
Three steps to secure an organization during mergers and acquisitions


Since 2000, more than 790,000 merger and acquisition (M&A) deals have been announced worldwide, representing a value of more than $57 trillion. While these expansions and transitions create great business opportunities, they also present unique risk: undetected vulnerabilities can be exposed and exploited by threat actors as organizations come together.

Simply put, as the new business grows, so does the threat landscape and hacker attention to that business, which means you need to be prepared!

Impact of cybersecurity reviews

To combat the risk associated with these volatile transformations, organizations are now performing cybersecurity due diligence and threat intelligence early in the M&A process. This greatly reduces the chances of threats becoming reality once deals are made and systems are merged.

The review process should never be overlooked, as skipping it can have fatal consequences. In 2016, for example, Verizon was to acquire Yahoo! in a deal worth $4.8 billion. However, after entering into the acquisition agreement, Verizon discovered two major data breaches at Yahoo!. In response, Yahoo! granted a $350 million discount on the transaction, and it also had to pay $80 million to settle shareholder lawsuits. This is just one example of how costly insufficient or absent cybersecurity due diligence before day 1 of an acquisition can be.

How can organizations create a playbook for ensuring strong cybersecurity during mergers and acquisitions?

1. Assess cybersecurity posture

Before the deal is publicly announced, organizations should assess the cybersecurity situation to ensure full transparency of each company’s cyber processes and assets, and then identify potential security vulnerabilities. Often it is not possible to quickly gain visibility into the business to be acquired, because the two companies are still separate entities, which is why companies use threat intelligence to support this activity.

This threat-centric approach is most valuable when applied early in the M&A process, so that vulnerabilities and gaps are identified before moving to the next stage of the transaction. A common approach to developing a cybersecurity baseline is to use the NIST Cybersecurity Framework. This industry-recognized framework aims to give a clearer understanding of how to manage and mitigate security vulnerabilities, and it provides best practices for protecting networks and data.

2. Align operating models and identify critical risks

Once the deal is announced, also known as Day 1, the second stage of the merger begins, and organizations must identify and assess their current operating models. This alignment is essential to ensure that the new business is well prepared and fit for purpose. Synergies, redundancies, priority programs and critical risks are identified.

After day one, security professionals should look for any security vulnerabilities or exposures and work to fix them. Organizations should then perform a security maturity diagnostic to re-examine the effectiveness of operations. Finally, threat detection and response diagnostic tests should examine the technology used by the business and the security team. This assurance work is essential after day one to assess and prepare the new company.

3. Assurance of the new company

The final step is to transition and integrate the new company into the acquiring company’s operating model, with the key being alignment with, and transition to, the acquirer’s MDR/MSS (managed detection and response / managed security services) solution. In addition, the organization should develop incident response plans and conduct table-top exercises with the new company’s leadership and board of directors to test operational effectiveness and build collaboration and understanding.

Finally, organizations should remember to audit the supply chain of the acquisition target to establish a final cybersecurity baseline covering its high-risk vendors. Finding these vulnerabilities and assessing vendors on their cyber capabilities and processes often requires the support of technology to provide visibility.

Maintain security over the long term

As cybercrime has reached an all-time high during the pandemic, mergers and acquisitions continue to be high-risk ventures that cost billions of dollars and damage corporate reputations. Long-term efforts to secure this process are worth the extra steps needed to mitigate future security issues.

When combining two companies’ security processes, many parts go unconsolidated, leaving undetected vulnerabilities exposed, so the collaboration should begin before Day 1 to better prepare both companies. With early due diligence, risks are reduced and security professionals have better visibility into both companies. Implementing this three-step method will combat the risks associated with these sensitive times and set the new business up for success in the future.