FOUR ESSENTIAL STEPS FOR ASSURING INFORMATION SECURITY IN MERGERS AND ACQUISITIONS

By Stephen Gailey, Head of Solutions Architecture at Exabeam

 

With Brexit uncertainty mostly behind us, research indicates that many companies will be rethinking their mergers and acquisitions (M&A) strategy, with 42% of M&A and Capital Market professionals anticipating volume growth in 2020.  While information security is top of mind for many enterprises, there is one aspect of corporate activity where it can often get neglected at the very point when the organisation is potentially at its most vulnerable – during M&A.

Any business that has experienced a merger or acquisition, either as an acquirer or the acquired, will be familiar with the dangers.  One false step will have a significant impact on share price and may generate long-term reputational damage.  But that’s not the only risk.

Competitors may also be poised to take advantage of the fact that, with the board distracted by M&A activities, this is the ideal time to conduct industrial espionage.  Alongside targeting research and development (R&D) intelligence, they may also be looking to poach talent at a point when personnel will be insecure about their future job tenure.

Increased security vigilance during M&A activity will be critical for avoiding potentially costly liabilities and losses, and there are four top areas that must be addressed.

 


1. Undertake rigorous due diligence

Early in the due diligence process, take a deep look under the hood to evaluate the information and cyber security organisation of the target entity.  Acquiring a company with poor security processes will have significant repercussions that will prove both pricey and time-consuming to address.

It’s a lesson that Marriott has learned to its cost.  When Marriott acquired Starwood in 2016, it failed to undertake sufficient due diligence on the cyber security and data protection systems that were in place.  Marriott’s subsequent 2018 discovery that guest records had been hacked resulted in a £99.2 million fine in the UK alone for the violation of GDPR privacy regulations.  But it didn’t end there.

Despite having invested significant out-of-budget spend to shore up identified security flaws, in March 2020 Marriott announced yet another data breach.  While the 5.2 million guests compromised this time round represented a significant drop on the 500 million impacted by the first attack, the security posture of the hotel group was once again in the spotlight.

As Marriott awaits a punishing round of fines resulting from this latest incident, the long-term cost of the reputational impact to the brand remains to be seen.

 

2. Execute a unifying information security strategy

With two teams in two organisations potentially taking very divergent approaches to information security, the CISO will need to conduct a detailed evaluation of infrastructure security prior to acquisition.

Following an assessment of all software, systems and architectures to identify high points of vulnerability, establishing a detailed and integrated security and governance strategy that incorporates clear security roles and responsibilities should be the next priority.  This means the board will need to ensure the incorporation of both organisations’ security teams is high on the list of ‘to do’ tasks.

As part of this unification process, the CISO’s team will need to quickly identify any poorly documented tools or processes to eliminate issues arising as a result of losing key personnel during the integration phase.  For example, expiring certificates will quickly call a halt to web-based businesses or prevent vital remote access.

 

3. Address insider threats – fast

Once M&A talks become public, staff working in the entity to be acquired may become nervous or disgruntled and, as a result, more disposed to sabotaging assets.  In a previous life, I led the integration of Lehman Brothers into several Barclays business units.  I had to explain to the board at Barclays that while I couldn’t stop ex-Lehman employees from stealing or deleting data on the Lehman network, I could prevent them from accessing Barclays settlement systems and data.

Within a week, we’d isolated users into three groups: those who had accepted an offer, those who had yet to accept an offer, and those who would not be receiving an offer.  As a result, we were quickly able to get Lehman’s trading again, using Barclays systems.

While winning hearts and minds and executing a successful integration at speed is important, always assess any potential insider threats early on and take appropriate steps to mitigate the malicious or accidental loss of customer or other data.

 

4. Identify cost saving opportunities

Huge efficiency savings can be achieved through the careful alignment of security strategies and approaches across the two organisations.  Identifying break clauses in licensing contracts that will open the door to vendor negotiations could pave the way to bigger and more cost-effective deals for the newly merged security organisation.  Rather than rushing into these discussions, however, take the opportunity to explore other potential provider alternatives in parallel.

Finally, while managed services may represent an attractive ‘quick fix’ for driving M&A security cost savings, only a well-run organisation can be outsourced successfully.  In reality, it may take time for the newly merged security organisation to become efficient and effective.

 

Closing thoughts – prioritise cybersecurity from the outset

M&A is a difficult balancing act with many moving parts.  However, taking on another company means taking on its digital operations – and this can pose potentially deal-altering cybersecurity risks.

Managing information security and cyber issues begins with executing detailed due diligence from the get-go to ensure that inherent and potentially costly risks aren’t overlooked.  A strong CISO with a clear plan can add real value to the entire M&A and subsequent integration process, unlocking unexpected potential and performance along the way.
