Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

Are There Security Risks in Mergers and Acquisitions?

Home
Industry Insights
Are There Security Risks in Mergers and Acquisitions?

Blog Article Published: 07/31/2023

Originally published by Schellman.

When making a business acquisition, the potential of a security risk derailing a deal during an acquisition is quite low. Of course, when firms look to expand the number and types of services they deliver, the first consideration doesn’t usually regard security—instead, you must decide whether to build it or whether to buy it.

This first, pivotal decision requires the consideration of several variables including, but not limited to the price or valuation, how long the capabilities would take to build internally, what synergies could be present, and how your two cultures will assimilate.

And then, of course, you must also take into account the time and cost to integrate, but those are rarely a factor in anyone’s decision to move forward. And while the potential of a security risk holding up an acquisition is similarly quite low, it remains important to acknowledge the possibility of such and follow through with due diligence.

In this article, we’ll provide several reasons explaining why you should still prioritize security during a merger, as well as other related factors to consider if your company is looking to acquire or be acquired.


How Much Does Security Risk Cost?

When targeting an acquisition, the anticipated purchase price is usually based on a multiple of revenue, earnings, and/or other objective criteria (e.g., 4x Revenue, 20x EBITDA, etc.).

And while the insurance industry may adjust premiums on a cybersecurity policy based on demonstrating sound practices, investment decisions related to mergers and acquisitions (M&A) do not undergo the same analysis (at least not yet)—calculating a kind of premium for one’s strong information security program or a discount for having potentially weak controls doesn’t occur.

That’s not because private equity, venture capital, and internal M&A teams don’t want such information—the unfortunate reality is the risk is difficult to quantify and such activities take time, which is not an unlimited resource during a transaction. As the saying goes, “Time kills all deals.”


Security Assessments as Part of Your Acquisition Due Diligence

That being said, an analysis of the state of controls does not need to be completely quantifiable to be valuable and the analysis may be performed in different ways.


If You’re Being Acquired

One way to demonstrate that you maintain adequate controls is with a track record of successful security and compliance attestations and certifications.

If, as a target organization, you’re looking for potential investors—be they public or private—a strong track record of adhering to independent compliance and regulatory assessments can quickly demonstrate a commitment to information security and may alleviate the need to complete questionnaires from an acquiring institution.


If You’re Acquiring

And if you’re the one seeking to invest, compliance assessments are a sound request to make of your potential targets, though you do have other options:

Possible Option:

Details

Formal Compliance Assessment

A full evaluation of your acquisition’s controls based on a framework like NIST SP 800-53 would provide gain a deeper understanding of your target's security regarding:

  • Individuals;
  • Procedures; and
  • Technology.

However, we understand some acquisition targets may not have many employees or much of a technology footprint, or the risks posed may not exist in a future state to prove this route justifiably beneficial, especially as this process would add time and costs.

Security Questionnaire

A standard vendor security questionnaire may be more prudent—any analysis is better than none, and these can still provide some good insight.

Questionnaires can vary in length and depth, but asking a few high-level questions can help establish your target’s security mindset. For example:

  1. Does the target have and maintain an information security policy and when was it last updated?
  2. Does the target have vulnerability scanning and penetration testing performed?
  3. Has the target ever had a security breach?


Post-Transaction Security Considerations

These evaluations should of course happen ahead of any signing on the dotted line, but it’s upon completion of the transaction that the real endeavor starts.

It’s then when your newly established or merged firm must confront several challenges in fulfilling the transaction's goals—and security-wise, it’s during this time that you may be more susceptible to security risks.

Below are five potential security issues to consider and stay ahead of particularly in the early days after closing a transaction:

Security Consideration

Why Stay You Should Stay Vigilant
1. Phishing

Most large initiatives are accompanied by a press release touting the benefits of the transaction to investors, clients, and others, but unfortunately, every bit of public information also becomes potentially useful for a phishing campaign.

Employees of both firms are often targeted by phishing attacks during periods of transition as people are more susceptible due to changes in baseline activity.

2. Network Security

Mergers are rarely, if ever, a merger of equals—two organizations may agree to combine forces to:

  • Better serve clients
  • Enhance product selection
  • Reduce inefficiencies

However, this doesn’t necessarily always also mean an integration strategy has been fully thought out before the pieces begin to move—to avoid accidental security gaps, take care to plot out what the new organizational structure will be and how controls should be implemented and maintained.
3. Personnel

In most acquisitions there’s some redundancy—some team members may be let go, and determining which ones to retain and in what capacity may require some time.

Furthermore, trust is developed gradually over a period—don’t assume your two organizations’ IT and security teams will trust each other on Day 1 (or Day 100), and do what you can to ease their mutual incorporation.
4. Application Security

Decisions on a future core technology stack may be made before closing, but the need to support multiple platforms and versions may still stretch development and operations teams, so make sure to consider allocating resources to alleviate that as much as possible.

5. Third-Parties

A company being acquired not only brings over its assets, experience, and people, but it may also absorb relationships with the acquiree, such as SaaS vendors and software providers.

As such, the supply chain will get more complex in the short term, even if the acquirer and target use the same vendor, so plan accordingly.


Next Steps with Your Latest M&A

Even though history suggests that potential security risks likely won’t fully spoil any pending acquisition or merger you begin to vet, that doesn’t mean that there aren’t related important considerations you should make both during that vetting process and after closing.

Formal compliance assessments and security questionnaires can provide helpful insight that can give you a leg up on either separating yourself as an attractive target to investors or mitigating potential problems with your acquisition, but your security concerns should continue even after the transaction closes.

Now that you understand all that, you may also be interested in shoring up various aspects of your cybersecurity practices in anticipation of any deal. With that, our other content can help, so be sure to check it out:

C-LevelComplianceRisk Management

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
This Year’s Zero Trust Opportunity for Security Professionals
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
How DSPM Can Help Solve Healthcare Cybersecurity Attacks

Published: 04/30/2024

Considerations When Including AI Implementations in Penetration Testing

Published: 04/30/2024

Your Ultimate Guide to Security Frameworks

Published: 04/29/2024

Five Reasons Why Ransomware Still Reigns

Published: 04/29/2024