The Cybersecurity Risks of Mergers and AcquisitionsThursday, February 2nd, 2023
In tough economic times, many businesses go through mergers and acquisitions to improve their financial prospects. However, this process can put organizations’ sensitive data at risk. In this article, we discuss the cybersecurity risks of mergers and acquisitions. According to a report by Forescout, 62 percent of participants agreed that their company faces significant cybersecurity risks by acquiring new companies and expressed that cyber risk is their biggest concern post-acquisition.
Before M&A: Assess Cybersecurity Risk
Even before mergers and acquisitions are announced, it can be a vulnerable time for a company’s data. Leakage of sensitive company data, like confidential financial information, can be catastrophic to negotiations. As a result, this makes companies considering a merger or acquisition highly susceptible to hacking.
Internal threats are also likely to increase. Employees not involved in negotiations may learn about merger talks and have some incentive to leak data to the press or to criminals to stop the process. It is essential to protect all communications relating to merger discussions.
The most significant risk of a merger is not doing cyber due diligence on the company being acquired. Risk analysis needs to be a part of negotiation talks. Most organizations being merged or acquired are smaller, with low levels of sophistication, and may lack mature cybersecurity programs. You need to understand the potential risks your company may be inheriting to prepare to address them properly. Security personnel need to be included in M&A talks to ask the right questions, audit systems, and prepare for integration.
Addressing Risk During Integration
Once a company merges with another, the risks to sensitive data increase. Highly sophisticated threat actors target M&A activities because, with operations in transition, high-value data is often vulnerable.
The Technology Risks of Mergers and Acquisitions
In 2019, the IBM Institute for Business Value surveyed 720 executives responsible for the merger and acquisition functions at acquirer organizations. More than one in three said they experienced data breaches that can be attributed to M&A activity during integration.
IT changes may be extensive and cannot all take place at once. It’s essential to take time to fully understand inherited policies, equipment, and procedures before making rapid changes. Enterprise IT projects take time to plan and complete without disrupting day-to-day operations.
IT teams will deal with a new mix of assets, technologies, processes, and organizational culture during integration. Risks continue to evolve during the initial period of change as they learn more about inherited systems and processes. They may also be overwhelmed by integration tasks integral to day-to-day operations, so that security tasks may be a lower priority. It’s incredibly important to prioritize security and have a well-organized transition to ensure that sensitive data is not exposed.
The Personnel Risks of Mergers and Acquisitions
Changing personnel can also create gaps in your security program. Employees with institutional knowledge may leave the company, meaning crucial processes and procedures must be re-documented and updated. If teams are understaffed in essential areas, they may take shortcuts that leave sensitive data exposed.
Staff burnout and uncertainty from the transition can also lead employees to make mistakes. Phishing and business email compromise threats are prevalent in the early days of a merger or acquisition. People may report to new managers and fall prey to social engineering-style attacks because of their unfamiliarity with new reporting lines and company hierarchy.
It’s important to prioritize security training and update all employees on policies after a merger occurs. Clearing up ambiguity helps to reduce risk and builds trust in the organization.
How to Reduce Cybersecurity Risk During a Merger or Acquisition
Utilizing basic email security features like filtering and message encryption can go a long way to protect sensitive data and limit risks. Whenever confidential information is shared, it should occur through secure or encrypted channels. Leaked information can lead to negative consequences and volatility.
The best way to reduce risk is to plan for it. It’s critical to thoroughly understand the risks you will inherit by merging with or acquiring another company. This should include thoroughly reviewing risk assessments and IT systems and even bringing in a third-party to assess their cybersecurity. The time to find out about these liabilities is before the merger occurs, not on day one.