Companies continue to pursue mergers and acquisitions (M&A) to eliminate competition, diversify product offerings, achieve economies of scale, access unique capabilities, and penetrate new customer segments. In fact, a recent survey by the global consulting giant PwC, which polled more than 900 global Chief Financial Officers, revealed that M&A would feature in companies' COVID-19 recovery strategies. A quarter of respondents said they would use M&A to rebuild or enhance their company's revenue streams.
However, integrating two or more organizations—each with thousands of applications and infrastructure components managed by different network administrators and configured to different standards—only further complicates the M&A process.
Consider the case of Marriott's acquisition of Starwood Hotels Group. On November 30, 2018, Marriott International announced that approximately 500 million of its customer records had been compromised, in what became one of the largest data breaches in history. According to media reports, hackers had accessed the guest reservation database of Starwood, the rival hotel group Marriott acquired in 2015, as early as 2014, yet the intrusion was only discovered in 2018.
Given what was at stake, regulators also weighed in on the Marriott data breach case. United Kingdom (UK) Information Commissioner Elizabeth Denham underscored the importance of due diligence when making corporate acquisitions, and of proper accountability measures to assess not only what personal data was acquired, but how it was protected. The UK Information Commissioner's Office ordered the United States (US)-based Marriott to pay £99.2m for breaking the European Union's General Data Protection Regulation, a set of strict laws designed to protect private user information.
M&A cybersecurity is a corporate concern that the boards of combining companies must consider in meeting their fiduciary duty to their shareholders. The cybersecurity, privacy, and data protection landscape must be reviewed, and any toxic combinations identified before the deal closes. In the sections that follow, we recommend M&A cybersecurity strategies that have been shown to increase the success rate of M&A deals.
M&A cybersecurity is not at a standstill
Considering cybersecurity in the negotiation means freedom from cyber insecurities: leaked information, insider dealing, theft of intellectual property by disgruntled employees, conflicting approaches, and out-of-control operations, among others. Ultimately, M&A cybersecurity means executives can sleep worry-free from the cyber risks, contagions, and exploits that bring legal ramifications such as heavy penalties and fines.
Cybersecurity legislation is constantly changing. In M&A, it is vital first to understand the scope and regional applicability of security and privacy laws. To do this effectively, you must:
- Prepare ahead and take a risk-based approach for each company undergoing M&A.
- Focus heavily on cybersecurity awareness for both companies, specifically high-risk groups such as the board, systems administrators, and anyone handling highly sensitive information.
- Determine compliance with relevant security frameworks and standards, such as those published by the National Institute of Standards and Technology (NIST), the Payment Card Industry Data Security Standard (PCI DSS), and the International Organization for Standardization's ISO/IEC 27001 certification.
- Promote active collaboration between the cybersecurity and legal teams.
- Identify and map regional, national, and subnational cyber rules wherever the merging businesses operate.
- Develop, update, and socialize clear-cut cybersecurity policies and governance frameworks.
- Map supply chain risks for both companies from the outset, determine gaps, and develop a strategy to bring the residual risk within appetite. Most companies rely heavily on third-party vendors to help them meet both their contractual obligations and consumer demand. This reliance is not without risk, including possible legal violations arising from intensified enforcement of regulations, especially as the global footprint grows.
- Regularly test and update assessments, safeguards, and protocols before and after the M&A.
Ensuring M&A cybersecurity before, during, and after the deal increases business value in revenue and customer satisfaction and lowers costs. To achieve this, control measures at every phase of the negotiation are necessary to prevent unwanted liabilities while driving revenue opportunities.
Phase 1: Pre-announcement and initial due diligence
This stage begins by asking the following key questions, which help assess the security maturity, strengths, and weaknesses of the companies undergoing M&A:
- Do the companies have a Chief Information Security Officer (CISO) responsible and accountable to the Chief Executive Officer and board of directors?
- Who are the key people dealing with sensitive information? Are they fully aware of the security protocols they should be following?
