Merger & acquisition processes – the security perspective

Merger & acquisition processes

the security perspective

Flavio Gerbino
by Flavio Gerbino
time to read: 13 minutes

Keypoints

  • Buy-outs and take-overs of companies are part of business development
  • Cyber security and risks are often ignored in this process
  • A penetrating view of security is nonetheless essential
  • Data protection and the need-to-know principle must be maintained
  • Failure to do so brings the weaknesses and risks of the divisions together

Systems that do not continually adapt and change face extinction. We know this from evolution, and the biotope of the company is no exception to the rule. Therefore, mergers and acquisitions (M&A) – which currently affect markets, stock exchanges and the economy with renewed force – are important factors in the economic circulatory system. It would be wrong to interpret the current wave of mergers as a game of chance played by share speculators and managers. After all, not every start-up will develop into a corporation, and these in turn do not easily become international market leaders. Larger companies also have to continually buy in products and know-how so that they can stake out and defend their position. So the principles of natural selection, the struggle for life and the survival of the fittest that we find in evolution apply even more strongly to companies.

The general public usually hears about these waves of mergers and take-overs only when a multi-million dollar transaction hits the headlines – as is the case at the moment. But at a level below this, there are often various consolidation processes underway in various sectors, proceeding a lot more steadily, and for longer. And so it is in information security as well, which is currently undergoing reinforcement.

These constant corrections, which receive little attention, have increased since the financial crisis and have led to restructuring, a transformed business environment and new regulatory measures. These adjustments also relate to the increased importance of information security, or cyber security, in companies. However, this new awareness and attention to information and cyber security, and its increased profile in companies, is not adequately reflected in M&A activities.

Current situation

At the moment, there is considerable activity in the pharma, medtech and telecommunications sectors. Much of this activity involves acquisitions, but also portfolio adjustments – sell-offs, in other words. And there is plenty going on in the finance sector. However, this generally comes in the form of small transactions, such as the purchase of divisions or teams, which take place discreetly, without attracting public attention. Shareholder activists also play a part, although as an outsider it is not always easy to discern the reasons why management chooses to restructure a company, selling off some parts and buying in others.

Although due diligence is an essential component of M&A activities in the assessment of the financial capability of a potential takeover candidate, there is a serious shortfall in the assessment of information and cyber security – and the implied risks.

In contrast to the dominant opinions on M&A, one could also assume that not only cost synergies are the success factors in M&A, but that through the acquisition or merger, core competencies can be optimally used or strengthened in the future. This should apply above all to information and security capabilities and competencies.

From this perspective, greater success in company takeovers means the acquired units not only complement but also strengthen the core competencies of the purchasing company. This may be particularly true of information security.

Initial starting points for risk assessment

At what point in the M&A process or due diligence activities should consideration and examination of risk and information security begin?

The primary point to consider is that the purchase and sale of companies already encompass in themselves two significant attack vectors for industrial espionage and cyber criminals. This fact does not receive as much attention as it should in normal M&A activities. At the same time, it is evident that it is precisely these two risk areas that must be assessed accurately and in detail in review procedures or valuation processes of information security and its risks, just like the due diligence process is used to assess market potential, financial obligations, company development and technological maturity, etc.

In fact, for today’s purchaser it is essential to advance the issue of cyber security during the risk assessment of the company under consideration and make it a significant key element. We can be sure that this factor will have a profound and increased impact on company valuation, and ultimately the purchase price, in the future.

Although it should be clear to all that cyber risks may reduce the purchase value considerably (as certain public examples have shown in recent times) and although huge amounts of assets can be wiped out within a short time through attacks from cyberspace, cyber security is nonetheless still not examined in a thorough, systematic and detailed way (autonomously or as a component part) in due diligence!

An optimized perspective enriched with risk aspects of information and cyber security should therefore be incorporated and maintained throughout the entire M&A process, beyond due diligence, and in particular before takeover activities are made public. It is all too plausible that cyber criminals, hackers or frustrated employees might seek to use inadequate confidentiality or security arrangements to intentionally scour the company network for M&A indices to gain personal financial advantage before a takeover becomes public knowledge.

The consequences of such activities could be considerable, to say nothing of the extremely negative publicity. Therefore, it is essential that the purchaser and the takeover target together ensure that effective, targeted security mechanisms are implemented to prevent potential data leaks through weak spots, whether technical or organizational in nature, in their own organizations, in the relevant network and in the infrastructure context.

