The Cybersecurity Checklist That Could Save Your M&A Deal
COMMENTARY
Mergers and acquisitions (M&A) activity is making a much-anticipated comeback, soaring in the US by 130% — to the tune of $288 billion. Around the world, M&As are up 56%, to $453 billion, according to data from Dealogic.
When two companies are combined, a vast amount of sensitive data and information is exchanged between them, including financial records, customer information, and intellectual property. Additionally, different types of software and hardware often need to be integrated, which can create security vulnerabilities for cybercriminals to exploit.
Cybersecurity is critical to protect and safeguard the integrity of confidential data and can make or break an M&A deal. Having worked across a range of industries in my career, from banking and finance to healthcare, technology, and government, I’ve witnessed firsthand the cybersecurity challenges associated with managing M&As. Each M&A transaction I’ve been involved with has been far more complex than initially envisioned and took longer than anticipated to complete. This is especially true when it comes to integrating the technology stack.
Understanding Cybersecurity in M&A
Merging with or acquiring a company with a poor cybersecurity posture makes it much easier for cybercriminals to launch an attack. A data breach not only carries severe financial consequences, including legal fees and financial penalties, it also can be extremely damaging to an organization’s reputation.
Without effective prevention and mitigation of cyber-risks, organizations could lose the trust of customers, partners, and investors, jeopardizing the deal. This is why cybersecurity must be a key consideration right from the beginning of the M&A lifecycle — not after it has happened. Regulators are also ramping up scrutiny of M&A deals and issuing significant fines for non-compliance. In many states and countries, rules such as the EU’s General Data Protection Regulation (GDPR) protect personal data when it is transferred between entities.
M&A Cybersecurity Checklist
Leveraging more than 25 years of experience in risk, governance, and cybersecurity, I’ve put together this checklist to help organizations safeguard their digital assets before, during, and after a merger and acquisition:
-
Conduct early due diligence. Both entities must collaborate to assess the target company’s current cybersecurity practices, internal IT infrastructure, and incident history to identify any weaknesses and security vulnerabilities. They might even want to bring in external auditors and cybersecurity experts specializing in M&A transactions.
-
Adopt risk metrics. Before making a plan, both entities must agree on an accepted level of risk and how this risk will be measured. Standardized risk metrics ensure that risk stays within the agreed levels, facilitating communication and collaboration at all levels of leadership in the new organization.
-
Establish a cybersecurity team. Create a dedicated team, bringing together experts from both entities to work together on addressing and managing potential cyber-risks. This will ensure that security practices are consistent across the entire new organization.
-
Develop a risk mitigation strategy. Based on the early assessment, the cybersecurity team can determine what procedures, processes, and technologies must be implemented to enhance the target company’s cybersecurity posture before the entities combine. This plan should also clearly outline company policies and the roles and responsibilities across both entities for managing cybersecurity.
-
Plan for IT integration. Security measures are essential when integrating IT systems and networks. These include reviewing and enhancing current security architecture, implementing security policies, and testing for any security vulnerabilities. Adopting new tools and technologies to safeguard data during the integration process may be necessary.
-
Check for third-party risks. If external vendors are involved in the M&A process, ask them to detail their processes around managing and monitoring cybersecurity risks. The assessment must ensure vendor practices align with the target company’s cybersecurity standards.
-
Establish identity and access governance and management. Implement strong controls so only authorized people can access sensitive information, digital assets, data, or systems — with different access levels depending on roles and responsibilities. This will help prevent or minimize hacking, fraud, internal data breaches, and human error.
-
Create an incident response plan. If a data breach occurs, organizations need a plan to minimize disruption to the business. It’s essential to back up critical databases and store them off of the network to ensure data can still be accessed. The incident response plan should be printed out or distributed among staff so everyone knows what to do during a cyberattack.
-
Ensure ongoing monitoring. Cybersecurity doesn’t end when the deal closes, and the post-M&A period can be a particularly vulnerable time for companies — so it’s essential to be vigilant. That’s why organizations need mechanisms for continuous 24/7 monitoring of systems and networks and real-time threat detection to identify security vulnerabilities and potential breaches.
-
Train employees. Ensure all employees of both entities involved in the merger or acquisition receive comprehensive and regular training about cybersecurity best practices. It’s vital to communicate that each person can help play a part by watching out for threats and promptly reporting them. Consider conducting cybersecurity drills to prepare staff for what a cyberattack might look like.