
Financial industry “fire sale” economy: Protecting data during M&A

Today's financial climate is fueling a wave of mergers and acquisitions, particularly among financial institutions. With an infusion of fresh cash from the federal government, we are likely to see an increase in weaker banks being acquired by larger institutions. This “fire sale” economy, with purchases on the cheap, leaves little time for due diligence and makes it difficult for the acquiring company to control and inventory physical assets, as well as to understand and protect the sensitive data on multiple systems.

Financial organizations use and retain a massive amount of regulated and sensitive data that can sit on a file server, a laptop or other device. To secure their investment, purchasing organizations must quickly take inventory of the acquired company's information assets, gain visibility into where these assets are stored and who has access to them, and make sure they are secure.

There are several steps financial institutions can take to protect their newly acquired data:

  • Monitor business communications for sensitive data – This should be a first step following an acquisition. In an M&A situation, a lot of confidential data is exchanged between law firms, auditors and human resources. Furthermore, fear and uncertainty can lead to good employees making bad decisions. From the outset, organizations need to monitor the communication channels to see what data is being sent, where it's going and who is sending it.
  • Discover information assets – Data discovery provides an inventory of the data stored and can alert managers to data that is “at risk” of being lost. When data is discovered, you gain visibility into the organization's assets (M&A documents, source code and patent information) and the ability to classify them.
  • Implement policy controls to secure sensitive data – Setting policy controls around data, employees and communication channels allows organizations to send data wherever it needs to go, safely, while enabling business. For example, in a legal situation, policies could be set to automatically encrypt emails between each organization's lawyers. These controls can manage who can send what data, where they can send it and how.

David Meizlik is a senior manager for data security solutions at Websense, a security software company. Find out more on his data protection blog.