Data protection neglected in M&A reviews

Numerous stakeholders are supplied with business-critical and sensitive information and data during M&A activities. Companies involved in the transaction process that are in competition with each other or represent completely different interests can gain access to confidential documents. Therefore, dealing with information and data requires particular caution.

This means that access must be restricted to the data required for the purposes of assessment of the company. The interests of affected employees, customers and suppliers must be protected. This demands a good balance of need-to-know requirements.

The review of the company under consideration, particularly its IT systems and data assets, should not take place without regulations in place. Rather, there must be careful prior consideration of what data access that is really required and the data that should not be disclosed.

M&A assessments often take place on site. However, one should also anticipate regular, comprehensive data exchange. Before the beginning of the actual project, in particular, an intensive exchange of data will enable an adequate exploration. Moreover, various stakeholders are drawn in who then also receive data for review.

It must be made impossible for reviewers to gain uncontrolled, free access to the candidate company’s systems and data. What counts here are the principles of data economy, data protection and restriction to the truly necessary data. Secure data exchange through secured channels (encryption) and a systematic deletion of data after it has fulfilled its purpose are further key requirements.

Indicators for adequate security and risks

The following list includes some of the core points that should be systematically considered as the basis for risk assessment:

The following questions must also be answered:

Phases of an M&A process

Phase 1: from screening to negotiation
Screening Search for possible target companies.
Targeting Target company identified and defined.
Preparation Collection of strategic detailed information or even an initial purchase of shares in order to acquire a stake.
Contact & NDA Owner and management (non-disclosure agreement).
Negotiation Initial negotiations, common vision or hostile takeover.
Phase 2: Letter of intent for deal design
Letter of intent/memorandum of understanding Signature of a legally non-binding fundamental agreement in which the interested party or, in the case of the memorandum of understanding, both partners of the transaction document their views.
Due diligence Determination of all critical influencing factors on the true value of the company. These days, this should also include an accurate review of cyber and IT risks: identification of the areas for investigation, assignment of IT functions for review of the due diligence documentation, identification of IT requirements, determination of IT cost factors and values (people, processes, applications, infrastructure).
Deal design Based on the due diligence findings, including purchase price and owners’ stakes.
Phase 3: Signing Day
Day 1 This is the day on which the contracts are signed and come into effect, and the execution of the necessary transaction activities begins.
Post-merger integration Integration of acquisitions or separation of sell-offs: Definition of integration or separation plan, establishment of governance, definition of baseline integration or separation requirements, IT strategy and planning, data segregation and application arrangement planning, IT integration or separation project management. Blueprint execution, IT transaction execution and management, oversight, control and reporting, transfer of third-party contracts, assets and licenses.

Post-merger integration determines success

The integration efforts must primarily concern the interlinking of the operational business. In particular, this includes the combination of business processes and complex IT systems – and in this case a solid security concept is essential.

The company concerned should be accompanied and supported during the integration of day-to-day business of operational management. The combination of day-to-day operations on the basis of optimized business processes and permanent support by the integration management is a central component in realization of the intended synergies. This operational integration must be carried out as a clearly defined and systematically structured process. This enables a thorough integration of the supporting systems and the various security issues.

Integration undertaken too quickly can also have a lasting negative effect on success. The frustration, demotivation and overburdening of employees are just some of the many disadvantages. If integration is carried out too quickly, there is a risk that significant processes and tasks will be only superficially carried out, or not at all. As a consequence, the high risk of poor decisions increases, particularly when action is taken without clear guidelines in matters of information security.

For any company hoping to make a success of its M&A plans, meshing managements and key roles involves much more than just a merger of organization charts. Those responsible for security must have a say at the upper management level to ensure that security goals and risks are not neglected.

Conclusion

The key thinking behind M&A is the creation of synergies; i.e. the creation of value that is greater than the sum of the parts of the combined companies. Convergence plays an important part.

Convergence generally refers to the joint development of two or more starting points, in themselves divergent. From this perspective, convergence should also be seen as a characteristic of M&A activities. But when the risks of two companies are combined in the M&A process, the risk increases for both. It is not only that vulnerabilities and security gaps are different in every company, so too are the priorities applied to possible security strategies. In a merger, therefore, these must be brought into harmony with each other; this is precisely what is meant by convergence and it may well represent the greatest challenge among security considerations.

If it does not succeed, there is a danger that problems are identified, but simply prolonged. This fits the picture of complex M&A processes in which security does not receive the proper consideration. The deferment and postponement of problems is confused with their solution. One buys time and pretends to have room to maneuver, but does not use it – meanwhile, the unresolved problems pile up on the horizon and with them the risks.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here