How to manage the cyber risks involved in M&A

(Image credit: NakoPhotography / Shutterstock)

Global mergers and acquisitions show no sign of slowing down. In the first half of 2017, deals worth $678.5 billion took place, up nearly 9 percent from the same period last year. Mega-deals over $10 billion in value reached record heights and total deal values are at their best since the financial crisis in 2008. This is good news for dealmakers, of course.

Yet many M&A deals fail to live up to their promise, with organisations struggling to manage the cultural and technological challenges associated with these deals. The landscape is littered with unsuccessful mergers and acquisitions, companies that did not heed obvious risks that, in retrospect, were avoidable. Rather, dealmakers focused on the benefits of the transaction, such as prospects for a larger market share, competitive advantages, reduced costs, increased efficiencies, and more diversified products and services.

While the opportunities need to be at the forefront of any deal, organisations also need to focus on the potential risks if they want to realise these opportunities. One such risk is the threat of cyber attacks. Once a deal closes and the two companies begin to integrate their operations and systems, their cyber risks increase—dramatically in many cases. Indeed, the integration phase is when the “crown jewels” of both parties are most vulnerable to a cyber attack.

Enabling data flow opens up endpoints 

As the buyer and the seller commence the process of combining hundreds of systems and applications, their respective data at the intersection points of the transfer are exposed to an attack. The reason is the need to temporarily remove the filters at these endpoints so data can flow from one system to another. A gaping security hole is pried open, one that hackers can easily exploit.   

Once inside the network, hackers can access sensitive, proprietary data about each entity’s operations, financial status and future plans. This data can be leveraged to extort a ransom from the combined company—if it doesn't pay up, the confidential information will be leaked to competitors and the public, damaging the reputation of the business and potentially derailing the merger’s hoped-for benefits. 

Cyber threats abound across the M&A post-transaction integration terrain. It’s likely that each entity will have different IT policies, cyber security standards and controls, and different procedures with regard to how it collects, uses, transmits, stores, and shares personal information and other categories of data. These differences make it difficult to ensure proper steps are taken to integrate the companies’ systems and applications, increasing the combined organisation’s vulnerability to a cyber attack.    

Mitigating employee and partner vulnerabilities 

A related threat is the possibility that employees from the company with weaker cyber security standards and controls may do risky things that the other company’s employees are explicitly forbidden to do—like open an attachment in an email that looks suspicious. Phishing attacks tend to increase during the systems integration phase of a merger or acquisition because hackers are aware that each party will be using its current email system until they’re integrated. Hackers realise that it’s difficult for an employee at former Company A to discern if an email with an attachment from a senior executive at former Company B is the real thing, making them more likely to click on an infected attachment.

Cybersecurity education is crucial at all companies, and not just when systems are vulnerable. Prior to an acquisition, employees need to know what is expected of them and most importantly how to ensure they aren’t the weakest link in the security chain. Merging two companies, both culturally and technologically, is challenging enough without adding a potential breach to the mix. 

Another post-transaction cyber risk is the cyber security standards of third-party vendors. Often, the buyer will retain an IT consulting firm to assist with the systems integration. Since the firm will be inside the corporate perimeter, it’s critical that its cyber security policies and procedures are as robust as, if not more so than, those of the organisation itself. Otherwise, the firm can be an entry point for hackers to access both transacting parties’ data, as the massive breach of Target underscored. The entry point for the hackers was the retailer’s third-party heating, ventilation and air-conditioning vendor.

The scale of cloud 

Yet another risk has to do with the sheer number of IT systems and cloud applications in use by companies today, making the process of integration more complicated. These days it’s not uncommon for a company to have inked partnerships with more than a hundred different cloud providers. When two organisations combine, integrating all the applications, systems and other sources of data consumes an inordinate amount of time. It now takes longer for the combined organisation to realise the perceived benefits of the transaction, increasing the opportunity for competitors to seize market share.

Obviously, there is a need for data integrations to occur quickly and seamlessly, minimising the time in which the oceans of data flow from one system to another, from one application to another. Many companies are still struggling to integrate the data they hold in various systems within one company, so when two are involved they need to take a very process-driven approach, not only to ensure that security isn’t compromised but also to make the most of the data.

Best practices include identifying all the data assets that need to be transferred first, and then determining the specific data standards, policies and processes that will be used to conduct the transfer. Rather than transferring all the data at once, consider a piecemeal approach in which different data sets are prioritised for transfer at different times. Data that is not destined for transfer should be immediately destroyed.   

Lastly, invest in integration tools that make it fast and easy to connect applications and different sources of data. Legacy technology requiring teams of developers to handcraft integration software on an as-needed basis is no way to address today’s rapidly expanding universe of cloud applications. As the Internet of Things (IoT) takes off, integrating all the Big Data that will emerge requires a much faster solution.

Companies undergoing a merger or acquisition need to find a fast and easy way to integrate data and applications. They need a single platform with which users can rapidly connect diverse systems and applications at their vulnerable intersection points, narrowing the window of opportunity for hackers to attack.

Those undertaking a merger have enough to manage in order to turn the transaction into a success without also having to manage a data breach. By ensuring data transfers are closely managed so they can flow at enterprise speed, the pace of post-transaction integrations is accelerated. In turn, this helps dealmakers to realise the perceived value of the merger or acquisition at a much quicker rate—adding up to a rare win, win, win.

Diletta D’Onofrio, Head of Digital Transformation at SnapLogic 

Diletta D’Onofrio is the head of digital transformation at SnapLogic, a Silicon Valley-based software provider of Integration Platform as a Service tools for connecting cloud data sources, SaaS applications and on-premises business software applications.