Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

Are There Security Risks in Mergers and Acquisitions?

Published 07/31/2023

Are There Security Risks in Mergers and Acquisitions?

Originally published by Schellman.

When making a business acquisition, the potential of a security risk derailing a deal during an acquisition is quite low. Of course, when firms look to expand the number and types of services they deliver, the first consideration doesn’t usually regard security—instead, you must decide whether to build it or whether to buy it.

This first, pivotal decision requires the consideration of several variables including, but not limited to the price or valuation, how long the capabilities would take to build internally, what synergies could be present, and how your two cultures will assimilate.

And then, of course, you must also take into account the time and cost to integrate, but those are rarely a factor in anyone’s decision to move forward. And while the potential of a security risk holding up an acquisition is similarly quite low, it remains important to acknowledge the possibility of such and follow through with due diligence.

In this article, we’ll provide several reasons explaining why you should still prioritize security during a merger, as well as other related factors to consider if your company is looking to acquire or be acquired.


How Much Does Security Risk Cost?

When targeting an acquisition, the anticipated purchase price is usually based on a multiple of revenue, earnings, and/or other objective criteria (e.g., 4x Revenue, 20x EBITDA, etc.).

And while the insurance industry may adjust premiums on a cybersecurity policy based on demonstrating sound practices, investment decisions related to mergers and acquisitions (M&A) do not undergo the same analysis (at least not yet)—calculating a kind of premium for one’s strong information security program or a discount for having potentially weak controls doesn’t occur.

That’s not because private equity, venture capital, and internal M&A teams don’t want such information—the unfortunate reality is the risk is difficult to quantify and such activities take time, which is not an unlimited resource during a transaction. As the saying goes, “Time kills all deals.”


Security Assessments as Part of Your Acquisition Due Diligence

That being said, an analysis of the state of controls does not need to be completely quantifiable to be valuable and the analysis may be performed in different ways.


If You’re Being Acquired

One way to demonstrate that you maintain adequate controls is with a track record of successful security and compliance attestations and certifications.

If, as a target organization, you’re looking for potential investors—be they public or private—a strong track record of adhering to independent compliance and regulatory assessments can quickly demonstrate a commitment to information security and may alleviate the need to complete questionnaires from an acquiring institution.


If You’re Acquiring

And if you’re the one seeking to invest, compliance assessments are a sound request to make of your potential targets, though you do have other options:

Possible Option:

Details

Formal Compliance Assessment

A full evaluation of your acquisition’s controls based on a framework like NIST SP 800-53 would provide gain a deeper understanding of your target's security regarding:

  • Individuals;
  • Procedures; and
  • Technology.

However, we understand some acquisition targets may not have many employees or much of a technology footprint, or the risks posed may not exist in a future state to prove this route justifiably beneficial, especially as this process would add time and costs.

Security Questionnaire

A standard vendor security questionnaire may be more prudent—any analysis is better than none, and these can still provide some good insight.

Questionnaires can vary in length and depth, but asking a few high-level questions can help establish your target’s security mindset. For example:

  1. Does the target have and maintain an information security policy and when was it last updated?
  2. Does the target have vulnerability scanning and penetration testing performed?
  3. Has the target ever had a security breach?


Post-Transaction Security Considerations

These evaluations should of course happen ahead of any signing on the dotted line, but it’s upon completion of the transaction that the real endeavor starts.

It’s then when your newly established or merged firm must confront several challenges in fulfilling the transaction's goals—and security-wise, it’s during this time that you may be more susceptible to security risks.

Below are five potential security issues to consider and stay ahead of particularly in the early days after closing a transaction:

Security Consideration

Why Stay You Should Stay Vigilant

1. Phishing

Most large initiatives are accompanied by a press release touting the benefits of the transaction to investors, clients, and others, but unfortunately, every bit of public information also becomes potentially useful for a phishing campaign.

Employees of both firms are often targeted by phishing attacks during periods of transition as people are more susceptible due to changes in baseline activity.

2. Network Security

Mergers are rarely, if ever, a merger of equals—two organizations may agree to combine forces to:

  • Better serve clients
  • Enhance product selection
  • Reduce inefficiencies

However, this doesn’t necessarily always also mean an integration strategy has been fully thought out before the pieces begin to move—to avoid accidental security gaps, take care to plot out what the new organizational structure will be and how controls should be implemented and maintained.

3. Personnel

In most acquisitions there’s some redundancy—some team members may be let go, and determining which ones to retain and in what capacity may require some time.

Furthermore, trust is developed gradually over a period—don’t assume your two organizations’ IT and security teams will trust each other on Day 1 (or Day 100), and do what you can to ease their mutual incorporation.

4. Application Security

Decisions on a future core technology stack may be made before closing, but the need to support multiple platforms and versions may still stretch development and operations teams, so make sure to consider allocating resources to alleviate that as much as possible.

5. Third-Parties

A company being acquired not only brings over its assets, experience, and people, but it may also absorb relationships with the acquiree, such as SaaS vendors and software providers.

As such, the supply chain will get more complex in the short term, even if the acquirer and target use the same vendor, so plan accordingly.


Next Steps with Your Latest M&A

Even though history suggests that potential security risks likely won’t fully spoil any pending acquisition or merger you begin to vet, that doesn’t mean that there aren’t related important considerations you should make both during that vetting process and after closing.

Formal compliance assessments and security questionnaires can provide helpful insight that can give you a leg up on either separating yourself as an attractive target to investors or mitigating potential problems with your acquisition, but your security concerns should continue even after the transaction closes.

Now that you understand all that, you may also be interested in shoring up various aspects of your cybersecurity practices in anticipation of any deal. With that, our other content can help, so be sure to check it out:

Share this content on your favorite social network today!