Security in Mergers and Acquisitions
Corporate information security is now ubiquitous with organisations increasingly attuned to the threats they face and the controls on data and services they need to employ. There is, however, one aspect of corporate activity where security can often be overlooked and when an organisation can be at its most vulnerable – during mergers and acquisitions (M&A).
With Brexit uncertainty now behind us, many companies will be rethinking their M&A strategy. Indeed, a recent sentiment report suggests – for European companies at least – many companies will be more attractive post-Brexit. In addition, the report shows 42% of M&A and Capital Market professionals anticipate M&A volume growth in 2020, with an average predicted growth rate of +4.7%. For those organisations looking to capitalise on a more active market, identifying vulnerabilities and cyber risks in target acquisitions is vital. The cost of poor M&A security is higher than ever.
The cost of conversation
Any organisation that has been through a merger or an acquisition, either as the acquirer or the acquired, knows the dangers. Additional public scrutiny means that any false move is more likely than normal to impact share price. Egos on both sides of the negotiation can easily drive deals beyond good sense and can damage, rather than increase, shareholder value.
On top of this, all the time the board is distracted, competitors can be stealing research and development (R&D) or even poaching talent from within the organisation when people become fearful about their future job security.
With many other issues to contend with during M&A activity, one aspect that can sometimes be neglected is information security. This starts early on in the process during the due diligence stage. Undisclosed breaches are the first big risk to look out for. An organisation that knowingly or unknowingly has suffered a significant security breach can harbour huge hidden liabilities. Being in the spotlight may also make both sides of the deal more of a target, so it is a time for heightened vigilance.
Quantifying the unknown
A key aspect of the due diligence process is to look closely at the information and cyber security organisation of the target. Acquiring a company with poor security processes and controls can be a significant burden. It can often take years to remedy and, given that cost saving is often a driver for a merger, most organisations do not allocate budget to revamping security after a deal closes. You only have to look at Marriott’s acquisition of Starwood to see the impact of a breach on a newly acquired business unit. Marriott’s shares dropped almost seven per cent after the Starwood hack, which also forced a significant out-of-budget spend to address the endemic problems highlighted. And in March 2020 Marriott announced another major breach. While still significant, 5.2 million compromised guests is a drastic reduction from almost half a billion the last time this organisation identified an attack. Despite this improvement – if we can call it that – whether the organisation did enough to shore up its security posture after the last breach will certainly be called into question. The reputational impact on the Marriott brand is more difficult to quantify, but likely much more substantial. With new General Data Protection Regulation (GDPR) rules threatening eye-watering fines, this situation is only going to get worse.
Leadership is key
During M&A activity there are often very different approaches to security, with different teams in separate organisations. A successful deal needs a strong CISO to bring the two teams together and avoid infighting. Poorly documented tools or processes can also suffer from the loss of critical people during the integration phase. In particular, things like expiring certificates can halt a web-based business or prevent vital remote access. The security team should be prioritised for integration first. Failure to get this right can have a disproportionate impact on the success of the post-close consolidation project.
Another thing to consider: from the point that the M&A talks become public until after the close, staff will be nervous. Nervous employees are far more likely to steal corporate data. From developers taking pieces of code to their next assignment, to salespeople siphoning just a few key contacts from their customer database, small amounts of data loss add up. As a whole, this becomes a significant challenge. The insider threat is very real – both from unwitting and malicious actors. Disgruntled employees are also likely to be a threat to systems, and there are countless examples where a departing employee has perpetrated sabotage.
A tale of risky business
Regardless of the maturity of the acquired organisation, merging the two can be risky. Prior to joining Exabeam, I led the integration of Lehman Brothers into Barclays. On the first day I was greeted with an organisation that had stopped trading. My company had acquired the US assets of the organisation and there was an expectation that someone else would acquire assets from other jurisdictions. You might think that integrating a non-trading organisation would be simpler. It’s not. I remember standing in front of the Barclays Capital executive team at the end of the first week, explaining that I couldn’t stop ex-Lehman employees from stealing or deleting data. I could, however, stop them from accessing Barclays data and instead consider the Lehman network toxic. It rather stunned them, but they understood what I was saying.
This story is important, as it allowed us to get things in motion quickly. Within a week we had isolated users into three groups: those who had accepted an offer, those who had yet to accept an offer and those who would not be receiving an offer. We had the bank trading again and using the Barclays settlement systems and were able to move at speed, primarily because people were involved on both sides of the deal. Winning the hearts and minds of a demoralised acquired target is key to a successful integration phase. An early integration is key to long-term success. The longer an organisation remains autonomous, the harder it will be to realise those M&A drivers.
Security as a cost driver
It is possible to achieve real cost savings from M&A and security is not the least of those areas. This does not require significant redundancies; instead huge efficiency improvements can be achieved by aligning security strategies and approaches across two organisations.
Licensing can be a real challenge in M&A as often there are break clauses in contracts. Vendor negotiations can handle these situations, and bigger and more cost-effective deals are good for both sides – though don’t rush into these too quickly. It’s always wise to look at the alternatives. Be particularly cautious about outsourcing: only a well-run organisation can be outsourced successfully, and a newly merged security organisation will take time to be made efficient and effective.
Success in adversity
M&A can be a tricky thing to get right – it’s a balancing act of differing business cultures, integrating new technologies, and ensuring security is intact. It only takes one slip for something to go wrong and a breach to occur, so due diligence from the very start is critical. During M&As there’s a lot to juggle, but it’s important that cybersecurity remains front of mind and the inherent risks are not overlooked. A strong CISO with a clear plan can make all the difference and they should certainly be involved from the outset in any M&A plans. Nonetheless, done correctly M&As can add real value and bring an organisation to new heights.
Stephen is an experienced Information Security Manager used to working in highly regulated environments, dealing with compliance and legislative challenges from multiple jurisdictions. Much of Stephen’s career has been spent in financial services; primarily investment banking but also in retail banking, telecoms, utilities and insurance business environments.
Stephen is currently Head of Solutions Architecture at the Smarter SIEM company, Exabeam. He joined Exabeam from Splunk, where he ran the Financial Services practice and the EMEA Security Practice. Prior to Splunk, Stephen spent seven years at Barclays where he was the Group Head of Information Security Services. At Barclays, his team built what was probably the largest SIEM in the commercial world and delivered some of the largest programmes around privilege access management and data governance and control, as well as many other projects. He was also instrumental in the rapid integration of Lehman Brothers and in helping the bank unify its security organisation across several distinct business units.
Stephen’s other key achievements include: creating and running the Deutsche Bank Global Internet Services team; helping Eircom to create a formalised IT governance structure based upon international standards; and developing a major e-commerce and trading platform for Standard Bank Offshore.