When two organizations merge, participants may be focused on the operational challenges of integrating two different computer systems. While this is an important area of focus, there are other merger considerations that should be top of mind — namely, the systems’ security.

There are many factors to assess in this area, although many are not obvious. While each of the systems used by the businesses may function just fine by themselves, how they interact may cause unexpected security flaws.

Basic Merger Considerations

The due diligence necessary for a merger to succeed cannot be treated lightly. An audit team must go beyond simple checklists and dig into the specifics of the situation.

For example, a checklist security approach might ask whether certain data is encrypted, and a positive response would be satisfactory. A deeper audit will find out how it is encrypted, where the encryption starts and ends in the process and how it is verified operationally. The specifics of how things happen in a system are crucial to determining how things will function after the merger is complete.

Simply enumerating the risks that may be present in both systems is not enough. Those risks must be mitigated before the two networks are connected, but risks that may evolve after the fact must be considered as well. What is secure in separate systems may not be secure after the two are connected; the details and the specifics will matter a great deal.

The ways that each organization uses information should also be addressed. What is OK for one party may not pass muster with the other. This includes not just technology, but the culture regarding data use and security. Acceptable activities and access levels have to be compatible or there will be problems aplenty.

While a security audit is usually not a deal breaker, the actual costs of a merger can be directly affected by its findings. It’s always best to know what costs must be endured to complete a deal.

Don’t Forget Third-Party Contracts

Third-party contracts must also be examined. What services are now being provided? How will a merger affect them? Will the third-party SLA need to be renegotiated? Will the cost of the services change?

These and other similar points must be evaluated since they can directly affect the costs associated with the merger.

Personnel Can Be a Risk, Too

Personnel in administrative or sensitive positions who work with computer systems should have their credentials validated. A background check should also be performed to determine whether those employees pose a potential risk.

If the merger might involve laying off personnel with system access, the possibility of revenge or sabotage must be entertained. Upper-level management is responsible for preventing such actions by malicious insiders. They need to proactively mitigate any weak areas of security that could be exploited.

Look to the Past

Acquirers must learn whether there have been past breaches that were not made public. If so, what information was compromised? The acquiring company takes on responsibility for that data — and this may pose a significant cost, especially when dealing with personally identifiable information. Such situations may lead to costly lawsuits that occur post-merger.

Mergers can be fraught with problems. Thinking about cybersecurity from the beginning and through all steps helps avoid problems that might derail a positive outcome.
