Systems that do not continually adapt and change face extinction. We know this from evolution, and the biotope of the company is no exception to the rule. Therefore, mergers and acquisitions (M&A) – which currently affect markets, stock exchanges and the economy with renewed force – are important factors in the economic circulatory system. It would be wrong to interpret the current wave of mergers as a game of chance played by share speculators and managers. After all, not every start-up will develop into a corporation, and these in turn do not easily become international market leaders. Larger companies also have to continually buy in products and know-how so that they can stake out and defend their position. So the principles of natural selection, the struggle for life and the survival of the fittest that we find in evolution apply even more strongly to companies.

The general public usually hears about these waves of mergers and take-overs only when a multi-million dollar transaction hits the headlines – as is the case at the moment. But at a level below this, there are often various consolidation processes underway in various sectors, proceeding a lot more steadily, and for longer. And so it is in information security as well, which is currently undergoing reinforcement.

These constant corrections, which receive little attention, have increased since the financial crisis and have led to restructuring, a transformed business environment and new regulatory measures. These adjustments also relate to the increased importance of information security, or cyber security, in companies. However, this new awareness and attention to information and cyber security, and its increased profile in companies, is not adequately reflected in M&A activities.

Current situation

At the moment, there is considerable activity in the pharma, medtech and telecommunications sectors. Much of this activity involves acquisitions, but also portfolio adjustments – sell-offs, in other words. And there is plenty going on in the finance sector. However, this generally comes in the form of small transactions, such as the purchase of divisions or teams, which take place discreetly, without attracting public attention. Shareholder activists also play a part, although as an outsider it is not always easy to discern the reasons why management chooses to restructure a company, selling off some parts and buying in others.

Although due diligence is an essential component of M&A activities in the assessment of the financial capability of a potential takeover candidate, there is a serious shortfall in the assessment of information and cyber security – and the implied risks.

In contrast to the dominant opinions on M&A, one could also assume that not only cost synergies are the success factors in M&A, but that through the acquisition or merger, core competencies can be optimally used or strengthened in the future. This should apply above all to information and security capabilities and competencies.

From this perspective, greater success in company takeovers means the acquired units not only complement but also strengthen the core competencies of the purchasing company. This may be particularly true of information security.

Initial starting points for risk assessment

At what point in the M&A process or due diligence activities should consideration and examination of risk and information security begin?

The primary point to consider is that the purchase and sale of companies already encompass in themselves two significant attack vectors for industrial espionage and cyber criminals. This fact does not receive as much attention as it should in normal M&A activities. At the same time, it is evident that it is precisely these two risk areas that must be assessed accurately and in detail in review procedures or valuation processes of information security and its risks, just like the due diligence process is used to assess market potential, financial obligations, company development and technological maturity, etc.

In fact, for today’s purchaser it is essential to advance the issue of cyber security during the risk assessment of the company under consideration and make it a significant key element. We can be sure that this factor will have a profound and increased impact on company valuation, and ultimately the purchase price, in the future.

Although it should be clear to all that cyber risks may reduce the purchase value considerably (as certain public examples have shown in recent times) and although huge amounts of assets can be wiped out within a short time through attacks from cyberspace, cyber security is nonetheless still not examined in a thorough, systematic and detailed way (autonomously or as a component part) in due diligence!

An optimized perspective enriched with risk aspects of information and cyber security should therefore be incorporated and maintained throughout the entire M&A process, beyond due diligence, and in particular before takeover activities are made public. It is all too plausible that cyber criminals, hackers or frustrated employees might seek to use inadequate confidentiality or security arrangements to intentionally scour the company network for M&A indices to gain personal financial advantage before a takeover becomes public knowledge.

The consequences of such activities could be considerable, to say nothing of the extremely negative publicity. Therefore, it is essential that the purchaser and the takeover target together ensure that effective, targeted security mechanisms are implemented to prevent potential data leaks through weak spots, whether technical or organizational in nature, in their own organizations, in the relevant network and in the infrastructure context.

Data protection neglected in M&A reviews

Numerous stakeholders are supplied with business-critical and sensitive information and data during M&A activities. Companies involved in the transaction process that are in competition with each other or represent completely different interests can gain access to confidential documents. Therefore, dealing with information and data requires particular caution.

This means that access must be restricted to the data required for the purposes of assessment of the company. The interests of affected employees, customers and suppliers must be protected. This demands a good balance of need-to-know requirements.

The review of the company under consideration, particularly its IT systems and data assets, should not take place without regulations in place. Rather, there must be careful prior consideration of what data access that is really required and the data that should not be disclosed.

M&A assessments often take place on site. However, one should also anticipate regular, comprehensive data exchange. Before the beginning of the actual project, in particular, an intensive exchange of data will enable an adequate exploration. Moreover, various stakeholders are drawn in who then also receive data for review.

