Managing Security Risk in Mergers & Acquisitions

Every year, companies spend billions of dollars on mergers and acquisitions. (The value of worldwide M&A deals in 2014 totaled $3.5 trillion.) Managing risk throughout the process is an important element of any merger, but there's one area of risk management that hasn't had the attention it deserves.

The information security risk that a target company presents has often been overlooked during the M&A process. That appears to be changing, and there are plenty of good reasons for the about-face in how information security performance is evaluated.

Last year, the Department of Homeland Security disclosed that a "critical American manufacturing company had been infiltrated by 'multiple, sophisticated threat actors over a period of several months' using the networks of companies it had acquired in recent years."

Fin4 is a hacker group that reportedly steals insider information to profit from stock trades made just before mergers and acquisitions. The attackers "use Wall Street language to convince industry professionals that its communications are legitimate."

Here are a few tips companies can follow to improve their information security due diligence efforts during an M&A deal.

  1. Configuration comes first. Before delving into network issues, verify that the organization is following basic configuration hygiene: Does the potential acquisition have a properly configured SPF record? Do their domains have valid SSL certificates? Are they vulnerable to the Heartbleed bug? These important questions can reveal basic problems that may indicate much bigger issues under the surface.

  2. Test & assess the network. Evaluate policies, procedures and technology to determine how seriously the target company has taken data security. Know where the company holds valuable information and how they are protecting it. What protections are in place to defend against an attack? What have they done to prevent future incidents? What is lurking in their network today? What level of risk has been outsourced and what are they insured against?

  3. Look at past performance. Is the company more or less secure than it was this time last year? What factors are impacting effectiveness and can it be improved? The addition of historical performance data, as well as information about specific threats, incident response times and configuration details can provide context for the acquiring company about the overall security health of the organization.

  4. Compare against peers. When looking at a potential acquisition, what can their industry and peers tell you about their general security performance? For one, it can immediately demonstrate whether they are above or below the average of similar companies when it comes to security. But perhaps even more importantly, looking at what common infections affect an industry or how long it takes peers to respond to security events can raise an important question: What security challenges face the potential acquisition and will we need to invest significant time and resources to bring them up to a reasonable level of security performance?

  5. Don't stop with the network in front of you. Look at third-party partners, suppliers, vendors and more. Because companies are only as secure as their weakest links, M&A teams need to extend their diligence into third-party networks. In an acquisition, some of these relationships may be carried over, and teams need to be sure that this component is not overlooked. It may take additional time and resources, but it's worth the extra effort to make sure you aren't buying into the next breached company.
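The first tip asks whether a target has a properly configured SPF record. The check below is an added example written for this page, not code from the original post or from any ratings vendor: it takes the TXT records published for a domain and reports the configuration problems a due-diligence reviewer would want flagged (no SPF record, more than one record, a permissive `+all`, a missing or neutral `all` term, the deprecated `ptr` mechanism, and more than the ten DNS-lookup terms RFC 7208 allows). The domain names and TXT strings are constructed so the script runs offline; in practice the same function would be fed the answers of a real DNS TXT query.

```python
import re
from typing import Dict, List

# Constructed sample TXT answers for hypothetical domains (no DNS lookups are performed).
SAMPLE_TXT_RECORDS: Dict[str, List[str]] = {
    "good.example":     ["v=spf1 mx include:_spf.mail.example -all",
                         "site-verification=abc123"],          # unrelated TXT record is ignored
    "softfail.example": ["v=spf1 a mx ~all"],
    "open.example":     ["v=spf1 +all"],
    "dup.example":      ["v=spf1 mx -all", "v=spf1 include:other.example -all"],
    "none.example":     ["site-verification=xyz789"],
    "lookups.example":  ["v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all"],
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

SPF_VERSION = re.compile(r"v=spf1(\s|$)", re.IGNORECASE)


def spf_records(txt_records: List[str]) -> List[str]:
    """Return only the TXT strings that are SPF version-1 records."""
    return [r for r in txt_records if SPF_VERSION.match(r)]


def assess_spf(txt_records: List[str]) -> List[str]:
    """Return a list of findings for one domain's TXT records; an empty list means nothing flagged."""
    findings: List[str] = []
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record: any host may claim to send mail for this domain"]
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records: RFC 7208 requires exactly one (receivers treat this as permerror)")

    record = records[0]
    terms = record.split()[1:]          # drop the "v=spf1" version tag
    lookups = 0
    all_qualifier = None
    for term in terms:
        qualifier = "+"                 # the default qualifier is "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Strip ":domain", "=value" and "/cidr" suffixes to get the bare mechanism or modifier name.
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("uses the ptr mechanism (deprecated by RFC 7208; slow and unreliable)")
        if name == "all":
            all_qualifier = qualifier

    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: the limit is 10, so the record evaluates to permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders receive an implicit neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: receivers gain nothing from the record")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail: weaker than '-all'; confirm a DMARC policy compensates")
    return findings


def assess_all(records_by_domain: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Run assess_spf over every domain and return the findings keyed by domain."""
    return {domain: assess_spf(txt) for domain, txt in records_by_domain.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_TXT_RECORDS).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{domain:20s} {status}")
        for f in findings:
            print(f"    - {f}")
```

The parser only classifies the record it is given; it does not follow `include:` or `redirect=` targets, which a full evaluation would have to do, since a clean top-level record can still inherit a `+all` or exceed the lookup limit through an included domain.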

How Some Companies are Already Managing Security Risk in Mergers & Acquisitions

Strategic Mergers & Acquisitions can fuel the growth of your company, and Security Ratings can help you scale your information security accordingly. Learn more about how security ratings can fit into Mergers & Acquisitions due diligence.