In mergers and acquisitions (M&A), integration of cybersecurity between the two companies not only needs to happen: it should begin with an agile interim plan that provides the necessary access for employees and restricts data completely wherever it’s not needed.

The change inevitable in a post-deal situation makes the new company a ripe target for cyber criminals, who often capitalize on the security vulnerabilities that can arise during system implementations, lack of clarity or governance, and employees who may be anxious about losing their jobs. How does a smart, strategic CIO circle the wagons and fortify his or her data?

Last time, we looked at the importance of rigorous cybersecurity assessment during the due diligence phase of acquisitions. There we saw that preparation — getting ahead of the game — is the key to success. The same is true for integration.

When companies integrate, they need to reconcile all of their separate components as part of their 100-day plan for integration: not only different enterprise resource planning (ERP), human resources (HR) and other systems, but also how security is managed cohesively across the two legacy companies, including governance, processes, resources and systems. In some cases, a company will simply allow an acquisition to keep running its own systems, but this is only rarely the more practical course. To keep data safe, a buyer’s first task is almost invariably the normalization of divergent security systems.

“The watchwords of successful cybersecurity integration are organization and rationalization,” says Micky Houston, Deal Advisory’s Information Technology lead at KPMG. “This is essential not only to keep intruders at bay, but is also relevant from a cultural perspective as well.
An immediate and concerted effort to normalize processes is key — you need to be able to offer executives a thoughtful, well-articulated strategy beforehand.”

That integration strategy generally involves two phases: interim integration and long-term integration. Acquisitions often occur more quickly than new security protocols evolve, so a successful integration tends to begin with a strong interim plan. Over time, as the two entities coalesce into a whole, a long-term strategy emerges.

An effective interim plan begins with a more holistic look at cyber from the perspective of the newly merged entity. This includes changes to processes, resources, technology and governance that can impact the availability or confidentiality of sensitive data. Because this is a temporary, transitional stage, the goal is not to establish a permanent solution, but to assess cyber maturity across the newly merged organization and from that drive a prioritized approach to cyber risk management. As with other risk mitigation, higher-risk and quick-hit areas should be prioritized and interim controls established, including structured employee access, while a more detailed and comprehensive strategy and road map is built and actioned in parallel.

“At all times during the early stages of integration,” Houston says, “it’s vital to know who needs access to what information, and why. On one hand, employees need to be able to carry out their work; but on the other, every precaution has to be taken to make sure that neither bad actors nor carelessness result in a security breach, which can be devastating.”

Some of the key issues that need to be tackled for the long-term plan include developing a security strategy, creating a data governance system, and assigning a management team. Key to this plan is a clear top-down message and strategy on what is to be implemented, protected and invested in, so that all employees are on the same page as it pertains to cybersecurity.
And where most companies fail in this implementation is in stopping at the management message. Continued training of all employees on the risks associated with data sharing, third parties and cyber protections will reinforce the new culture equipped to defend itself against bad actors.

As the integration progresses, the integration team also needs to put a targeted review in place to monitor the cybersecurity of the merged entity on an established schedule. Depending on the industry and the cybersecurity risks, the merged entity might want to develop an automated continuous monitoring system that can evaluate any risks on a real-time basis.

Due diligence should ensure that there is a plan to make sure such cybersecurity prerequisites are met from the first moment of the integration process. Integration should begin with an agile interim plan that provides the necessary access for employees and restricts data completely wherever it’s not needed.