Most post-merger cybersecurity challenges arise when the acquiring company fails to fully assess the cybersecurity posture of its acquisition target. After an acquisition, all vulnerabilities and incidents are the responsibility of the acquiring company.

According to a Ponemon Institute survey, 59 percent of companies that experienced a data breach in 2018 noted that it resulted from a cyber incident at a third-party vendor or business partner. The third-party risk management problem is rooted in visibility — or, rather, the lack of it.

Unaccounted-for operational technology (OT) and internet of things (IoT) devices, human errors in integration, and configuration weaknesses are just a few examples of security gaps commonly found in merged companies. Let’s take a closer look at how these risks affect both acquired and acquiring companies and what organizations can do to maintain the security of all parties involved during mergers and acquisitions (M&A).

What Is the Cost of Poor M&A Security?

For acquiring companies, the costs associated with an acquisition target’s poor cybersecurity go beyond data breaches and can affect future IT and compliance investments. Theft of valuable intellectual property and trade secrets can have far-reaching consequences that may be revealed over time. A study from FireEye found that sophisticated hackers can infiltrate networks and stay undetected for an average of 206 days. Proprietary information about business strategies and sensitive data about personnel can be stolen over a period of several months.

Data breaches affect the valuation of an acquired company, and the price of a takeover deal may be cut when breaches are revealed. The acquired company may also be required to pay a penalty to settle fraud charges and lawsuits brought by unhappy shareholders.

What You Need to Know Before Merging IT Systems

Systems of internal control and processes ensure the appropriate level of risk management. Below are some M&A security measures an acquiring company should take before merging IT systems and networks:

  • Identify what types of cyber risks the target company faces based on its industry, geography, partners, products and services.
  • Study network and system architectures, including known hardware and software vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more.
  • Understand all data handling measures and data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, especially those covering data, that the acquired company may have with another company.
  • Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards and best practices.
  • Review the existing security policies and audit results with respect to processes (operations), people and technology.
  • Investigate any previous charges, complaints or litigation involving fraud, extortion, ransom and similar matters.

Conduct an M&A Security Assessment

When acquiring a company, it’s crucial to identify any gaps in its security controls, evaluate its data protection capabilities, score the level of cyber risk and prioritize remediation activities accordingly. Below are some specific steps security and business leaders should take to assess the cybersecurity posture of an acquired company:

  • Review common organizational policies, including the information security policy, terms of use agreements, acceptable use policy and data classification policy.
  • Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks.
  • Implement network segmentation and network policies, which are crucial to realizing the synergy of the acquisition.
  • Review the acquired company’s risk strategy.
  • Review the state of IoT security.

Other M&A security factors to consider include IT security expenditures, future cybersecurity plans, certifications, regulatory compliance, cyber insurance policies, employee background verification and off-boarding, security operations centers (SOCs), cybersecurity awareness programs, vendor risk assessments, authentication and access controls, encryption, network monitoring, disaster recovery and business continuity planning, organizational structure, and the information security reporting chain.

Once you’ve conducted a security assessment of the company being targeted for an acquisition, what do you do with all that data? Below are three steps to perform post-assessment:

  • Map the available systems and processes according to the Deming Cycle, also known as the PDCA Cycle, which stands for Plan, Do, Check, Act. Recently, the National Institute of Standards and Technology (NIST) added “Prepare” as a key step in its Risk Management Framework (RMF).
  • If the acquired company is not technologically mature, it may be prudent to employ a third party to conduct an independent security audit, which includes vulnerability scans, penetration tests and custom methods to assess the security posture of the acquired company.
  • Evaluate IT security personnel through security questionnaires and interviews to help security and business leaders distinguish between rockstar employees and weak links, if any.

Post-Merger Risk Management Considerations

If you’ve followed the M&A security best practices outlined above, you’ve put your organization in an advantageous position to execute a merger or acquisition securely and confidently. But if you think that means you can ease up on security, think again.

Below are some security considerations you should keep in mind long after an M&A transaction is completed:

  • During and post-merger, implement granular controls for identity and access management (IAM), harden perimeter security, audit logs, and revise security processes and cybersecurity training.
  • Invest in automated risk management services to provide guidance and support for automating multiple risk management programs with a single, centralized IT governance, risk and compliance (GRC) platform.
  • Failure to address cybersecurity risks during M&A activity can result in damaged reputation and devaluation of the company.
  • When in doubt, remember to consult your corporate risk assessment strategy, IT governance strategy, cyber risk mitigation checklist and incident response playbooks.
