The number of mergers and acquisitions (M&As) has been trending upward since the Great Recession, and research by the Institute for Mergers, Acquisitions, and Alliances (IMAA) shows it was at its peak in the last few years. That means thousands of firms are consolidating critical business and client data, a colossal task that requires the utmost preparation and care. As you can imagine, there are several ways this can go wrong. To avoid any unfavorable outcomes, firms undertaking or preparing for an M&A should understand (and act to mitigate) the cybersecurity risks involved.
To set the scene, let’s start by examining the digital landscape. The number of data breaches has been on the rise, and cybersecurity professionals are in short supply. This makes it a challenge for firms to develop sound security practices, M&A or not. The financial, legal, and reputational implications of absorbing another firm’s cybersecurity failures can result in unforeseen, devastating, and — many times — unintentional consequences. For firms dealing with an M&A, experts recommend hiring a third party to assess the compatibility of the acquiring firm’s framework and the acquired firm’s market. It’s also paramount to utilize project managers who focus specifically on security and “code red” plans. The sophistication of a firm’s cybersecurity practices can make or break a deal.
When a merger or an acquisition takes place, the parent company deploys resources to assess the current IT and security practices of the firm it’s acquiring. In recent years, cybersecurity has become one of the most important aspects of due diligence because criminals commonly pounce on M&As. (After all, M&As make firms and their data vulnerable.) According to cybersecurity company Agari, there’s an uptick of “spear phishing and email spoof attacks during the … process.” Hackers take advantage of the transition and find all sorts of ways to access internal systems. An unfortunately all-too-common scenario occurs when scammers take on the identities of key employees and dupe staff members into revealing sensitive information. Here are other cybersecurity risks associated with M&As:
- Physical security: This relates to keeping the physical components (monitors, phones, etc.) in a locked location.
- Digital security measures: Your IT department should check for the following: how data is stored, how often it’s backed up, and how it’s recovered if systems go down.
- Application security: This refers to application penetration testing and mobile application security when companies integrate internal tools and more.
- Network security: Make sure you patch security vulnerabilities as they relate to network devices, web servers, and remote connectivity requirements.
- Architectural risk analysis: It’s important to look at infrastructure components and ensure their designs integrate without any flaws.
- Internal policies: The buyer should roll out company standards to new employees and update the whole company on any changes brought on by the M&A.
- External regulatory standards: As always, complying with legal requirements should be a top priority.
When it comes to an M&A, there’s no doubt the secure exchange of firm data is crucial to the deal’s success. It’s in the best interest of both parties to ensure they handle it properly before, during, and after the merger. The financial, legal, and reputational consequences of a data breach are too perilous not to take seriously.