Are There Security Risks in Mergers and Acquisitions?
Published 07/31/2023
Originally published by Schellman.
When making a business acquisition, the potential of a security risk derailing a deal during an acquisition is quite low. Of course, when firms look to expand the number and types of services they deliver, the first consideration doesn’t usually regard security—instead, you must decide whether to build it or whether to buy it.
This first, pivotal decision requires the consideration of several variables including, but not limited to the price or valuation, how long the capabilities would take to build internally, what synergies could be present, and how your two cultures will assimilate.
And then, of course, you must also take into account the time and cost to integrate, but those are rarely a factor in anyone’s decision to move forward. And while the potential of a security risk holding up an acquisition is similarly quite low, it remains important to acknowledge that possibility and follow through with due diligence.
In this article, we’ll provide several reasons explaining why you should still prioritize security during a merger, as well as other related factors to consider if your company is looking to acquire or be acquired.
How Much Does Security Risk Cost?
When targeting an acquisition, the anticipated purchase price is usually based on a multiple of revenue, earnings, and/or other objective criteria (e.g., 4x Revenue, 20x EBITDA, etc.).
And while the insurance industry may adjust premiums on a cybersecurity policy based on demonstrating sound practices, investment decisions related to mergers and acquisitions (M&A) do not undergo the same analysis (at least not yet)—calculating a kind of premium for one’s strong information security program or a discount for having potentially weak controls doesn’t occur.
That’s not because private equity, venture capital, and internal M&A teams don’t want such information—the unfortunate reality is the risk is difficult to quantify and such activities take time, which is not an unlimited resource during a transaction. As the saying goes, “Time kills all deals.”
Security Assessments as Part of Your Acquisition Due Diligence
That being said, an analysis of the state of controls does not need to be completely quantifiable to be valuable, and the analysis may be performed in different ways.
If You’re Being Acquired
One way to demonstrate that you maintain adequate controls is with a track record of successful security and compliance attestations and certifications.
If, as a target organization, you’re looking for potential investors—be they public or private—a strong track record of adhering to independent compliance and regulatory assessments can quickly demonstrate a commitment to information security and may alleviate the need to complete questionnaires from an acquiring institution.
If You’re Acquiring
And if you’re the one seeking to invest, compliance assessments are a sound request to make of your potential targets, though you do have other options:
| Possible Option | Details |
| --- | --- |
| Formal Compliance Assessment | A full evaluation of your acquisition’s controls based on a framework like NIST SP 800-53 would provide a deeper understanding of your target's security regarding: However, we understand some acquisition targets may not have many employees or much of a technology footprint, or the risks posed may not exist in a future state, so this route may not prove justifiably beneficial, especially as this process would add time and costs. |
| Security Questionnaire | A standard vendor security questionnaire may be more prudent—any analysis is better than none, and these can still provide some good insight. Questionnaires can vary in length and depth, but asking a few high-level questions can help establish your target’s security mindset. For example: |
Post-Transaction Security Considerations
These evaluations should of course happen ahead of any signing on the dotted line, but it’s upon completion of the transaction that the real endeavor starts.
It’s then when your newly established or merged firm must confront several challenges in fulfilling the transaction's goals—and security-wise, it’s during this time that you may be more susceptible to security risks.
Below are five potential security issues to consider and stay ahead of, particularly in the early days after closing a transaction:
| Security Consideration | Why You Should Stay Vigilant |
| --- | --- |
| 1. Phishing | Most large initiatives are accompanied by a press release touting the benefits of the transaction to investors, clients, and others, but unfortunately, every bit of public information also becomes potentially useful for a phishing campaign. Employees of both firms are often targeted by phishing attacks during periods of transition, as people are more susceptible due to changes in baseline activity. |
| 2. Network Security | Mergers are rarely, if ever, a merger of equals—two organizations may agree to combine forces to: However, this doesn’t necessarily mean an integration strategy has been fully thought out before the pieces begin to move—to avoid accidental security gaps, take care to plot out what the new organizational structure will be and how controls should be implemented and maintained. |
| 3. Personnel | In most acquisitions there’s some redundancy—some team members may be let go, and determining which ones to retain and in what capacity may require some time. Furthermore, trust is developed gradually over a period—don’t assume your two organizations’ IT and security teams will trust each other on Day 1 (or Day 100), and do what you can to ease their mutual incorporation. |
| 4. Application Security | Decisions on a future core technology stack may be made before closing, but the need to support multiple platforms and versions may still stretch development and operations teams, so make sure to consider allocating resources to alleviate that as much as possible. |
| 5. Third Parties | A company being acquired not only brings over its assets, experience, and people; the acquirer may also absorb the acquiree’s relationships with third parties, such as SaaS vendors and software providers. As such, the supply chain will get more complex in the short term, even if the acquirer and target use the same vendor, so plan accordingly. |
Next Steps with Your Latest M&A
Even though history suggests that potential security risks likely won’t fully spoil any pending acquisition or merger you begin to vet, that doesn’t mean that there aren’t related important considerations you should make both during that vetting process and after closing.
Formal compliance assessments and security questionnaires can provide helpful insight that can give you a leg up on either separating yourself as an attractive target to investors or mitigating potential problems with your acquisition, but your security concerns should continue even after the transaction closes.
Now that you understand all that, you may also be interested in shoring up various aspects of your cybersecurity practices in anticipation of any deal.