Most post-merger cybersecurity challenges arise when the acquiring company fails to fully assess the cybersecurity posture of its acquisition target. After an acquisition, all vulnerabilities and incidents are the responsibility of the acquiring company.

According to a Ponemon Institute survey, 59 percent of companies that experienced a data breach in 2018 noted that it resulted from a cyber incident at a third-party vendor or business partner. The third-party risk management problem is rooted in visibility — or, rather, the lack of it.

Unaccounted-for operational technology (OT) and internet of things (IoT) devices, human errors in integration, and configuration weaknesses are just a few examples of security gaps commonly found in merged companies. Let’s take a closer look at how these risks affect both acquired and acquiring companies and what organizations can do to maintain the security of all parties involved during mergers and acquisitions (M&A).

What Is the Cost of Poor M&A Security?

For acquiring companies, the costs associated with an acquisition target’s poor cybersecurity go beyond data breaches and can affect future IT and compliance investments. Theft of valuable intellectual property and trade secrets can have far-reaching consequences that may be revealed over time. A study from FireEye found that sophisticated hackers can infiltrate networks and stay undetected for an average of 206 days. Proprietary information about business strategies and sensitive data about personnel can be stolen over a period of several months.

Data breaches affect the valuation of an acquired company, and the price of a takeover deal may be cut when breaches are revealed. The acquired company may also be required to pay a penalty to settle fraud charges and lawsuits brought by unhappy shareholders.

What You Need to Know Before Merging IT Systems

Systems of internal control and processes ensure the appropriate level of risk management. Below are some M&A security measures an acquiring company should take before merging IT systems and networks:

  • Identify what types of cyber risks the target company faces based on its industry, geography, partners, products and services.
  • Study network and system architectures, including known hardware and software vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more.
  • Understand all data handling measures and data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, especially those concerning data, that the acquired company may have with another company.
  • Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards and best practices in the industry.
  • Review the existing security policies and audit results with respect to processes (operations), people and technology.
  • Investigate any previous charges, complaints or litigation involving fraud, extortion, ransom, etc.

Conduct an M&A Security Assessment

When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, score the level of cyber risk and prioritize remediation activities accordingly. Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:

  • Review common organizational policies, including the information security policy, terms of use agreements, acceptable use policy and data classification policy.
  • Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks.
  • Implement network segmentation and network policies, which are crucial to realizing the synergy of the acquisition.
  • Review the acquired company’s risk strategy.
  • Review the state of IoT security.

Other M&A security factors to consider include IT security expenditures, future cybersecurity plans, certifications, regulatory compliance, cyber insurance policies, employee background verification and off-boarding, security operations centers (SOCs), cybersecurity awareness programs, vendor risk assessments, authentication and access controls, encryption, network monitoring, disaster recovery and business continuity planning, organizational structure, and the information security reporting chain.

Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:

  • Map the available systems and processes according to the Deming Cycle, also known as the PDCA Cycle, which stands for Plan, Do, Check, Act. Recently, the National Institute of Standards and Technology (NIST) added “Prepare” as a key step in its Risk Management Framework (RMF).
  • If the acquired company is not technologically mature, it may be prudent to employ a third party to conduct an independent security audit, which includes vulnerability scans, penetration tests and custom methods to assess the security posture of the acquired company.
  • Evaluate IT security personnel through security questionnaires and interviews to help security and business leaders distinguish between rockstar employees and weak links, if any.

Post-Merger Risk Management Considerations

If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But if you think that means you can ease up on security, think again.

Below are some security considerations you should keep in mind long after an M&A transaction is completed:

  • During and post-merger, implement granular controls for identity and access management (IAM), harden perimeter security, audit logs, and revise security processes and cybersecurity training.
  • Invest in automated risk management services to provide guidance and support for automating multiple risk management programs with a single, centralized IT governance, risk and compliance (GRC) platform.
  • Failure to address cybersecurity risks during M&A activity can result in damaged reputation and devaluation of the company.
  • When in doubt, remember to consult your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist and incident response playbooks.
