February 9, 2021 By Adeeb Rashid 4 min read

Staying vigilant through each phase of a mergers and acquisitions (M&A) process can help businesses overcome cloud threats.

Threat actors have hit victims during M&As in the past, such as the data breach that affected more than 500 million customers in 2018. Such cases force businesses to look into data exposure before and after M&As, and not merely during the process. Therefore, it’s best to have adequate cloud protection measures in place at each stage of an M&A. Take a look at the three stages of an M&A transaction and the cloud security needs throughout the M&A life cycle.

Why Do Cyber Threat Actors Target Mergers and Acquisitions?

Businesses concentrate on building up value while cloud defense takes a back seat during an M&A. This means they may be more open to breaches while they’re otherwise occupied. This is one of the major ways how cybersecurity impacts business in a time of change. Besides the data related to the entity being acquired, threat actors can break into the business buying it, too. Such attacks offer the potential for both short-term and long-term rewards for malicious actors.

Three Stages of a Mergers and Acquisitions Process

A mergers and acquisitions deal valuation consists of three phases: pre-acquisition, acquisition and post-acquisition. It is critical to find the potential risks at each stage of the transaction. However, studies show that business leaders tend to wait for the completion of due diligence before checking on their data.

Source: ibm.com

Phase 1: Pre-Acquisition

Whenever two business entities merge, chief information officers face a big increase in the number of cloud apps to monitor and regulate. It also becomes more urgent to protect this data to ensure proper compliance.

In this stage of the mergers and acquisitions process, you should protect the sensitive data in your corporate cloud storage. A large proportion of corporate files in the cloud, including personally identifiable information (PII), source codes and other critical data, may violate data policies at this stage. Uploading financial data or customer data into cloud apps that are not ready for enterprise could lead to severe problems.

Businesses can use secure and standard cloud storage solutions to ensure a master depository for both entities during the mergers and acquisitions process. It can prevent employees from using unsafe or unsanctioned cloud apps to store and share data, thereby preventing any untoward data leakage at this early stage.

Next, assess the safety of your cloud data and storage. This provides a close look into the target’s controls, processes, digital threats and cloud risks. It also helps let you know all major governance issues you might face and that any potential risks are closed off prior to the transaction.

Another important step is to ensure you’re complying with regulations. Undertaking a gap analysis with the target company is a vital task at this stage. It covers both companies from a regulatory standpoint and gives confidence to the acquirer that the target is doing what they need to do. Both target and acquirer also need to establish where the jurisdiction of the cloud policy extends, to best ensure any data crossing borders complies with regional policies.

Phase 2: Acquisition

If you take care of digital risks during the first phase of the mergers and acquisitions process, the job becomes much more comfortable at the second. By this stage, businesses should have a complete picture of all the data stored in the cloud, more so if the merger is between two financially related entities.

First, monitor employees’ usage of cloud storage apps. Monitor it within apps used by employees, too. It is a good idea to deploy a common platform across both parties to the deal, thereby allowing the IT security teams to monitor the transit data. It also helps them keep a close eye on what employees click on, with special attention paid to the unsanctioned apps.

Controlling the entire digital landscape is crucial at this stage. Ecosystems mostly work with other master apps in order to offer better solutions. For example, secure document signing apps could synchronize with customer relationship management or product management tools to make that task more efficient.

IT security teams should closely monitor which apps have been brought into the business during the mergers and acquisitions process without permission. They should set up a strict policy for controlling the use of such apps.

Phase 3: Post-Acquisition

Don’t let your guard down even after the mergers and acquisitions process is completed. As the deal comes together, the pot doubles in size, and managing it gets more complex.

At this point, one single storage app should suit the business across the board. It is often required as per regulatory needs and for responsible employee usage, as it will put a check on risky behaviors.

Keep an eye on risk and data management even after the merger. Your teams may be at risk of being overwhelmed by a large amount of data after the merge. If not handled well, this could open newer attack surfaces for threat actors to exploit. 

Once a transaction has been closed, the work you did in the very first stage may bring on a flurry of change due to the issues discovered along the way. For this reason, you’ll need a strategy that keeps cloud safety in mind as you adopt and integrate new tech. A proactive perspective toward new tech will also engage wider stakeholder groups and highlight chances to add value.

Keeping Cloud Security Top of Mind

Mergers and acquisitions can bring inherent cloud risks. It is ideal for the industry to look into such issues right from the start to prevent anything from falling through the cracks. Bringing together the cloud storage needs from the merging entities is always challenging. However, adopting the right policies and procedures can help mergers and acquisitions go more smoothly.

More from CISO

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today