When two organizations join forces in a merger or acquisition, the acquiring organization inherits countless cybersecurity risks. Transferring and consolidating systems, tools, and technology, and completing a full integration of people and processes, takes time, and throughout this transition phase the combined organization carries a great deal of exposure.
On the business side, the company needs to focus on completing the integration as quickly and seamlessly as possible to ensure business continuity as the newly combined organization starts moving forward. But from a cybersecurity perspective, it’s easy to overlook or neglect important areas. One gateway becomes two. Access points multiply. When the doors are open, who else can sneak inside during this highly vulnerable transition period?
There have also been countless examples of public breaches where an acquired organization was already compromised – and the acquiring company did not discover the intruders in the early implementation stages, opening their broader organization up to the same risk exposure. Research shows 40 percent of acquiring companies have discovered a cybersecurity issue when integrating the acquired organization. It’s paramount for companies involved in M&A to ensure hackers haven’t already infiltrated either organization’s networks, applications, or supply chains to prevent a disastrous, widespread attack on the newly formed business.
For companies acquiring or merging with another organization, it’s crucial to conduct due diligence from a cyber risk perspective. Here are four steps every security team should have on its M&A cyber risk checklist:
- Gain a full understanding of both businesses.
Every company can play a role in reducing (or increasing) cybersecurity risk during a merger or acquisition. The first step on the checklist: Security teams need to gain a deep understanding of both businesses. What’s the scope of each technology environment – from data storage and cloud providers to applications and investments in AI or ML capabilities? What about physical locations of the technology and IT infrastructure? How many employees work for the company, and where are they based (and how many are currently remote)? The foundational knowledge gained in this initial step lets security teams make informed, accurate decisions when preparing for the integration.
- Identify and prioritize the risks.
Once the acquiring company understands both businesses, identify the risks. How well can each organization withstand and identify an insider threat? Is there a plan in place for disaster recovery? Are there any physical security concerns that could create cyber vulnerabilities? It’s also important to analyze how each company interacts and connects with its suppliers. How do the companies manage access, and who from inside (and outside) the organization has access to valuable data and information? Laying out all the risks and scenarios ahead of time creates an opportunity to resolve issues and plan for every possible occurrence. It’s also critical to rank these risks by severity and potential loss to the business. That way there are no surprises, and the security team can minimize any damage.
- Create a roadmap to remediate risk and close the security gaps.
Once risks have been identified, it’s time to figure out how to reduce them. If the supply chain or partners are a risk, what can the security team do to ensure data traveling back and forth between these third parties stays secure? If too many employees have access to sensitive information, what can the team do to re-evaluate that list and update privileges? Is there a way to set up network segmentation during the M&A transition period to ensure any “openings” are limited and prevent hackers from navigating across the network? By outlining a clear roadmap to close each security gap, companies can confirm that hackers aren’t already lurking and keep any others from finding their way in.
- Execute the mergers and acquisitions plan.
Activate the M&A transition. Integrating both organizations’ employees, their services, and existing technology investments takes time, but in this instance, doing it properly and with minimal risk will benefit the company long-term. It’s important in this stage to communicate cyber awareness to executives. While they might want to push forward with the newly formed business, the negative consequences of a breach aren’t worth it.
Cybersecurity plays a pivotal role in enterprise risk management. As two organizations become one, there are many factors that can create opportunities for cyberattacks. By reducing the risk from this digital transition, and vetting each business to ensure there aren’t any threats already inside the walls, cybersecurity teams can help their organizations ensure a smooth M&A integration. With the upfront work done correctly and the door to cyber risk slammed shut, the new company will put itself in a strong position to meet its business goals.
Dave Cronin, vice president of cybersecurity services, Capgemini North America