Do your homework.
The age-old mandate has newfound relevance for CISOs, given the intense pace of mergers and acquisitions (M&A) and escalating cybersecurity risks.
Global business consolidation activity is strong. Both the number of deals and their combined value through the first three quarters of 2021 surpassed the same period in each of the past three years, according to S&P Global.
CISOs in highly acquisitive companies have an obligation to provide cybersecurity risk insights throughout the M&A lifecycle. Generally, CISOs should be poised to contribute to pre-close, close and post-close processes to help uncover any potential cybersecurity risks associated with the acquisition.
A general best practice for CISOs is to understand their M&A role, know which aspects of a prospective merger or acquisition are most important to assess, and recognize the pitfalls that commonly surface during the M&A process.
Know your role
The CISO’s contributions to M&A endeavors vary by industry and organization. Within acquisitive companies with mature information security programs, CISOs may serve key roles by identifying existing cybersecurity risks, understanding any potential compromises to the acquired company’s intellectual property (IP) and identifying opportunities to build upon existing cyber risk management practices. When financial due diligence is underway with an acquisition target, the CISO may be enlisted to provide comprehensive due diligence and confirm the current cyber governance of the prospective acquisition.
Due diligence typically involves the CISO conducting an information security assessment of potential technology-related synergies, identifying relevant security and compliance risks, and beginning to develop a business plan for mitigating those risks (ideally one that includes time and cost estimates of the remediation). These assessments may include reviews of access controls, incident response processes, regulatory compliance processes and other foundational components of the information security program. The most important security risks identified during the pre-close assessment should be logged in dashboards of open risks that the M&A team will manage and monitor throughout most of the M&A lifecycle.
The teams assigned to perform this due diligence also tend to assess a target organization’s “technical debt,” which is the cost and magnitude of additional rework caused by choosing technology solutions that are less complicated to implement over the short term instead of the best overall solution for the long term. As an organization makes these decisions, and as technology continues to evolve, the cumulative effect of layers upon layers of code and architectural approaches can result in an amount of technical debt that stifles the company’s ability to innovate and compete. Technical debt can also accrue when an organization implemented the best cyber risk management solution available at the time, only for that solution to become a liability as the technology and the threat landscape moved on.
Even modest technical debt can pose cybersecurity risks. When that debt climbs too high, it can reduce the deal’s overall value by adding to the post-acquisition integration time and cost. That’s why leading CISOs invest the time and expertise needed to assign dollar values to technical debt and other M&A-related information security risks through a Cyber Risk Quantification (CRQ) model or similar methodology.
As CISOs continue to expand and refine their M&A role, we’ve recently observed several activities emerge as priorities, including a growing push to quantify a deal’s information security risks in dollar terms. This math covers the risk exposure, including potential losses related to data breaches and/or compliance violations, as well as the cost of fixing those issues. Other recent changes to the CISO’s M&A role include increased collaboration with business partners from other functions (e.g., compliance, HR and internal audit) and a focus on regulatory compliance risks and capabilities.
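The following is an added example of the dollar-based quantification described above; it is not code from the original article or from any named CRQ product. It assumes a FAIR-style Monte Carlo model (a choice made here, not one the article specifies): for each risk on the pre-close register, the number of loss events per year is Poisson with a rate drawn from a minimum/most-likely/maximum estimate, and each event costs a dollar amount drawn from a second such estimate. Expected annual loss over a deal horizon is then compared with the one-time remediation cost to decide whether a risk is worth fixing or should simply be priced into the deal. The risk entries, dollar figures and frequencies are constructed sample data.

```python
"""Monte Carlo cyber risk quantification for an M&A risk register.

Added example; assumes a FAIR-style model (Poisson event count per year,
triangular estimates for event rate and per-event loss). All risk entries
are constructed sample data, not figures from any real deal.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    freq_min: float          # loss events per year: low, most likely, high
    freq_mode: float
    freq_max: float
    loss_min: float          # dollars per event: low, most likely, high
    loss_mode: float
    loss_max: float
    remediation_cost: float  # one-time cost to fix (pre- or post-close)


def _poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates in a register."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(risk: Risk, years: int, rng: random.Random) -> List[float]:
    """One simulated total loss (dollars) for each simulated year of one risk."""
    out = []
    for _ in range(years):
        rate = rng.triangular(risk.freq_min, risk.freq_max, risk.freq_mode)
        events = _poisson(rate, rng)
        out.append(sum(rng.triangular(risk.loss_min, risk.loss_max, risk.loss_mode)
                       for _ in range(events)))
    return out


def quantify(risks: List[Risk], years: int = 10_000,
             horizon_years: int = 3, seed: int = 1) -> List[Dict]:
    """Expected and 90th-percentile annual loss per risk, plus a fix-or-carry call.

    A risk is recommended for remediation when its expected loss over the
    deal horizon exceeds the one-time cost of fixing it.
    """
    rng = random.Random(seed)  # fixed seed: re-running the register is reproducible
    rows = []
    for r in risks:
        losses = simulate_annual_losses(r, years, rng)
        mean = statistics.fmean(losses)
        p90 = statistics.quantiles(losses, n=10)[-1]
        exposure = mean * horizon_years
        rows.append({
            "name": r.name,
            "expected_annual_loss": mean,
            "p90_annual_loss": p90,
            "horizon_exposure": exposure,
            "remediation_cost": r.remediation_cost,
            "recommendation": "remediate" if r.remediation_cost < exposure else "carry",
        })
    return rows


def summarize(rows: List[Dict]) -> Dict[str, float]:
    """Totals the M&A team would carry on its open-risk dashboard."""
    return {
        "expected_annual_loss": sum(r["expected_annual_loss"] for r in rows),
        "recommended_remediation_spend": sum(
            r["remediation_cost"] for r in rows if r["recommendation"] == "remediate"),
    }


# Constructed sample register for a hypothetical acquisition target.
RISKS = [
    Risk("Internet-facing web servers past end-of-support", 0.2, 0.5, 1.5,
         50_000, 400_000, 3_000_000, remediation_cost=250_000),
    Risk("No GDPR record of processing / breach-notification process", 0.05, 0.1, 0.3,
         100_000, 1_000_000, 10_000_000, remediation_cost=120_000),
    Risk("Shared admin credentials in the customer cloud tenant", 0.3, 1.0, 3.0,
         20_000, 150_000, 1_000_000, remediation_cost=40_000),
]

if __name__ == "__main__":
    rows = quantify(RISKS)
    for row in rows:
        print(f"{row['name']}: E[loss/yr]=${row['expected_annual_loss']:,.0f} "
              f"P90=${row['p90_annual_loss']:,.0f} fix=${row['remediation_cost']:,.0f} "
              f"-> {row['recommendation']}")
    print(summarize(rows))
```

The triangular estimates are what a due-diligence interview actually yields (a low, likely and high guess from the target's engineers), which is why the model takes ranges rather than point values; the P90 column is the figure to quote when negotiating an escrow or purchase-price adjustment, since the mean understates tail events such as a regulatory fine.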
Know where to look
As information security teams examine the organization being purchased, the following areas warrant thorough consideration:
- Regulatory compliance processes and capabilities: Data security and privacy regulations continue to multiply, yet many organizations (especially small to mid-sized companies that were not previously subject to these rules) have yet to develop formal compliance policies, processes and capabilities. Companies newly subject to GDPR, the New York State Department of Financial Services (NYDFS) cybersecurity rules and similar regulations may have deferred building a compliance function, or may lack the internal structure needed to run one in an effective, efficient and repeatable manner.
- The age of technology infrastructure: Some organizations have technology infrastructure that is nearing, or has surpassed, its end-of-support juncture. Aging technology can lead to unwelcome surprises and increased risk if the deal closes without proper transparency into the current state of the environment.
- Cloud compatibility: Many companies of all sizes have also made significant investments in new technologies, especially cloud-based infrastructure and systems. Integrating different cloud environments adds complexity to the post-close integration and can give rise to its own security risks.
Know what to avoid
Several common pitfalls frequently arise during the post-merger integration, and many of these issues can be uncovered and eliminated before the deal closes. These include:
- A lack of in-depth understanding: The most common oversight is straightforward and extremely detrimental: a failure to sufficiently examine and understand the information security environment of the target organization. Too often, post-integration teams start their work and then quickly realize that the real-world technology and information security environment inside the acquired company is markedly different than what they anticipated based on due diligence assessments and documentation. Examples of these unanticipated shortcomings may include hardware and software systems that are closer to end-of-life than expected, or externally facing websites not being properly monitored from a security perspective.
- Disparate control environments: When two companies merge, one of them typically has a stronger internal controls environment than the other. If this gap is substantial, the better-controlled environment can be undermined unless safeguards are put in place for the duration of the integration. In other cases, the two organizations may espouse fundamentally different security philosophies; for example, one might standardize on a single, uniform set of controls while the other deliberately diversifies its tooling. These gulfs can also pose security risks.
- Knowledge drain: In some situations, valuable information security knowledge within the acquired company is not well documented. That undocumented knowledge can be lost when employees are terminated as part of rationalization efforts or leave on their own accord. That brain drain can weaken information security efficacy.
- Internal communications breakdowns: Communications among information security groups, IT teams and other cybersecurity stakeholders are crucial to the post-close integration effort, and they also tend to need significant improvement. Striking the right balance between speed and security in the integration requires frequent and collaborative security-related discussion and decision-making among these stakeholder groups.
By clarifying their M&A role, knowing what risks to zero in on and getting an early read on common hindrances, well-informed CISOs will position their companies for M&A success.