February 9, 2021 By Adeeb Rashid 4 min read

Staying vigilant through each phase of a mergers and acquisitions (M&A) process can help businesses overcome cloud threats.

Threat actors have hit victims during M&As in the past, such as the data breach that affected more than 500 million customers in 2018. Such cases force businesses to look into data exposure before and after M&As, and not merely during the process. Therefore, it’s best to have adequate cloud protection measures in place at each stage of an M&A. Take a look at the three stages of an M&A transaction and the cloud security needs throughout the M&A life cycle.

Why Do Cyber Threat Actors Target Mergers and Acquisitions?

Businesses concentrate on building up value while cloud defense takes a back seat during an M&A. This means they may be more open to breaches while they’re otherwise occupied. This is one of the major ways how cybersecurity impacts business in a time of change. Besides the data related to the entity being acquired, threat actors can break into the business buying it, too. Such attacks offer the potential for both short-term and long-term rewards for malicious actors.

Three Stages of a Mergers and Acquisitions Process

A mergers and acquisitions deal valuation consists of three phases: pre-acquisition, acquisition and post-acquisition. It is critical to find the potential risks at each stage of the transaction. However, studies show that business leaders tend to wait for the completion of due diligence before checking on their data.

Source: ibm.com

Phase 1: Pre-Acquisition

Whenever two business entities merge, chief information officers face a big increase in the number of cloud apps to monitor and regulate. It also becomes more urgent to protect this data to ensure proper compliance.

In this stage of the mergers and acquisitions process, you should protect the sensitive data in your corporate cloud storage. A large proportion of corporate files in the cloud, including personally identifiable information (PII), source codes and other critical data, may violate data policies at this stage. Uploading financial data or customer data into cloud apps that are not ready for enterprise could lead to severe problems.

Businesses can use secure and standard cloud storage solutions to ensure a master depository for both entities during the mergers and acquisitions process. It can prevent employees from using unsafe or unsanctioned cloud apps to store and share data, thereby preventing any untoward data leakage at this early stage.

Next, assess the safety of your cloud data and storage. This provides a close look into the target’s controls, processes, digital threats and cloud risks. It also helps let you know all major governance issues you might face and that any potential risks are closed off prior to the transaction.

Another important step is to ensure you’re complying with regulations. Undertaking a gap analysis with the target company is a vital task at this stage. It covers both companies from a regulatory standpoint and gives confidence to the acquirer that the target is doing what they need to do. Both target and acquirer also need to establish where the jurisdiction of the cloud policy extends, to best ensure any data crossing borders complies with regional policies.

Phase 2: Acquisition

If you take care of digital risks during the first phase of the mergers and acquisitions process, the job becomes much more comfortable at the second. By this stage, businesses should have a complete picture of all the data stored in the cloud, more so if the merger is between two financially related entities.

First, monitor employees’ usage of cloud storage apps. Monitor it within apps used by employees, too. It is a good idea to deploy a common platform across both parties to the deal, thereby allowing the IT security teams to monitor the transit data. It also helps them keep a close eye on what employees click on, with special attention paid to the unsanctioned apps.

Controlling the entire digital landscape is crucial at this stage. Ecosystems mostly work with other master apps in order to offer better solutions. For example, secure document signing apps could synchronize with customer relationship management or product management tools to make that task more efficient.

IT security teams should closely monitor which apps have been brought into the business during the mergers and acquisitions process without permission. They should set up a strict policy for controlling the use of such apps.

Phase 3: Post-Acquisition

Don’t let your guard down even after the mergers and acquisitions process is completed. As the deal comes together, the pot doubles in size, and managing it gets more complex.

At this point, one single storage app should suit the business across the board. It is often required as per regulatory needs and for responsible employee usage, as it will put a check on risky behaviors.

Keep an eye on risk and data management even after the merger. Your teams may be at risk of being overwhelmed by a large amount of data after the merge. If not handled well, this could open newer attack surfaces for threat actors to exploit. 

Once a transaction has been closed, the work you did in the very first stage may bring on a flurry of change due to the issues discovered along the way. For this reason, you’ll need a strategy that keeps cloud safety in mind as you adopt and integrate new tech. A proactive perspective toward new tech will also engage wider stakeholder groups and highlight chances to add value.

Keeping Cloud Security Top of Mind

Mergers and acquisitions can bring inherent cloud risks. It is ideal for the industry to look into such issues right from the start to prevent anything from falling through the cracks. Bringing together the cloud storage needs from the merging entities is always challenging. However, adopting the right policies and procedures can help mergers and acquisitions go more smoothly.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today