August 27, 2019 By Rima Bose 4 min read

Most post-merger cybersecurity challenges arise when the acquiring company fails to fully assess the cybersecurity posture of its acquisition target. After an acquisition, all vulnerabilities and incidents are the responsibility of the acquiring company.

According to a Ponemon Institute survey, 59 percent of companies that experienced a data breach in 2018 noted that it resulted from a cyber incident at a third-party vendor or business partner. The third-party risk management problem is rooted in visibility — or, rather, the lack of it.

Unaccounted-for operational technology (OT) and internet of things (IoT) devices, human errors in integration, and configuration weaknesses are just a few examples of security gaps commonly found in merged companies. Let’s take a closer look at how these risks affect both acquired and acquiring companies and what organizations can do to maintain the security of all parties involved during mergers and acquisitions (M&A).

What Is the Cost of Poor M&A Security?

For acquiring companies, the costs associated with an acquisition target’s poor cybersecurity go beyond data breaches and can affect future IT and compliance investments. Theft of valuable intellectual property and trade secrets can have far-reaching consequences that may be revealed over time. A study from FireEye found that sophisticated hackers can infiltrate networks and stay undetected for an average of 206 days. Proprietary information about business strategies and sensitive data about personnel can be stolen over a period of several months.

Data breaches affect the valuation of an acquired company, and the price of a takeover deal may be cut when breaches are revealed. The acquired company may also be required to pay a penalty to settle fraud charges and lawsuits brought by unhappy shareholders.

What You Need to Know Before Merging IT Systems

Systems of internal control and processes ensure the appropriate level of risk management. Below are some M&A security measures an acquiring company should take before merging IT systems and networks:

  • Identify what types of cyber risks the target company faces based on its industry, geography, partners, products and services.
  • Study network and system architectures, including known hardware and software vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more.
  • Understand all data handling measures, data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, specially over data, that the acquired company may have with another company.
  • Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards and best practices in the industry.
  • Review the existing security policies and audit results with respect to processes (operations), people and technology.
  • Investigate any previous charges complaints or litigation around fraud, extortion, ransom, etc.

Conduct an M&A Security Assessment

When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, score the level of cyber risk and prioritize remediation activities accordingly. Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:

  • Review common organizational policies, including the information security policy, terms of use agreements, acceptable use policy and data classification policy.
  • Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks.
  • Implement network segmentation and network policies, which are crucial to realizing the synergy of the acquisition.
  • Review the acquired company’s risk strategy.
  • Review the state of IoT security.

Other M&A security factors to consider include IT security expenditures, future cybersecurity plans, certifications, regulatory compliance, cyber insurance policies, employee background verification and off-boarding, security operations centers (SOCs), cybersecurity awareness programs, vendor risk assessments, authentication and access controls, encryption, network monitoring, disaster recovery and business continuity planning, organizational structure, and the information security reporting chain.

Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:

  • Map the available systems and processes according to the Deming Cycle, also known as the PDCA Cycle, which stands for Plan, Do, Check, Act. Recently, the National Institute of Standards and Technology (NIST) added “Prepare” as a key step in its Risk Management Framework (RMF).
  • If the acquired company is not technologically mature, it may be prudent to employ a third party to conduct an independent security audit, which includes vulnerability scans, penetration tests and custom methods to assess the security posture of the acquired company.
  • Evaluate IT security personnel through security questionnaires and interviews to help security and business leaders distinguish between rockstar employees and weak links, if any.

Post-Merger Risk Management Considerations

If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But if you think that means you can ease up on security, think again.

Below are some security considerations you should keep in mind long after an M&A transaction is completed:

  • During and post-merger, implement granular controls for identity and access management (IAM), harden perimeter security, audit logs, and revise security processes and cybersecurity training.
  • Invest in automated risk management services to provide guidance and support for automating multiple risk management programs with a single, centralized IT governance, risk and compliance (GRC) platform.
  • Failure to address cybersecurity risks during M&A activity can result in damaged reputation and devaluation of the company.
  • When in doubt, remember to consult your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist and incident response playbooks.

More from Security Services

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

39% of MSPs report major setbacks when adapting to advanced security technologies

4 min read - SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools solutions. It also documents newly discovered risks and challenges in the industry.Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today