Maximising the cybersecurity of mergers and acquisitions

By Stephen Gailey, Head of Solutions Architecture at Exabeam

A market worth well in excess of $100 billion a year globally, cybersecurity has become one of the most urgent issues on the corporate agenda.  This is good news, and organisations are becoming better attuned to the threats they face and the controls on data and services they need to implement.  There remain, however, some serious gaps in the capabilities of businesses to deal with specific niche risks, one of the most dangerous being the vulnerabilities presented by merger and acquisition (M&A) activity.

M&A is a complex process with many issues to contend with, and as a result information security can fall by the wayside while a deal is under way.  But cybersecurity should be included from the due diligence stage, with undisclosed breaches the first danger to look out for, as they can harbour huge hidden liabilities, whether they have been discovered or not.

A good starting point is to look closely at the information and cyber security organisation of the business being acquired, because buying a company with poor security can be a huge headache.  The resultant problems of taking on a business with sub-optimal processes and controls can take years to remedy – a problem exacerbated for most organisations who do not allocate budget for closing serious security gaps immediately after a deal closes.

A case in point is Marriott’s now infamous acquisition of Starwood.  Marriott’s shares dropped almost 7% after the Starwood breach was uncovered, which forced a significant out-of-budget spend to address the problems inherited with the Starwood acquisition.  Adding insult to injury, a £99 million GDPR penalty was levied once the Information Commissioner’s Office (ICO) concluded its investigation.

Getting the foundations right 

There are huge benefits to be gained during M&A by enabling the security teams to get involved quickly to establish a solid foundation for the short and long-term future.  For instance, the businesses involved in a merger or acquisition can often have very different approaches to security – a successful deal needs a strong chief information security officer (CISO) to bring the two teams together and avoid infighting.

When the deal is finalised, the security team should be prioritised for integration first.  Failure to get this right can have a disproportionate impact on the success of the post-close consolidation project.  For example, poorly documented tools or processes can be made worse by the loss of critical people during the integration phase.  In particular, issues such as expiring certificates can halt a web-based business or prevent vital remote access.  Similarly, licensing can be a particular challenge, as there are often break clauses in contracts.  But these situations can be managed by negotiating with vendors, because bigger and more cost-effective deals are good for both sides.  It’s also wise to take the opportunity to look at alternatives.  Be particularly cautious about outsourcing: only a well-run organisation can be outsourced successfully, and a newly merged security organisation will take time to be made efficient and effective.

It’s also important to set the right tone for the wider organisation.  From the moment M&A talks become public until after the close, staff will be nervous, which creates some unfortunate security risks.  For example, developers might be tempted to take pieces of code to their next assignment, or salespeople might copy just a few key contacts from the customer database; small amounts of data loss add up.  This insider threat is very real, from both unwitting and malicious actors, who, at the extreme end of the scale, can be a threat to systems: there are countless examples of departing employees resorting to sabotage.

A cautionary tale

Irrespective of the circumstances, organisational integration can be problematic and risky.  My own personal experience might help to illustrate this point; prior to my current role, I led the integration of Lehman Brothers into Barclays.

On the first day I was greeted with an organisation that had stopped trading.  My company had acquired the US assets of the organisation and there was an expectation that someone else would acquire assets from other jurisdictions.  You might think that integrating a non-trading organisation would be simpler.  It’s not.  I remember standing in front of the Barclays Capital executive team at the end of the first week, explaining that I couldn’t stop ex-Lehman employees from stealing or deleting data.  I could, however, stop them from accessing Barclays data and instead we should consider the Lehman network toxic.  It rather stunned them, but they understood what I was saying.

This allowed us to put plans into action quickly.  Within a week we had isolated users into three groups: those who had accepted an employment offer, those who had yet to accept an offer and those who would not be receiving an offer.  We had the bank trading again and using the Barclays settlement systems and were able to move at speed, primarily because people were involved on both sides of the deal.  This story underlines the point that winning the hearts and minds of a demoralised acquired target is key to a successful integration phase.  Equally important is the issue of early integration, which is key to long-term success.  The longer an organisation remains autonomous, the harder it will be to realise those M&A drivers.

The bottom line is that M&A can be a tricky process to get right, especially when you add the complexities of cybersecurity into the mix.  It only takes one slip for something to go wrong and a breach to occur, so due diligence from the very start is critical.  A strong CISO with a clear plan can make all the difference – they should be involved from the outset in any M&A process.