- Do these teams have the right tools to protect sensitive information, such as encryption of data in transit and at rest?
- Does the target organization have a compliance and security governance committee? If so, have the charter, membership, cybersecurity key performance indicators, and information risk management processes been reviewed to ascertain their comprehensiveness?
- What are the existing security compliance certificates?
- Is there a code of conduct that provides expected workforce behavior and responsibilities related to data security? If so, does it describe sanctions for non-compliance?
- Is there a formal program for managing third-party service providers? If so, have recent revisions been made to accommodate any new regulation and supply chain risk?
- Can the impact of insider threats and data leaks be minimized by identifying key insider-related risks and increased monitoring pre- and post-merger?
- Have recent assessments or audits been conducted on compliance, data security programs, or both? If so, are remediation activities underway to close any gap?
- Have copies of cyber insurance policies been obtained and reviewed? Can the company insure against any unmitigated cyber risks?
- Are there potential cybersecurity centers of excellence that can be leveraged?
- How can changes in threat profiles and known vulnerabilities that will affect the merged organizations' reputation be immediately identified?
- Are there existing initiatives or projects that should be put on hold due to the merged organizations' combined capabilities?
- How will the new executives, board members, and operations respond to a major cybersecurity breach?
- What can be included in a customer and partner outreach program, for example, a roundtable with a client's CISOs, to build confidence and maintain trust?
Phase 2: Before the definitive agreement
The intention is to ratify the initial target model and understand what may impact the M&A from all sides. We recommend the following actions:
- Articulate information and cyber risk in a formal company register, notify the board of directors, and provide risk treatment planning advice.
- Review governance or oversight committee meeting minutes and attachments to verify adherence to charter, agendas, and documented risk management processes.
- Review corporate governance charters and ensure that cybersecurity is included in the revised audit or risk charter or both.
- Cross-check policies and procedures to regulations to ensure complete compliance and easier integration of the companies.
- Review training materials to ensure that only roles that require access to sensitive information are granted it.
- Identify the "crown jewels" (mission-critical assets) of the companies, as security measures will need to focus on these assets first. Consider what levels of encryption are applied to personally identifiable information.
- Review policies and procedures in reporting complaints, major cybersecurity incidents or privacy violations, and major breach assessments or notifications.
- Review cyber resilience, business continuity, and disaster recovery plans: the critical systems, the decision-makers, and the communication hierarchy in crisis management.
- Request an inventory of service providers with information about the services they provide; minimum information shared; due diligence conducted in hiring their services; security incident notification requirements; and replacement vendors for critical services.
Phase 3: After signing the agreement and integration
This stage involves detailed work to align with the plan. Some of the must-do activities include:
- Review all documented activities to test business continuity, disaster recovery, and emergency cyber resilience plans. Build a cyber crisis management playbook (a subset of crisis management) and agree on table-top exercises with operations and executive teams across the merged companies.
- Review information risk management processes, including prior risk assessment decisions to assess risk tolerance.
- Review logs and other documentation about major security incidents, privacy violations, complaints, breach risk assessments and conclusions, notification plans, and previous activities (if any).
- Begin an enterprise-wide information and cyber risk assessment covering crown jewels, primary physical locations, security standard scores or benchmarks, and the risk profiles of executives and key support staff.
- Request details of any reported breach, regulatory investigation, or audit.
- Request copies of compliance and security attestations, assessments, or audits from high-risk service providers.
- Audit the adherence to procedures that establish, modify, or terminate access to sensitive information.
- Review remediation activities from recent compliance and data security audits or assessments and completion timeline for ongoing audits.
In all the M&A stages, you must pay special attention to senior executives directly involved in the process.
M&A cybersecurity keeps executives on the hook
Although security awareness is a top priority for all employees in the M&A process, special attention must be paid to the senior business leaders directly involved in the negotiations. You must assess their demonstrated security behaviors to understand whether they need to act differently and more securely. Their connections, and the business risks those connections might pose, must also be reviewed, and their cyber risk profiles must be continuously monitored for changes.
