What to expect when you're expecting (Mergers and Acquisitions)
Updated: May 15, 2018
Having been on both ends of Mergers and Acquisitions, I'd like to share a few anecdotes and learnings that I have picked up throughout what can be a compressed-timeframe, high-pressure activity.
At the outset of this type of activity, most organisations understand the need to protect the sensitive information of all parties, as well as to be able to trust the integrity of information being gathered, exchanged or assessed. Anyone who has purchased a used car, however, knows that all that glitters is not gold.
Let's start with a big question: has customer data been exposed or compromised?
This is an important question as this could have a profound impact on the asset / brand value, customer goodwill, 3rd party liability, legal and regulatory issues, insurance headaches, remediation costs (and time) just to name a few.
So how would we know? Well, in some cases a quick Google search can reveal a multitude of sins, but for a deeper dive, use a combination of Open Source Intelligence (OSINT), examination of security assessment audits and reports (penetration tests, vulnerability assessments), and review of the information security and technology incident and risk registers.
Other good indicators of the security health of an organisation could include:
The presence of a skilled security leader (CISO, Security Manager), evidence of management support for security, and the attrition rate of security personnel (high turnover may indicate a security counter-culture).
Examination of policies and standards (with particular attention to Vulnerability and Patch Management, Access Control, Security Monitoring and Incident Response).
Examination of Security Education and Awareness Programmes to determine whether the organisation is following a primarily Compliance Based or Risk Based approach to managing security.
Evidence of compliance with standards such as ISO 27001 or PCI DSS, noting however that the security measures in PCI DSS may relate only to the systems and processes which handle credit card data.
As it can sometimes be impractical (or impossible) to perform an independent, comprehensive assessment, an acquirer should ultimately consider a 'trust but verify' approach when assessing risk, and confirm that the security personnel involved stand behind the information provided.
Increased media attention associated with M&A activity can also, unfortunately, mean that an organisation suddenly appears on the radar of cyber attackers and other criminals. This, in addition to the new threat model that naturally follows (assuming the M&A proceeds), means that many controls which may have been adequate for the acquired organisation may need to change as a result of the changed threat and risk profile.
As a result we should, in addition to the current or transitional risk profile, consider what the new risk profile may need to include.
Another question is: who is the organisation doing business with, and are they at risk of compromise?
The following can assist in getting a better understanding of what supply chain and 3rd party risks may be present:
Identification of key vendor and partner relationships, and OSINT analysis of these organisations (e.g. if the organisation's data has been shared with, or exposed to, a 3rd party with questionable security, then this could be a source of compromise).
Examination of commercial contracts and agreements with attention to security clauses, as well as the governance processes around how these are assessed and maintained (e.g. never done, only once at the beginning of a relationship, or ongoing and regularly updated).
Other, more subjective questions centre around size and complexity, the logic being that it is harder to secure a larger, more complex environment.
When an organisation has obtained every conceivable security product, but the value of these is not truly or adequately realised (benefits realisation evidence on security, compliance and risk management projects is often a dead giveaway), I often recall two phrases (one of which was applied to me when learning to play golf):
"All the gear but no idea."
"A fool with a tool is still a fool."
A great indicator here is to obtain a list of security controls, the perceived organisational value of each, the cost of the control, and the projected ROI and lifespan of the control. Armed with this information, correlate these against the risk register to determine, based on the perceived rating (or value) of each risk, whether there are risks which:
Are uncontrolled (have no control(s) against them, or only controls deemed ineffective).
Are excessive (i.e. the cost of the control massively outweighs the risk).
Are inadequate (i.e. the control does not actually reduce the risk).
Conversely, are there controls in place (sometimes referred to as "vendor lunch" controls) for which no risk actually exists?
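To make that correlation concrete, here is an added worked example in Python (not code from the original article): it joins a constructed risk register against a constructed control list and flags the four categories above. The risk values, control costs and reduction figures are constructed sample data, and the thresholds INEFFECTIVE_THRESHOLD and EXCESS_FACTOR are assumptions that an organisation would set for itself.

```python
"""Correlate a control list against a risk register (constructed example)."""

# Constructed sample risk register. "value" is the organisation's perceived
# annualised value of the risk (arbitrary currency units), not real data.
RISKS = {
    "R1": {"description": "Customer database exposed via unpatched web app", "value": 500_000},
    "R2": {"description": "Laptop theft with unencrypted disk", "value": 50_000},
    "R3": {"description": "Phishing leads to credential theft", "value": 200_000},
    "R4": {"description": "Guest Wi-Fi abuse", "value": 2_000},
}

# Constructed control list: the risk ids each control claims to address, its
# annual cost, and the assessed fraction by which it reduces the risk value.
CONTROLS = [
    {"id": "C1", "name": "Patch management", "risks": ["R1"], "cost": 40_000, "reduction": 0.7},
    {"id": "C2", "name": "Full-disk encryption", "risks": ["R2"], "cost": 5_000, "reduction": 0.9},
    {"id": "C3", "name": "Email security gateway", "risks": ["R3"], "cost": 30_000, "reduction": 0.0},
    {"id": "C4", "name": "Dedicated Wi-Fi IPS appliance", "risks": ["R4"], "cost": 25_000, "reduction": 0.8},
    {"id": "C5", "name": "Deception platform", "risks": ["R9"], "cost": 60_000, "reduction": 0.5},
]

# Assumed thresholds: a control reducing a risk by less than 10% is treated as
# ineffective; a control costing more than 2x the risk value it addresses is
# treated as excessive.
INEFFECTIVE_THRESHOLD = 0.1
EXCESS_FACTOR = 2.0


def addressed_value(control, risks=RISKS):
    """Total register value of the risks a control actually maps to."""
    return sum(risks[r]["value"] for r in control["risks"] if r in risks)


def uncontrolled_risks(risks=RISKS, controls=CONTROLS):
    """Risks with no control, or only controls below the effectiveness threshold."""
    return [
        rid for rid in risks
        if not any(rid in c["risks"] and c["reduction"] >= INEFFECTIVE_THRESHOLD for c in controls)
    ]


def inadequate_controls(controls=CONTROLS):
    """Controls that do not meaningfully reduce the risk they claim to address."""
    return [c["id"] for c in controls if c["reduction"] < INEFFECTIVE_THRESHOLD]


def excessive_controls(risks=RISKS, controls=CONTROLS):
    """Controls whose cost massively outweighs the value of the risks they address."""
    out = []
    for c in controls:
        value = addressed_value(c, risks)
        if value > 0 and c["cost"] > EXCESS_FACTOR * value:
            out.append(c["id"])
    return out


def orphan_controls(risks=RISKS, controls=CONTROLS):
    """'Vendor lunch' controls: none of the risks they cite exist in the register."""
    return [c["id"] for c in controls if not any(r in risks for r in c["risks"])]


def correlation_report(risks=RISKS, controls=CONTROLS):
    """Bundle the four findings for review alongside the risk register."""
    return {
        "uncontrolled_risks": uncontrolled_risks(risks, controls),
        "inadequate_controls": inadequate_controls(controls),
        "excessive_controls": excessive_controls(risks, controls),
        "orphan_controls": orphan_controls(risks, controls),
    }


if __name__ == "__main__":
    for finding, ids in correlation_report().items():
        print(f"{finding}: {', '.join(ids) or 'none'}")
```

On the constructed data the report flags R3 as uncontrolled (its only control, C3, is assessed as ineffective), C3 as inadequate, C4 as excessive (a 25,000 control against a 2,000 risk) and C5 as orphaned (it cites a risk that is not in the register). In a real review the value, cost and reduction fields would come from the acquired organisation's own register and control inventory, and the thresholds would be agreed with its risk owners.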
If you would like technology-independent security experience to support your next M&A activity, contact us.
Author: Clinton Smith