M&A Security Considerations and the Importance of Due Diligence

Most post-merger cybersecurity challenges arise when the acquiring company fails to fully assess the cybersecurity posture of its acquisition target. After an acquisition, all vulnerabilities and incidents are the responsibility of the acquiring company.

According to a Ponemon Institute survey, 59 percent of companies that experienced a data breach in 2018 noted that it resulted from a cyber incident at a third-party vendor or business partner. The third-party risk management problem is rooted in visibility — or, rather, the lack of it.

Unaccounted-for operational technology (OT) and internet of things (IoT) devices, human errors in integration, and configuration weaknesses are just a few examples of security gaps commonly found in merged companies. Let’s take a closer look at how these risks affect both acquired and acquiring companies and what organizations can do to maintain the security of all parties involved during mergers and acquisitions (M&A).

What Is the Cost of Poor M&A Security?

For acquiring companies, the costs associated with an acquisition target’s poor cybersecurity go beyond data breaches and can affect future IT and compliance investments. Theft of valuable intellectual property and trade secrets can have far-reaching consequences that may be revealed over time. A study from FireEye found that sophisticated hackers can infiltrate networks and stay undetected for an average of 206 days. Proprietary information about business strategies and sensitive data about personnel can be stolen over a period of several months.

Data breaches affect the valuation of an acquired company, and the price of a takeover deal may be cut when breaches are revealed. The acquired company may also be required to pay a penalty to settle fraud charges and lawsuits brought by unhappy shareholders.

What You Need to Know Before Merging IT Systems

Systems of internal control and processes ensure the appropriate level of risk management. Below are some M&A security measures an acquiring company should take before merging IT systems and networks:

• Identify what types of cyber risks the target company faces based on its industry, geography, partners, products and services.
• Study network and system architectures, including known hardware and software vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more.
• Understand all data handling measures, data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, specially over data, that the acquired company may have with another company.
• Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards and best practices in the industry.
• Review the existing security policies and audit results with respect to processes (operations), people and technology.
• Investigate any previous charges complaints or litigation around fraud, extortion, ransom, etc.

Conduct an M&A Security Assessment

When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, score the level of cyber risk and prioritize remediation activities accordingly. Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:

• Review common organizational policies, including the information security policy, terms of use agreements, acceptable use policy and data classification policy.
• Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks.
• Implement network segmentation and network policies, which are crucial to realizing the synergy of the acquisition.
• Review the acquired company’s risk strategy.
• Review the state of IoT security.

Other M&A security factors to consider include IT security expenditures, future cybersecurity plans, certifications, regulatory compliance, cyber insurance policies, employee background verification and off-boarding, security operations centers (SOCs), cybersecurity awareness programs, vendor risk assessments, authentication and access controls, encryption, network monitoring, disaster recovery and business continuity planning, organizational structure, and the information security reporting chain.

Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:

• Map the available systems and processes according to the Deming Cycle, also known as the PDCA Cycle, which stands for Plan, Do, Check, Act. Recently, the National Institute of Standards and Technology (NIST) added “Prepare” as a key step in its Risk Management Framework (RMF).
• If the acquired company is not technologically mature, it may be prudent to employ a third party to conduct an independent security audit, which includes vulnerability scans, penetration tests and custom methods to assess the security posture of the acquired company.
• Evaluate IT security personnel through security questionnaires and interviews to help security and business leaders distinguish between rockstar employees and weak links, if any.

Post-Merger Risk Management Considerations

If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But if you think that means you can ease up on security, think again.

Below are some security considerations you should keep in mind long after an M&A transaction is completed:

• During and post-merger, implement granular controls for identity and access management (IAM), harden perimeter security, audit logs, and revise security processes and cybersecurity training.
• Invest in automated risk management services to provide guidance and support for automating multiple risk management programs with a single, centralized IT governance, risk and compliance (GRC) platform.
• Failure to address cybersecurity risks during M&A activity can result in damaged reputation and devaluation of the company.
• When in doubt, remember to consult your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist and incident response playbooks.