A robust security posture should be a strategic goal regardless of the size and nature of a business. However, there are certain stages in a company’s life when it is particularly vulnerable.
For example, high-growth startups often double down on their IT security measures just before raising funding. Similarly, enterprises take data security risks more seriously whenever new regulations are legislated.
The stage where organizations are probably at the highest risk of security breaches is during and after mergers and acquisitions. M&As are notoriously tricky for all departments, but they create a new level of complexity for cybersecurity. According to an IBM survey, 33% of executives experienced data breaches due to M&A activity.
Inheriting Bigger Attack Surface
In mergers and acquisitions, organizations inherit not just assets and expertise but also risks. New tools, procedures, and personnel increase the risk of cybersecurity threats and data leaks. This is especially critical when acquiring new cloud/on-prem environments.
M&As also expand user data repositories, which means organizations might also become subject to new data security regulations. For example, if the M&A target holds data on European users, then the acquiring organization needs to ensure GDPR compliance.
Additionally, malicious actors are aware that organizations have a higher risk of a data breach both during and after M&A. They also know that data breaches can affect the acquisition value, making such organizations more prone to cybersecurity attacks. For example, Uber famously paid $100,000 to hackers to hide its data breach during negotiations with SoftBank, a decision later regretted by its CEO.
Security Shouldn’t Be an Afterthought
In most M&As, the focus is on value creation, causing security to take a backseat. Many organizations perform a comprehensive security assessment towards the end of the M&A process rather than its beginning.
There are several benefits to factoring in security early on in the acquisition process:
- The M&A target’s security posture will help evaluate deal value. For example, if you know that post-acquisition, you’ll need to spend money on getting the proper certifications, compliance, training, and tools, you can factor that cost into the purchase.
- Undisclosed data breaches can jeopardize acquisitions. According to a report by Forescout, 73% of respondents feel that a company with an undisclosed data breach is an immediate deal-breaker in M&A strategy.
- A strong security posture is an excellent reflection of a company’s commitment to serving its customers. It indicates that the company’s development operations have reached a certain level of maturity. This can be vital information while screening targets for M&A.
- It’s cheaper. During the integration stage, implementing recommendations from the assessment can require painful restructuring. On the other hand, thinking about security early in the M&A process lets you structure the M&A around cybersecurity best practices.
Security is never a single step in the process. By crafting the entire M&A process with a security mindset, organizations can reduce cost and reputational risk.
Unavoidable Tactical Vulnerabilities
Despite everyone’s best efforts, due to the sheer scope of M&A projects, there will be some unforeseen security vulnerabilities post-integration. By focusing on cybersecurity, organizations can nip these vulnerabilities in the bud before they cause massive problems.
For example, after a merger, one of our clients realized that there were various legacy systems in their cloud environment without any purpose. These systems were not only draining resources but also increasing their threat surface. Additionally, a debug dump could reveal critical passwords that should have been locked down. By being cautious about post-integration security issues, they were able to avoid a major breach.
There are various ways to uncover such issues. One is threat modeling, which involves identifying system entry points to understand cybersecurity vulnerabilities and reduce the likelihood of breaches. Threat models such as PASTA, VAST, and STRIDE help you look at your security posture from the POV of the attacker, organization, and engineer, respectively.
An Overview of Security Assessment Process
Occasionally, proactively looking for tactical vulnerabilities can also provide immediate cost savings. The same client discovered that they had accidentally spun up 6 ML EC2 instances after the merger, each running at $30 an hour. By simply switching off redundant instances, they saved $4000 a day.
Fostering a Strong Security Culture
Every organization has an implicit culture that defines its approach to various strategic challenges. Cybersecurity is no different. An organization’s mindset, policies, and attitude towards its security posture are often referred to as its security culture.
It’s highly unlikely that the participants in an M&A will share the same security culture. Therefore, it becomes critical to not just fix tactical vulnerabilities but also create systems to avoid similar issues in the future.
M&As offer the perfect opportunity to ask strategic questions about the organization’s approach to its cybersecurity. What is the level of security and data privacy that needs to be achieved? Are there gaps in knowledge post-acquisition? Who is responsible for spearheading security-related initiatives? Such fundamental questions help you ensure that the entire team shares the same security culture.
Third-Party Partners
When it comes to data security, M&As don’t involve just two teams but also their partners. Organizations often share user data with third-party services to better serve their customers.
Therefore, it becomes essential to understand how the M&A target and their partners collect, process, and store user information. A Statista report stated that by 2022, the General Data Protection Regulation (GDPR) would increase acquirers’ scrutiny of the data protection policies and processes of target companies.
GDPR has increased the scrutiny of M&A targets’ data protection policies.
With new regulations and more stringent penalties on the horizon, data protection will continue to play a pivotal role in acquisitions. This would reinforce the importance of a robust cybersecurity posture in successful M&As.
As an official partner of leading technology companies like AWS, Atlassian, and GitHub, Modus Create has helped a wide range of companies upgrade their security posture. You can learn more about Modus Create’s work with Security here.
Shiv Sharma