Mergers & Acquisitions: Keeping Security In Sight
Studies indicate that mergers fail more often than marriages. Divorce rates in North America hover between 40 percent and 50 percent, and the figure for unsuccessful mergers is between an alarming 70 percent and 90 percent.
The itch to compare mergers with marriages is undeniable, because all too often the similarities are too many to ignore. Two independent entities integrating in a, possibly, win-win arrangement to, hopefully, spend the rest of their lives together. The resemblance is very strong if one were to analyze key aspects like the effort, emotion, pain, and, at times, joy. A glaring similarity, though, between mergers and marriages is the fact that they don’t always lead to a happy ending.
Companies involved in a merger hope for a smooth transaction. The buyer wants to be certain of what is being bought to avoid a costly mistake. The seller wants to have a graceful close to transactions and establish a good rapport with the buyer. To ensure this, a number of due diligence and groundwork efforts are employed prior to the completion of the merger.
Despite the amount of time, money, and effort that goes behind this pre-merger groundwork, however unanticipated problems often still emerge. As an example, when the LexisNexis Group decided to acquire Seisint, Inc.2, one would have expected that a transaction involving $775 million in cash would be money spent wisely. However, what ensued was the theft of personal records of more than 310,000 individuals3.
Time and again, merged entities have found themselves at the receiving end of wrath from the information security gods. When that dust settles down, the regulators come knocking.
If you were to consider the nature of mergers and acquisitions, the strongest explanation for the rampant failure rate lies in the too-often poor quality of the pre-merger groundwork.
The fact is that a merger or an acquisition ultimately leads to two entities combining into one. One really can’t recollect an instance where such an occurrence happens without any hindrance. Even countries that merged to form one, as in the cases of Germany or Tanzania, did not do so without their fair share of problems.
Given the critical and sensitive matters involved in merging entities, pre-merger groundwork should be all-inclusive and consider every single aspect of the merger that could possibly impact the operations of the merged entity. Quite understandably, the financials surrounding the deal are exceedingly important. Among the other aspects, information security often takes a backseat, especially when the stakes are high and negotiations are in full flow. However, when information security is ignored, the result can be potentially fatal consequences for the futures of both entities involved.
Information Security: Not An On-Off Switch
Information security does not happen by default, especially when two different companies with their own technical and organizational infrastructures plan to merge into one. It is, in fact, a formidable challenge that must be addressed . If information security is not handled well, the risk exposure of the merged entity increases and leaves the new entity vulnerable like a ticking time bomb, waiting to explode.
Contrary to what top-tier management sometimes believes, information security does not “fall into place” when a merger is completed. Ignoring information security at the onset of a possible merger or acquisition is like ignoring the fact that your future spouse cannot stand the sight of meat while you think that omelets are actually vegetarian.
Hackers On The Prowl
When news of a merger or an acquisition is circulating, hackers pay attention. As a result, companies often experience increased vulnerability scans and probes at such times. Social engineering attacks and scams, including phishing and vishing, gain momentum. Heightened tension and fear amidst employees regarding their future sometimes leads to disgruntlement and an increased risk of the insider threat. An integration of two or more companies into one is an information security managers’ worst nightmare and a hackers’ dream come true.
At such times, information security managers are often left with little understanding from management, along with restrained budgets, serious integration challenges, and a dwindling faith in the light at the end of the tunnel.
The Merger Handbook
Information security should be high up on the priority list right from the planning stages of an impending merger or acquisition. If attention is paid early early, protection efforts can be ramped up to ensure that no security incidents are encountered in the build-up to a possible merger or acquisition. Information security should continue to be a key part of pre-merger groundwork as well as post-merger efforts. If information security is a part of the merger life cycle as a whole, the risk of exposure is greatly reduced.
The life cycle followed by a merger is highly complex. When considering information security, it is critical to consider all possible aspects that could have an impact on post-merger operations. Some of the key aspects to keep in mind include:
The top tiers of management must consider information security as a key enabler of the entire integration process and of critical importance. Unless this is the case, information security will always become secondary during a merger or acquisition.
Involve the Information Security Department
The step that logically follows management support is the involvement of key members of the information security department. This involvement should begin as soon as a merger or acquisition is considered. The team that performs the pre-merger groundwork should include at least one key member of the information security department to analyze and assess the critical information assets of the organizations that will be merged and the security measures each currently has in place for protection. In addition, this information security members should be on alert to assess potential impacts on information security of all management decisions throughout the process.
