with the merger.

Personnel Can Be a Risk, Too

Personnel in administrative or sensitive positions that work with computer systems should have their credentials validated. A background check should also be performed to determine whether those employees pose a potential risk.

If the merger might involve laying off personnel with system access, the possibility of revenge or sabotage must be entertained. Upper-level management is responsible for preventing these actions from malicious insiders. They need to proactively mitigate any weak areas of security that could be exploited.

Look to the Past

Acquirers must learn whether there have been past breaches that were not made public. If so, what information was compromised? The acquiring company takes on responsibility for that data — and this may pose a significant cost, especially when dealing with personally identifiable information. Such situations may lead to costly lawsuits that occur post-merger.

Mergers can be fraught with problems. Thinking about cybersecurity from the beginning and through all steps helps avoid problems that might derail a positive outcome.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today