Merger Considerations Must Involve Cybersecurity

When two organizations merge, participants may be focused on the operational challenges of integrating two different computer systems. While this is an important area of focus, there are other merger considerations that should be top of mind — namely, the systems’ security.

There are many factors to assess in this area, although many are not obvious. While each of the systems used by the businesses may function just fine by themselves, how they interact may cause unexpected security flaws.

Basic Merger Considerations

The due diligence necessary for a merger to succeed cannot be treated lightly. An audit team must go beyond simple checklists and dig into the specifics of the situation.

For example, a checklist security approach might ask whether certain data is encrypted, and a positive response would be satisfactory. A deeper audit will find out how it is encrypted, where the encryption starts and ends in the process and how it is verified operationally. The specifics of how things happen in a system is crucial to determining how things will function after the merger is complete.

Simply enumerating the risks that may be present in both systems is not enough. Those risks must be mitigated before the two networks are connected, but risks that may evolve after the fact must be considered as well. What is secure in separate systems may not be secure after the two are connected; the details and the specifics will matter a great deal.

The ways that each organization uses information should also be addressed. What is OK for one party may not pass muster with the other. This includes not just technology, but the culture regarding data use and security. Acceptable activities and access levels have to be compatible or there will be problems aplenty.

While a security audit is usually not a deal breaker, the actual costs of a merger can be directly affected by its findings. It’s always best to know what costs must be endured to complete a deal.

Don’t Forget Third-Party Contracts

Third-party contracts must also be examined. What services are now being provided? How will a merger affect them? Will the third-party SLA need to be renegotiated? Will the cost of the services change?

These and other similar points must be evaluated since they can directly affect the costs associated with the merger.

Personnel Can Be a Risk, Too

Personnel in administrative or sensitive positions that work with computer systems should have their credentials validated. A background check should also be performed to determine whether those employees pose a potential risk.

If the merger might involve laying off personnel with system access, the possibility of revenge or sabotage must be entertained. Upper-level management is responsible for preventing these actions from malicious insiders. They need to proactively mitigate any weak areas of security that could be exploited.

Look to the Past

Acquirers must learn whether there have been past breaches that were not made public. If so, what information was compromised? The acquiring company takes on responsibility for that data — and this may pose a significant cost, especially when dealing with personally identifiable information. Such situations may lead to costly lawsuits that occur post-merger.

Mergers can be fraught with problems. Thinking about cybersecurity from the beginning and through all steps helps avoid problems that might derail a positive outcome.


Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other...