6 M&A Security Tips
Companies are realizing that the security posture of an acquired organization should be considered as part of their due diligence process.
There’s a growing sense that companies need to take a closer look at security when considering a merger or acquisition.
A global survey of dealmakers by Mandiant, a FireEye company, found that 78% of respondents believe that cybersecurity is not analyzed in great depth or specifically quantified as part of the M&A due diligence process.
"Although most security teams feel strongly that the security posture of an acquired organization should be considered in an acquisition decision, it often does not play a significant role in the deal team's due diligence process," says Charles Carmakal, vice president and CTO of strategic services at Mandiant. "The reality is that security generally only plays a role during the acquisition if there's a significant breach. In that situation, the security team would evaluate if the asset is too toxic and has lost value."
Chad Holmes, chief services and operations officer at Optiv, adds that cybersecurity has risen in importance because many more companies are acquiring digital assets as part of their digital transformation initiatives. He cited a study from Capgemini Consulting that finds 87% believe that digital transformation gives them a competitive advantage.
We talked with Carmakal and Holmes to develop this list of M&A security tips. For more information, check out the Mandiant study, "The Benefits of Cybersecurity Diligence in Mergers and Acquisitions."
Typically there's a deal team and an integration team; the cybersecurity group works as part of the latter. However, the deal team could miss anything from simple things, such as vulnerabilities, to more serious situations, such as not realizing that the new company's intellectual property has been stolen.
In most situations, security pros learn about an acquisition fairly late in the process, and their input focuses on how the parent company can securely integrate the acquired business into the corporate network. They most often perform a quick paper-based interview review of security controls, asking questions like: Is there a firewall? What kind of security monitoring does the acquired company have in place? What is the governance structure?
But, along with the paper-based interview, more mature companies that bring on the security team early on will do an assessment to find out whether compromises have occurred in the past. They also will do a penetration test, with the main goal to find out how easy or hard it is to break into the network.
It's the job of the parent company in an acquisition deal to collect the new digital assets and put them in a secure, centralized database. These assets can include new software, mobile applications, infrastructure, and hardware. The security team then assigns each asset a risk score. This process should give them insight into the risk each asset carries and whether the new assets have been compromised in the past.
Many of the most prominent data breaches took place through vulnerabilities among third parties. Both the Target breach and the intrusion into the federal government's Office of Personnel Management come to mind. Companies must assess the risk third parties introduce and then do risk profiling.
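As an added illustration of the centralized asset register and risk score described above (example code written for this page, not from the article, Mandiant, or Optiv), the following Python module collects an acquired company's assets, deduplicates records that arrive from different inventories, scores each asset on the factors the article raises (exposure, open vulnerabilities, evidence of past compromise, third-party operation, and compliance scope), and produces a prioritized list for the integration team. The weights, tiers, and the sample inventory are constructed assumptions; a real program would calibrate them to its own risk appetite.

```python
"""Centralized asset register with a simple risk score for an M&A integration.
Added example, not from the article; weights, tiers and sample assets are
constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                           # "software", "mobile_app", "infrastructure" or "hardware"
    owner: str                          # team accountable for the asset after integration
    internet_exposed: bool = False
    open_vulns: int = 0                 # unpatched findings from the pre-close assessment
    prior_compromise: bool = False      # evidence of past intrusion found during diligence
    third_party_operated: bool = False  # run by a vendor, so it inherits third-party risk
    regulations: Tuple[str, ...] = ()   # e.g. ("PCI",) if it handles card data


# Assumed weights (not from the article); calibrate to your own risk appetite.
W_EXPOSED = 3
W_PER_VULN = 1
MAX_VULN_CREDIT = 5      # cap so one noisy scanner cannot dominate the score
W_COMPROMISE = 5         # past compromise weighs most: the asset may still be toxic
W_THIRD_PARTY = 2
W_PER_REGULATION = 2


def risk_score(a: Asset) -> int:
    """Additive score: higher means isolate first and integrate later."""
    score = 0
    if a.internet_exposed:
        score += W_EXPOSED
    score += min(a.open_vulns, MAX_VULN_CREDIT) * W_PER_VULN
    if a.prior_compromise:
        score += W_COMPROMISE
    if a.third_party_operated:
        score += W_THIRD_PARTY
    score += len(a.regulations) * W_PER_REGULATION
    return score


def tier(score: int) -> str:
    """Assumed tiers used to drive integration sequencing."""
    if score >= 8:
        return "critical"
    if score >= 4:
        return "high"
    return "standard"


def build_register(assets: Iterable[Asset]) -> Dict[str, Asset]:
    """Centralize assets keyed by normalized name. When two inventories describe
    the same asset, keep the record that scores higher so risk is never understated."""
    register: Dict[str, Asset] = {}
    for a in assets:
        key = a.name.strip().lower()
        if key not in register or risk_score(a) > risk_score(register[key]):
            register[key] = a
    return register


def prioritized(register: Dict[str, Asset]) -> List[Tuple[str, int, str]]:
    """(name, score, tier) rows, highest risk first, ties broken by name."""
    rows = [(a.name, risk_score(a), tier(risk_score(a))) for a in register.values()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def previously_compromised(register: Dict[str, Asset]) -> List[str]:
    """Assets the historical-compromise assessment flagged; these need a
    separate decision on whether they are too toxic to bring in."""
    return sorted(a.name for a in register.values() if a.prior_compromise)


# Constructed sample inventory for a hypothetical acquired company.
SAMPLE_ASSETS = [
    Asset("customer-portal", "software", "web-team", internet_exposed=True,
          open_vulns=4, regulations=("PCI",)),
    # Same asset reported by a second inventory with less detail; deduplicated.
    Asset("Customer-Portal", "software", "web-team", internet_exposed=True, open_vulns=1),
    Asset("pos-terminals", "hardware", "retail-ops", third_party_operated=True,
          regulations=("PCI",)),
    Asset("mobile-app", "mobile_app", "mobile-team", internet_exposed=True),
    Asset("build-server", "infrastructure", "devops", prior_compromise=True, open_vulns=2),
    Asset("hr-wiki", "software", "it", open_vulns=1),
]

if __name__ == "__main__":
    reg = build_register(SAMPLE_ASSETS)
    for name, score, t in prioritized(reg):
        print(f"{t:9} {score:3}  {name}")
    print("previously compromised:", previously_compromised(reg))
```

The dedup rule is deliberately conservative: two inventories describing the same system is common after an acquisition, and keeping the higher-scoring record avoids a partial entry masking a known problem. The compromise weight is the largest single factor, mirroring the article's point that a past breach is what determines whether an asset has lost value.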
Risk profiling in this context refers to assessing third-party relationships, Optiv's Holmes says. "So a company that you are acquiring also likely outsources key business functions to a third-party vendor," he explains. "You need to not only do due diligence on the company itself, but understand and/or have processes in place for managing third-party risks posed to the organization. This is one important facet of risk profiling, basically defining the risk that organizations possess."
Most large companies have fairly well-established governance procedures. But it's not as clear that small and midsized companies have such processes in place. Those procedures need to be centered on software development controls for the acquired technology, plus how the company will introduce the new technology into its ecosystem and maintain compliance. In many cases, the compliance procedures are generally understood, but they still must be managed.
For example, Optiv's Holmes says, if a large healthcare company acquires a yoga studio that does point-of-sale transactions, both the healthcare organization and the studio could be bound to new, different sets of regulations that they may not have been prior to the transaction. "When the IT teams do those integrations, introducing new technologies and procedures into the environment, they need to make sure they maintain compliance, such as PCI," Holmes says. "While those requirements are broadly understood, they still must be managed/governed. Companies should not overlook compliance, even though it's a pretty understood and standard activity."
Companies going through an acquisition should at the very least have the security team do a session with the security staff from the acquired company so they understand the parent company's security perspective. The teams should meet and exchange information on their approaches to security. In some situations, the acquired company has better controls, so some of those policies should be integrated into the parent company. It often takes several meetings to work out which processes will ultimately be adopted.
Companies must decide whether the new acquisition will operate as a separate unit or be fully integrated into the company. Most security groups will start off isolating the new group under the Zero Trust Model and run it that way for several months. Much depends on branding decisions made by the parent company, but these issues must be worked out and top management needs to consider security in its plans.