Regardless of your acquisition or merger size, you shouldn’t underestimate the importance of a thorough security assessment. Failure to address the risks introduced by lax security practices can lead to companies regretting their investments. A recent cybersecurity report released by Gartner—surveying 2,799 IT and business decision-makers—found that 65% of companies experience regret in a merger and acquisition deal due to security concerns.
Recently we detailed the four common security issues mergers and acquisitions face. Now, we will build on that by providing you with steps to help you assess security risk in mergers and ensure you don’t experience buyer’s remorse.
Whether you’re buying or selling, it’s important that you commit to due diligence to ensure a smooth transition during the merger. Undisclosed security breaches or issues can be costly, resulting in extensive legal battles and hefty fines, all of which can be prevented by simply taking the time to perform a thorough security assessment of all new entities.
1. Make sure to conduct your security assessment pre-merger
Although it may seem like common sense, not all companies take the time to perform a full security assessment before signing the deal. Security assessments are certainly not the most exciting part of closing a deal and are often rushed due to a sense of urgency around closing the deal as quickly as possible. Unfortunately, speed is of the essence in today’s world, and it is often the very reason companies fail to follow through with a thorough security assessment. However, taking the time to assess security risk in mergers before the deal is signed will save both parties countless headaches later on if red flags arise.
2. Identify security risks and standard protections against those threats
Rather than simply looking for security threats, take the time to map out where exactly a company might be at risk. Once you know where threats might occur, you can research the types of data protection which commonly protect against them.
Knowing what security measures are required makes it easier to identify where there may be weak spots in protecting the data—allowing you to accurately determine how much you will need to invest in bringing security up to scratch. Therefore, it’s essential to make a list that considers the industry, reach, and nature of products and services so that you can adequately assess the security measures in place.
3. Conduct a thorough security assessment
Although the list of items to check will differ between industries, there are some assessments that all companies should seek to conduct. Here is a list (that is by no means exhaustive) of the standard ways to assess security risk in mergers:
Check the network system and architecture
You will need to know how data flows between systems and whether or not the company uses cloud solutions, third-party applications, or on-premises databases. Once you have a clear picture of how things work, you will be better positioned to check for adequate security measures.
Collect insight into how the company gathers and uses personal data and information
Figuring out how a company gathers, stores and uses personal information (particularly highly sensitive information) is crucial to determining whether or not its security measures are sufficient. Look beyond CRM data and consider information provided by third parties and any data used to market or sell the products.
Review all commitments made to customers around security and privacy
Usually, companies will have several privacy and security promises built into their contracts and sometimes even their marketing or website communications. Interested parties must review all of these as part of the security assessment to know if they may need to communicate changes to prevent any future misuse or breach of trust.
Identify where acquirers may require consent to use data
It’s often not as simple as acquiring full access to a company’s data post-merger. There may be legal restrictions, and you will need to assess these and the effort required to obtain consent to use personal or private information after the deal.
Check current protections against regulatory and industry standards
You may need to hire an external security assessor to be able to adequately check all current protections against regulations and industry standards, particularly if you’re in an industry that uses highly sensitive information.
Investigate prior security issues and data breaches
It can be tricky to conduct an appropriate investigation without a third party as companies may be unaware of prior incidents. A previous data breach isn’t necessarily a reason to call a halt to the deal. Still, it may result in a reduced price (accounting for the cost of implementing any new security requirements). It’s also essential to identify how a company has previously dealt with any issues that may have arisen. From an acquirer’s perspective, you will want to see proactive management of any such threats.
4. Account for the implementation of any security measures
Acquisitions and mergers often come with hefty price tags, and a thorough security assessment may allow you some extra room for negotiation. The acquirer or parent company will likely bear the cost of implementing protections, which should be reflected in the buying price.
5. Consider secure cloud-based solutions built for financial consolidation
One of the most significant challenges mergers and acquisitions can face post-merger is the consolidation of financial statements. Transferring the data between systems can lead to costly security breaches, and considering an alternative solution should be part of how you assess security risk in mergers and acquisitions.
The companies involved will likely all have different solutions to manage their resources and accounts. Part of the merger process would be aligning all these to communicate financial data efficiently and securely between entities. Check out our blog on best practices for financial consolidation for more information.
Companies should look for cloud-based solutions with advanced security features like Intrusion Detection and Prevention Systems, data encryption, firewalls, and anti-virus tools. There should also be security role features which allow you to make data visible only to specific users and roles.