4 common security issues mergers and acquisitions face

Published on: May 25, 2021

Each year, companies join forces, expand their horizons and reach new heights. It’s easy to focus on the growth and get swept up in a deal, but those engaging in mergers and acquisitions need to be aware of the security risks introduced by expansion. In a world that’s more connected than ever before, it can be hard to keep track of the growing number of security issues mergers face.

A recent cybersecurity report released by Gartner—surveying 2,799 IT and business decision-makers—found that 60% of organizations involved in mergers and acquisitions consider security issues a critical factor, with 62% expressing that cyber risk is their single biggest concern post-merger.

One of the first ways you can mitigate the kind of security issues mergers face is to take a step back and identify where problems arise and why. Broader awareness of the pitfalls you can face regarding cyber threats can help you identify and solve problem areas before issues arise. In this short blog, we will outline four of the common security issues mergers face.

1. Deals closing before fully assessing the security of all entities involved

Often the opportunity for a merger or acquisition can be accompanied by a natural sense of urgency. Both sides can be eager to close the deal on favourable terms, and in some cases, this can lead to an absence of due diligence.

Most companies will assess financial statements when merging with or acquiring a new entity, meet stakeholders and conduct various cost-benefit analyses of the opportunity. However, a surprising number of companies fail to carry out appropriate security screenings.

Many companies are unable to conduct a satisfactory security assessment internally and will require external auditors. Audits can cost both time (lengthening the time it takes to close the deal) and money (paying for an adequate audit may be expensive) but will save companies from making a critical mistake.

It can also save them money on the total cost of the merger as security concerns are part of the cost/benefit analysis. For example, suppose it’s clear that the parent company will need to introduce security protocols and standards. In that case, it should be factored into the overall equation so that the merger can arrive at a fair price which accounts for the future cost of bringing lax security standards up to scratch.

2. Undisclosed data breaches before the merger

Often this issue is a direct result of companies rushing to close the deal and not spending adequate time and money on proper security assessments. Data breaches are a liability in today’s world and must be disclosed pre-merger. However, there’s plenty of evidence of companies failing to do so.

Perhaps the most famous example of this was Verizon’s discovery of a previous data breach at Yahoo!, which resulted in a $350 million price reduction for Verizon and a requirement for Yahoo! to pay $35 million in penalties to settle fraud charges from the U.S. Securities and Exchange Commission, as well as $80 million in lawsuits from irate stakeholders.

3. Human error puts organizations at security risk

In the cybersecurity report released by Gartner (mentioned in the introduction), 51% of companies felt that human error and configuration weakness posed the greatest risk of a security breach during the merger and acquisition process. Cybersecurity is a growing challenge for companies of all sizes, and a figure like this points to the vulnerability companies face when it comes to protecting data during a merger.

Human error will often arise because each entity uses different technology to perform important reports, store data, and secure financial information. In addition, these systems are often not compatible with each other, resulting in sensitive information being downloaded and transferred through email, spreadsheets and various other means. As a result, it’s not hard to see why a data breach might occur.

Companies hoping to avoid this issue should consider integrating systems that will help them connect all entities in one centralized and secure system. For instance, companies using Microsoft Dynamics solutions should consider streamlining these across all entities and implementing integrated software to manage the complexity of multiple entities. In addition, appropriate solutions will allow for more advanced functions like setting up security roles and visibility between entities, i.e., allowing the parent company complete visibility and giving various stakeholders limited access depending on their requirements.

Avoid human error by using the right technology. Although the implementation of such software can seem like an additional cost, it should be factored in early in the merger and acquisition as it will be essential for maintaining adequate security and protecting against data breaches. If you’re curious about what kind of software you will need, check out our blog detailing the features to look for in financial consolidation software.

4. Complying with financial regulations and contractual obligations

Compliance with financial regulations around security is one of the biggest challenges facing companies in the acquisition and merger process. Each territory and even industry has different requirements, and companies must prepare to implement stringent standards in line with the regulations which govern them.

For instance, financial institutions in the U.S. are required to implement protections to safeguard financial information and notify regulators in the event of any breaches under the Gramm-Leach-Bliley Act. In addition, the U.S. healthcare industry is subject to similar requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Most industries have similar guidelines, and companies acquiring new entities need to meet the requirements of all relevant governing bodies, particularly if entering a new sector or territory. Parent companies should take the time to consider how they will comply with security and data protection laws.
