Mergers and Acquisitions: Building a Cybersecurity Strategy

Posted by Tyler Ward on Jul 10, 2019 2:51:49 PM

In today’s digital landscape, when performing a merger or acquisition organizations are taking on much more than they realize. Organizations are not only inheriting employees, finances, and practices of the other party—but also the cybersecurity practices (good or bad) and potential cyber risks that come with that.

Yet very few M&A processes measure the cyber-maturity and cyber-risk levels of organizations prior to, and during, the standard M&A due diligence process. This can prove to be a costly mistake that can leave the most secure organizations exposed to unexpected risk, force them to fall out of compliance, and can even result in taking on an active network compromise or, worse yet, a data breach.

To prevent cybersecurity woes related to M&A, we’re sharing some actionable advice around factors to consider, questions to ask, and actions to take.


1. Consider these common cybersecurity factors:

      • Vision and Strategy
      • Leadership
      • Experience
      • Processes
      • Planning
      • Framework and Compliance Alignment
      • Corporate Cultures
      • Transparency
      • Risk Management
      • Loss of High-Performing Employees
      • Lack of Employee Buy-in
      • Growth Targets
      • Synergies
      • Potential Conflicts


2. Ask the following questions:

      • Am I inheriting a compromised network or unsecured information security posture?
      • What new cybersecurity and privacy regulations will I now be subject to?
      • Will I inherit reputation damage based on a data breach from the acquired or merging organization?
      • Will I be able to control the cybersecurity posture of the new enterprise when the merger or acquisition is performed?
      • With the new scope of regulatory and cybersecurity responsibilities, will my current staff and budget be sufficient enough to scale with the new enterprise?
      • Does the poor cybersecurity posture of the acquired or merging organization give me leverage to negotiate a better price?
      • Should I give the acquired or merging company an ultimatum to raise the cybersecurity posture prior to merging or acquiring or deal with it afterwards?
      • What are the potential penalties for acquiring a non-compliant business or division?
      • When was the last cybersecurity assessment performed on the acquired or merging organization and what were the results? And, should I require that they perform a cybersecurity gap assessment as part of the Letter of Intent?
      • Once we acquire or merge, what will our new cybersecurity program entail and cost?

This list of questions includes just some of the top questions that IGI cybersecurity consultants consider when advising on the cybersecurity portions of the M&A process. However, the list goes on and can include lengthy reviews of such metrics to gain a complete understanding of the new risks, alignments, and benefits that come with any business change.


3. Prepare!

So, how can the existing M&A process integrate cybersecurity and information security due diligence processes into the fold?

There are trusted methodologies that simply work for the industry. These same techniques can be applied directly to the M&A process to determine—once merged or acquired—what is the inherited risk and the projected costs associated with the mitigation of identified risks.

IGI consultants leverage industry-trusted techniques to conduct a thorough assessment of both organizations. Taking a structured approach, the IGI cybersecurity employs the following methodology:

      • Choose a trusted set of standards and cybersecurity framework for the organization
      • Conduct a cybersecurity gap analysis
      • Conduct a thorough cybersecurity risk assessment
      • Determine risk levels
      • Determine costs to mitigation
      • Determine potential penalties of non-compliance
      • Formulate cyber-risk mitigation plan

Using this methodology, IGI’s clients can make an informed decision on their merger or acquisition. By delving deep into the risks associated with people, processes, and technologies, IGI consultants paint a clear picture for organizations to make calculated decisions on their M&A process. It is paramount to measure the cybersecurity posture of an organization prior to merging or acquiring, since this could lead into unforeseen costs and regulatory burdens.

By placing the cybersecurity and regulatory posture of organizations under the microscope, businesses can forecast for costs associated with compliance such as PCI, HIPAA, NYS-DFS, SOC, GLBA, GDPR, and more. Furthermore, determining the likelihood for a data breach prior to merging or acquiring could be one of the best investments in your M&A due diligence. Waiting for the M&A process to conclude to measure cybersecurity maturity and regulatory compliance can send organizations into an unnecessary frenzy on top of the known challenges that come with mergers and acquisitions.

Contact IGI today to find out more about our cybersecurity and regulatory expertise in the M&A process and how our consultants can help you to make informed decisions, calculate unforeseen risks, and avoid the potential pitfalls of inheriting a poor cybersecurity posture.


Topics: Cybersecurity, M&A