Mergers & Acquisitions - 6 Cyber Security Issues You Must Consider
Mergers and acquisitions (M&A) are a way of life for many organisations. More than 40% of acquiring companies engaged in a merger and acquisition transaction said they discovered a cyber security problem during the post-acquisition integration.
The Marriott brand took a massive hit post-acquisition with a breach that impacted 300 million guests. Hackers went after the Starwood reservation system and accessed guest data. Marriott had acquired Starwood one year earlier.
Here are 6 cyber security issues you must consider when undertaking an M&A:
Threat Profile – In any M&A the threat profile of the organisation will change. The scope of your core services may expand in terms of client base or geography, making you a bigger target for attackers. The sensitivity of the data you are processing may also change: will your brand now be processing credit card information? If so, you become a more lucrative target for attackers.
Is the target processing different sensitive personal data? What’s the value of this data to attackers? Who would want to gain access to this new data? Where is the data?
Legal Profile – Your legal profile will change. If you are providing new services in new jurisdictions and processing different information, the legislation, regulation and client expectations will be different. Are you now providing financial services in Luxembourg and subject to CSSF cloud security regulations? Do you now have staff in Amsterdam whose Works Council would need to be involved in any policy changes?
What additional data protection and privacy legislation is the target M&A subject to? How compliant is the target M&A?
Due Diligence – You need to undertake due diligence on the potential target. Asking some basic questions up front will help you understand what you are taking on and will determine your level of involvement in the M&A going forward. Once the M&A conversation progresses and the time is right, a full information security due diligence needs to be undertaken. If you treat the potential M&A in the same way as a critical supplier, you won’t go far wrong.
What information security governance is in place? What technical security measures are in place? Are they adequate and effective? Has the target been impacted by any significant security breaches?
Post contract signing you would need to support the following key activities:
Policy Alignment – Benchmarking which organisation has the most adequate and effective policy and standards. Supporting any business unit in aligning to the agreed policy and standards.
Technology Alignment – Benchmarking which organisation has the most adequate and effective security technology. Supporting any business unit in aligning to the agreed enterprise security architecture.
People Alignment – Reviewing information security team structure, function and reporting lines, all while ensuring you get maximum value from your new acquisition and that any changes land in a positive way.
Questions your C-Suite should ask your CISO – How are you supporting our M&A activities? Do you feel you are appropriately involved at the right times?