Investment in merger-related information security steps will be more than compensated in the post-merger operations as losses avoided. Furthermore, investing the time up front to smoothly merge the information security operations of the two organizations will reduce the bumps and headaches—and costs–that will be faced down the road if a haphazard approach is applied.
Technical Security Assessments
A special assessment team should be created to perform comprehensive security assessments of the organizations to be merged. The main objective of this team is to ensure that both organizations have adequate security measures and protection mechanisms in place to uphold the confidentiality, integrity, and availability of critical organizational information, including but not limited to customer information. Pay special attention to data communication, retention, and destruction. Vulnerability assessments, comprehensive penetration tests, war dialing, war driving, social engineering engagements, and comprehensive audits are essential at this stage. Risk assessments can go a long way in identifying and prioritizing critical components of both organizations.
Technical security assessments should consider aspects of both logical security as well as physical security. Too often, physical security is either ignored or overlooked and can have disastrous consequences. The assessment team should also study the network topologies of both organizations to identify key data entry and exit points. The technical infrastructures of both organizations must be meticulously analyzed to observe dependencies and possible compatibility issues.
Organizational Security Assessments
The assessment team should check the information security policies and procedures of both organizations including those relevant to disaster recovery and business continuity. The incident response plans also form a part of these organizational security assessments. Aligning the business continuity plans and incident response plans of both organizations is very important to ensure that contingencies and incidents are dealt with uniformly after the merger.
Ensure that both organizations have tested these plans periodically and updated them on an ongoing basis. Change management practices followed by both organizations also need to be reviewed. The key thing to remember in organizational security assessments is that two cultures will be ultimately merged. The challenge is to identify and document potential problems that could ensue in the process.
Third Party Providers
Always remember to include key third party elements in pre-merger analyses. Perform a detailed analysis of insurance policies, collocation contracts, maintenance agreements, and other third party vendor contracts. Ensure that all third parties connected to both organizations are carefully reviewed to evaluate how they might impact the overall risk environment of the merged operations. A good question to ask third party providers is whether their policies, procedures, and recovery objectives match up with the overall business goals of the merged entity. Information security assurances from third party providers can be obtained in the form of SAS 70 reviews or audits of their infrastructures.
There are often instances where the acquired organization has better security measures and plans in place compared to the acquiring organization. In such cases, it is important to keep an open mind and be willing to adopt what will be most beneficial for the entity after the merger.
With all the above assessments performed, the assessment team must sit down to create an action plan on how the organizations will be integrated effectively. This action plan must culminate into a formal information security governance model with detailed steps outlined in a formal report. The report should then be presented to top-tier management for approval.
Efficient problem management during the acquisition process time is important to address issues as they arise and keep the process on track.
Enable a problem management and reporting system that ensures a proper chain of command. A problem management team should be instated for quick identification and resolution of the problem. This team will also have the responsibility to ensure that communications are timely, concise, and fast during such times and include all affected units. Once a problem is dealt with, the team should analyze the entire problem management cycle to create a report that includes lessons learned and actions to prevent a recurrence of such a problem.
While managing the attitudes of employees towards information security is not a one-day task, it gains much more significance during an impeding merger or acquisition. The people of an organization have often proved to be the weakest link in information security. Imbibing a responsible attitude towards information security among the people of the organizations is critical.
When old policies, procedures, and practices give way to new ones, employees need to be fully sold on the need for the new ones and how they will help take the organization forward. These ideas and issues must be communicated to employees.
Training programs directed at both technical and non-technical employees from both organizations will ensure effective attitude management. These programs should be highly focused and to-the-point in order to drive key messages home. A long and tiring training program is unlikely to have a desirable impact. A merger or acquisition will be much less painful if it is presented as an integration of people as opposed to that of companies. The people are what will make or break the organization.
Merge Your Way To Success
Mergers and acquisitions have often witnessed heavy investments of time, money, and effort. These are high-involvement investments that aim to take the organization forward and make it more competitive. Keeping information security top-of-mind is fundamental to ensuring that this investment succeeds.
Turn your employees into a human firewall with our innovative Security Awareness Training.
Our e-learning modules take the boring out of security training.
Get a curated briefing of the week's biggest cyber news every Friday.
Intelligence and Insights