August 27, 2019 By Rima Bose 4 min read

Most post-merger cybersecurity challenges arise when the acquiring company fails to fully assess the cybersecurity posture of its acquisition target. After an acquisition, all vulnerabilities and incidents are the responsibility of the acquiring company.

According to a Ponemon Institute survey, 59 percent of companies that experienced a data breach in 2018 attributed it to a cyber incident at a third-party vendor or business partner. An acquisition target is, in effect, the largest third party an organization will ever take on, and the third-party risk management problem is rooted in visibility — or, rather, the lack of it.

Unaccounted-for operational technology (OT) and internet of things (IoT) devices, human errors in integration, and configuration weaknesses are just a few examples of security gaps commonly found in merged companies. Let’s take a closer look at how these risks affect both acquired and acquiring companies and what organizations can do to maintain the security of all parties involved during mergers and acquisitions (M&A).

What Is the Cost of Poor M&A Security?

For acquiring companies, the costs associated with an acquisition target’s poor cybersecurity go beyond data breaches and can affect future IT and compliance investments. Theft of valuable intellectual property and trade secrets can have far-reaching consequences that may only be revealed over time. A study from FireEye found that sophisticated attackers who infiltrate a network stay undetected for an average of 206 days, so an acquired company may already be compromised on the day the deal closes, with proprietary information about business strategies and sensitive personnel data leaving the network for months before anyone notices.

Data breaches affect the valuation of an acquired company, and the price of a takeover deal may be cut when breaches are revealed. The acquired company may also be required to pay a penalty to settle fraud charges and lawsuits brought by unhappy shareholders.

What You Need to Know Before Merging IT Systems

Well-defined systems of internal control and processes are what keep risk at an acceptable level during integration. Below are some M&A security measures an acquiring company should take before merging IT systems and networks:

  • Identify what types of cyber risks the target company faces based on its industry, geography, partners, products and services.
  • Study network and system architectures, including known hardware and software vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more.
  • Understand all data handling practices and the privacy and security controls around them, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, especially those covering data, that the acquired company has with other companies.
  • Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards and best practices in the industry.
  • Review the existing security policies and audit results with respect to processes (operations), people and technology.
  • Investigate any previous charges, complaints or litigation involving fraud, extortion, ransom and similar matters.

Conduct an M&A Security Assessment

When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, score the level of cyber risk and prioritize remediation activities accordingly. Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:

  • Review common organizational policies, including the information security policy, terms of use agreements, acceptable use policy and data classification policy.
  • Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks.
  • Review the existing network segmentation and network policies, and plan how the two environments will be connected. Keeping the acquired network segmented from the acquirer’s until the assessment is complete prevents an inherited compromise from spreading, and well-planned segmentation is crucial to realizing the synergy of the acquisition safely.
  • Review the acquired company’s risk strategy.
  • Review the state of IoT and OT device security, including any devices that are not in the asset inventory.

Other M&A security factors to consider include IT security expenditures, future cybersecurity plans, certifications, regulatory compliance, cyber insurance policies, employee background verification and off-boarding, security operations centers (SOCs), cybersecurity awareness programs, vendor risk assessments, authentication and access controls, encryption, network monitoring, disaster recovery and business continuity planning, organizational structure, and the information security reporting chain.

Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:

  • Map the available systems and processes according to the Deming Cycle, also known as the PDCA Cycle, which stands for Plan, Do, Check, Act. Note that the National Institute of Standards and Technology (NIST) recently added “Prepare” as a preliminary step in its Risk Management Framework (RMF), which fits naturally in front of the PDCA loop for an acquisition.
  • If the acquired company is not technologically mature, it may be prudent to employ a third party to conduct an independent security audit, which includes vulnerability scans, penetration tests and custom methods to assess the security posture of the acquired company.
  • Evaluate IT security personnel through security questionnaires and interviews to help security and business leaders identify both the strongest performers and any weak links on the team.

Post-Merger Risk Management Considerations

If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But if you think that means you can ease up on security, think again.

Below are some security considerations you should keep in mind long after an M&A transaction is completed:

  • During and after the merger, implement granular identity and access management (IAM) controls, harden perimeter security, review audit logs, and revise security processes and cybersecurity training to cover the combined organization.
  • Invest in automated risk management services to provide guidance and support for automating multiple risk management programs with a single, centralized IT governance, risk and compliance (GRC) platform.
  • Keep in mind that failure to address cybersecurity risks during M&A activity can result in a damaged reputation and devaluation of the company.
  • When in doubt, remember to consult your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist and incident response playbooks.