The clear lesson from the significant rise in security incidents worldwide is that people matter as much as, if not more than, technology. Of all these security incidents, 95% involve human error: they are successful attacks by external attackers who prey on human weakness to lure insiders into providing access to sensitive information. Because of the urgency that often surrounds M&A transactions, companies rarely have time to assess security culture during due diligence.
The tech piece alone creates a false sense of security
As Admiral Mike Rogers of the US Cyber Command has said: "It’s about culture—how you man, train, and equip your organization, how you structure it, the operational concepts that you apply. We have to get beyond focusing on just the tech piece."
Instituting a risk-aware culture program during integration, with clear objectives and measurable business results, can help reduce the security-related incidents that may undermine the deal and hurt the companies' brands in the long term. Security awareness program owners should continue and extend training to high-risk teams, such as the executive leadership and human resources departments. The risk-aware culture topic should be a standing item on the agenda of regular steering committee meetings.
When companies merge, the combined security leadership often assumes it should retain each organization's leading cultural attributes. However, cultural strengths are sometimes incompatible; hence, it is important to create a shared vision and apply it consistently from the top down. Building and nurturing a culture of high reliability will require the personal attention of the executives and board, and substantial investment in training and oversight.
Since culture issues seldom stop proposals, business leaders should ensure that the importance of developing and maintaining a risk-aware culture is raised explicitly. CISOs play an important role in weaving the merged organizations' security objectives into their fabric and in avoiding a state of perpetual recovery.
CISOs: The M&A cybersecurity enablers
Bringing together the CISOs will save the executives of merging and acquiring companies a great deal of pain, especially in preserving the trust and goodwill that each company has built in its previous niche. An enterprise security architecture, delivered as a strategic business toolset and enabled by the CISOs, will create competitive value for the merged organizations.
The key challenges the CISOs will need to address include duplication between the entities, the introduction of one company's customer identity base into the other company's systems, integration velocity, and uncertainties ahead of due diligence.
But an appropriately aligned enterprise security architecture will:
- Have a business-aligned cybersecurity strategy that will help articulate the bigger picture and set an understanding for the merged organizations. This will encourage them to leverage security capabilities to manage strategic risks and create a competitive advantage in the industry and market.
- Provide relevant and appropriate guidance and governance input.
- Develop and deploy new business solutions, ensuring that the merged businesses’ environment keeps its integrity and remains safe and secure through the change.
- Enable identification and remediation of current risks and issues, enabling the merged businesses to operate within acceptable tolerance limits of their risk appetite.
Other opportunities that an enterprise security architecture can bring include:
- Elimination of duplicate security centers of excellence between the two organizations by consolidating them into a single one.
- Reduction of upfront costs (made possible by security segmentation) and serious data breaches (because defenses are focused on crown jewels).
- Leveraged security assets, expertise, resources, and best practices across the enlarged organization.
- Proper handling of "cloud as a service" arrangements.
- Leveraged cyber capabilities, such as threat intelligence, prevention, and detection, as well as incident response capabilities.
- Merger-focused security programs that optimize efforts and identify cost savings, reducing delivery time and cost.
- Possible use of cybersecurity products and services, such as consulting and indices.
When done right, embedding cybersecurity throughout the M&A process will greatly increase the likelihood of the deal's success, decrease the chance of protracted legal fights, and accelerate the cyber resilience posture of the merged entities.
Want to read more about this CISO game plan? Download for free our CISO Playbook: Mergers and Acquisitions, and other playbooks in the series.
Learn more about the art of executive influencing only from our industry-leading CISOs. Inquire about the Cyber Leadership Program for cybersecurity professionals and CISOs today.
CISO Playbook: Mergers and Acquisitions - Balancing cybersecurity risk and business opportunity during mergers and acquisitions
This CISO Playbook serves as a complete set of end-to-end strategic considerations (beyond technology considerations), to address cyber security, information risk and business driven security opportunity during mergers and acquisitions. It has been designed to help CISOs protect and unlock value before, during and after the transaction.