In anticipation of the economic fallout of the pandemic, companies have accumulated war chests of more than $7.6 trillion in cash and marketable securities (according to a forecast published by PWC in January 2021). This abundance of available cash, interest rates that remain at historic lows, increased vaccination rates, and pent-up demand will certainly lead to increased confidence and ever-increasing M&A activity.
While great efforts are invested in financial due diligence before a merger or acquisition deal, the same is usually not the same for performing information security risk due diligence. Preparations and negotiations around M&A activities are highly secretive, often leaving the cyber security practitioners responsible for securely integrating companies in the dark and therefore unable to foresee the risks that will be inherited nor plan for smooth and secure integration. Many reasons exist for this reality, and I am not looking to list and debate them here. Another day perhaps. My goal here is to provide some insight and some recommended actions aimed at helping information security practitioners who find themselves faced with merging multiple organizations, very likely with little or no advance notice.
Integrating Businesses = Business Continuity
Priority one for the post-acquisition or merger announcement is to continue delivering products and services to the collection of active clients serviced as of day one. Since mergers and acquisitions fail at a rate of 70% to 90% of the time, according to the Harvard Business Review, there is ample history to show that success is not at all guaranteed. With that in mind, we can see why a merger is, in reality, a Business Continuity execution event, with significant risk that a major business effort may fail. Many decisions and factors outside the realm of IT, compliance, and cybersecurity contribute to this risk of failure, but the compliance and cybersecurity risks are still significant. As in everyday operations, the cybersecurity and compliance teams play a key role. While they may not have advance notice, they do have the opportunity to design and implement a plan that ensures good practices continue, poor practices improve, and are non-existent. Still, required practices are identified, designed, implemented, and managed. Just a normal day, right?
Business as Usual
In the days and weeks after the deal is closed, more than anything else, Business as Usual is the priority. It is more important than ever that products and services your clients rely on continue uninterrupted. Customers of the merging companies may be skeptical due to the uncertainty brought about by the change. Any slips in delivery will provide an opening for your competitors. Your clients are likely always open to considering more advantageous alternatives, and your competitors will be all too happy to take advantage of the window of uncertainty a merger provides. Ensure your merger integration plan is well designed and tested at every step of the way.
The businesses must continue to:
- Deliver products and services to your clients
Measure, monitor, and report
- Business functions
- IT systems performance
- Indicators of unauthorized activity
- Regulatory compliance factors
- Invoice Clients
- Collect payments from Clients
Control Access to
- Physical assets and facilities
- Digital assets, infrastructure, and data
- Market and sell
These key business processes are developed, documented, refined, and strengthened over time to make each company as effective as possible in identifying, acquiring, and servicing clients and satisfying the demands of your stakeholders and regulators.
Good Governance Never Goes out of Style
Rushing to combine two or more companies would be a recipe for disaster, so expect them to operate as before for at least some interim period. A comprehensive review of existing governance practices, starting with response plans, will inform near-term risk management as well as longer-term integration planning. Every business experiences friction at some point. Interruptions and uncertainty can be brought on by mergers just as they can by supply chain interruptions, global pandemics, natural disasters, power outages, and cyber security incidents. Well governed companies evaluate and quantify the potential impact of these and other risks and implement policies and procedures that reduce the potential impact of these risks. They also build plans for responding to the risks that cannot be predicted or prevented.
Before or Immediately Following the Announcement
If you have the luxury of advance notice or cyber security and compliance is included in the pre-deal evaluation, or you learn of the merger the same time it goes public. Still, there is a reasonable amount of time before the merge, review of the following elements will provide a view of their security and compliance maturity and will inform the integration plan:
Policies and Procedures
- Do they exist?
- Are they comprehensive?
- Are they observed?
Security and Privacy Self Assessments, Client Assessments and/or Audits
- Are they conducted?
- Are they documented?
- What are the findings?
- Have the findings been remediated?
Is their cyber insurance policy “Claims Made” or “Occurrence”
- A “Claims Made” policy only allows for claims reported during the policy term or a tail period if purchased.
- An “Occurrence” policy covers claims reported for a lifetime for incidents during the policy term.
- Are there any previous security breaches?
- Are there any international facilities, teams, or partners?
- Are there any country or state unique security or compliance requirements?
- Are there any outsourced security services?
- What is the security organization and security reporting structure?
If the merger is thrust upon you the day the merger is effective, then make the best use of your time and focus on the below critical priorities first. As above, I am not looking to debate whether InfoSec should be involved in planning. If you find yourself in this position, you have limited time for such academic discussions. Learn the business you are now responsible for integrating with your own and develop a firm understanding of the assets, architecture, and existing access controls ASAP to maintain the security of the separate and combined company information assets and systems.
Learn the new Business
- What is the nature of the business?
- What is the security and compliance culture?
- Incident Response Plan
- Business Continuity Plan
- Disaster Recovery Plan
Create or Review Inventories
- Determine what physical and logical access controls are in place
- Do they practice the least privilege?
Evaluate Technical Infrastructure
- Data flow
- System protection with up-to-date patching, endpoint protection, and firewalls
- Controls for internet-connected networks
- Adequate firewall rules
- Systems allowed to communicate to and from the Internet
In any event, once the companies are merged into one, review and adjust your governance as needed and establish the new combined security and compliance baseline. This baseline forms the jumping-off point for your new roadmap, designed to regain your desired maturity level and continuously improve your security and compliance program.
Review and adjust governance
Review and adjust the Merge Information Security Policies as appropriate
- Incorporate any new regulatory requirements
- Adjust to inherited technology stacks
- Recognize cultural differences
- Plan for policy and procedure available for the now larger organization
- Train employees, so they know, understand, and follow policies
Merged and Uniform Security Operations
- Establish the new security baseline
- Reorganize the security team and reporting structure as needed
- Prepare to maintain governance and operations as effectiveness is assessed
Along with the promise of expanded markets, enhanced and integrated products, and the other benefits of a merger come many challenges and risks, of course. The transitions will be stressful and disruptive to employees and the company but ideally, not so for clients. Along with the friction and the stresses, there is also opportunity. The opportunity to rebaseline, reorganize and modernize the Cyber Security program and culture. Recognize and capitalize on this opportunity. Through careful planning and application of current best practices, you can enable a merged enterprise that is more mature and more secure than either of the predecessor organizations. Don’t let that opportunity slip away.