By Stephen Gailey, Head of Solutions Architecture at Exabeam
A market worth well in excess of $100 billion a year globally, cybersecurity has become one of the most urgent issues on the corporate agenda. This is good news, and organisations are becoming better attuned to the threats they face and the controls on data and services they need to implement. There remain, however, some serious gaps in the ability of businesses to deal with specific niche risks, one of the most dangerous being the vulnerabilities presented by merger and acquisition (M&A) activity.
It’s a complex process with many issues to contend with, and the result is that during M&A activity, information security can fall by the wayside. But cybersecurity should be included from the due diligence stage, with undisclosed breaches the first danger to look out for: whether or not they have already been discovered, they can harbour huge hidden liabilities.
A good starting point is to look closely at the information and cyber security organisation of the business being acquired, because buying a company with poor security can be a huge headache. The resultant problems of taking on a business with sub-optimal processes and controls can take years to remedy – a problem exacerbated for most organisations, which do not allocate budget for closing serious security gaps immediately after a deal closes.
A case in point is Marriott’s now infamous acquisition of Starwood. Marriott’s shares dropped almost 7% after the Starwood breach was uncovered, which forced a significant out-of-budget spend to address the problems inherited with the Starwood acquisition. Adding insult to injury, a £99 million GDPR penalty was levied once the Information Commissioner’s Office (ICO) concluded its investigation.
Getting the foundations right
There are huge benefits to be gained during M&A by enabling the security teams to get involved quickly to establish a solid foundation for the short and long-term future. For instance, the businesses involved in a merger or acquisition can often have very different approaches to security – a successful deal needs a strong chief information security officer (CISO) to bring the two teams together and avoid infighting.
When the deal is finalised, the security team should be prioritised for integration first. Failure to get this right can have a disproportionate impact on the success of the post-close consolidation project. For example, poorly documented tools or processes can be made worse by the loss of critical people during the integration phase. In particular, issues such as expiring certificates can halt a web-based business or prevent vital remote access. Similarly, licensing can be a particular challenge, as there are often break clauses in contracts. But negotiating with vendors can manage these situations, because bigger and more cost-effective deals are good for both sides. It’s also wise to take the opportunity to look at alternatives. Be particularly cautious about outsourcing: only a well-run organisation can be outsourced successfully, and a newly merged security organisation will take time to be made efficient and effective.
It’s also important to set the right tone for the wider organisation. From the moment M&A talks become public until after the close, staff will be nervous, which creates some unfortunate security risks. For example, developers might be tempted to take pieces of code to their next assignment, or salespeople might copy just a few key contacts from the customer database; small amounts of data loss add up. This insider threat is very real – both from unwitting and from malicious actors who, at the extreme end of the scale, can be a threat to systems, with countless examples of departing employees resorting to sabotage.
A cautionary tale
Irrespective of the circumstances, organisational integration can be problematic and risky. My own experience might help to illustrate this point: prior to my current role, I led the integration of Lehman Brothers into Barclays.
On the first day I was greeted with an organisation that had stopped trading. My company had acquired the US assets of the organisation and there was an expectation that someone else would acquire assets from other jurisdictions. You might think that integrating a non-trading organisation would be simpler. It’s not. I remember standing in front of the Barclays Capital executive team at the end of the first week, explaining that I couldn’t stop ex-Lehman employees from stealing or deleting data. I could, however, stop them from accessing Barclays data and instead we should consider the Lehman network toxic. It rather stunned them, but they understood what I was saying.
This allowed us to put plans into action quickly. Within a week we had isolated users into three groups: those who had accepted an employment offer, those who had yet to accept an offer and those who would not be receiving an offer. We had the bank trading again and using the Barclays settlement systems, and we were able to move at speed, primarily because people were involved on both sides of the deal. This story underlines the point that winning the hearts and minds of a demoralised acquired target is key to a successful integration phase. Equally important is early integration, which is key to long-term success: the longer an organisation remains autonomous, the harder it will be to realise the drivers behind the M&A.
The bottom line is that M&A can be a tricky process to get right, especially when you add the complexities of cybersecurity into the mix. It only takes one slip for something to go wrong and a breach to occur, so due diligence from the very start is critical. A strong CISO with a clear plan can make all the difference – they should be involved from the outset in any M&A process.