It must be made impossible for reviewers to gain uncontrolled, free access to the candidate company’s systems and data. What counts here are the principles of data economy, data protection and restriction to the truly necessary data. Secure data exchange through secured channels (encryption) and a systematic deletion of data after it has fulfilled its purpose are further key requirements.

Indicators for adequate security and risks

The following list includes some of the core points that should be systematically considered as the basis for risk assessment:

• Data security: To identify whether established identification and classification of sensitive data, intellectual property and enterprise value contribute to security.
• Access control: To ensure that guidelines and processes minimize the risk of unauthorized access to sensitive data.
• Threat detection and defense: To review how the security system recognizes, analyzes, escalates, thwarts and contains modern, complex attacks.
• Infrastructure security: To gain an overview of the administration of the network and the systems and service contexts, and reduce the risk of compromise.

The following questions must also be answered:

• Does the company know what its key assets are? Prominent cyber event cases clearly demonstrate that companies are not able to even classify their data, so they are incapable of declaring what is important to them. Usually, one gets the idea that everything is very important. Naturally, key assets must be recognized and protected. Therefore, reviews of security arrangements and the measures in this context should be subject to particular attention.
• Is there adequate risk management in place and does it result in a realistic picture of the possible (sector-specific) threats? Unfortunately, not all companies are aware of the cyber risks to which they may be exposed. If there is no clear arrangement, it can be assumed that the existing security measures cannot achieve their required effectiveness, or are not adequately or consistently coordinated counteract real threats.
• Are elementary security processes in place? Technical security is not nearly enough. Tested and proven security processes sometimes directly influence the risk of incurring high financial damages. A resolute approach to acute cyber events and incidents, in particular, is a key criterion when evaluating the cyber competency of a company. Another reliable indicator of good security processes is the way identity and access management are handled, particularly in relation to privileged accounts.
• What is the degree of implementation of technical protective measures? How is the security technology structured? Important starting points include consideration of the IT strategy right up to the architecture, the network, the zoning, development, malware protection, intrusion prevention, etc. A crucial issue is that most technical protective arrangements today can be circumvented, so the focus must be placed on whether a company has established solutions that can detect intrusions and undesirable activities as quickly as possible. In the future, the time between detection and the resolution of a cyber event will decide the degree of potential damage.
• What security incidents has the company faced to date? Even well-protected companies are not spared the effect of security incidents, so the analysis and post-processing of incidents represents a further meaningful indicator of the quality of a company’s security. Which incidents occurred when and, most importantly, how did the company respond? Did it manage to restore its reputation, were there legal and regulatory requirements, and was communication to the outside world handled appropriately? Were appropriate lessons drawn from the incidents that led to improvement of the security system?

Phases of an M&A process

Post-merger integration determines success

The integration efforts must primarily concern the interlinking of the operational business. In particular, this includes the combination of business processes and complex IT systems – and in this case a solid security concept is essential.

The company concerned should be accompanied and supported during the integration of day-to-day business of operational management. The combination of day-to-day operations on the basis of optimized business processes and permanent support by the integration management is a central component in realization of the intended synergies. This operational integration must be carried out as a clearly defined and systematically structured process. This enables a thorough integration of the supporting systems and the various security issues.

Integration undertaken too quickly can also have a lasting negative effect on success. The frustration, demotivation and overburdening of employees are just some of the many disadvantages. If integration is carried out too quickly, there is a risk that significant processes and tasks will be only superficially carried out, or not at all. As a consequence, the high risk of poor decisions increases, particularly when action is taken without clear guidelines in matters of information security.

For any company hoping to make a success of its M&A plans, meshing managements and key roles involves much more than just a merger of organization charts. Those responsible for security must have a say at the upper management level to ensure that security goals and risks are not neglected.

Conclusion

The key thinking behind M&A is the creation of synergies; i.e. the creation of value that is greater than the sum of the parts of the combined companies. Convergence plays an important part.

Convergence generally refers to the joint development of two or more starting points, in themselves divergent. From this perspective, convergence should also be seen as a characteristic of M&A activities. But when the risks of two companies are combined in the M&A process, the risk increases for both. It is not only that vulnerabilities and security gaps are different in every company, so too are the priorities applied to possible security strategies. In a merger, therefore, these must be brought into harmony with each other; this is precisely what is meant by convergence and it may well represent the greatest challenge among security considerations.

If it does not succeed, there is a danger that problems are identified, but simply prolonged. This fits the picture of complex M&A processes in which security does not receive the proper consideration. The deferment and postponement of problems is confused with their solution. One buys time and pretends to have room to maneuver, but does not use it – meanwhile, the unresolved problems pile up on the horizon and with them the risks.

About the Author

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.

Links

• https://www.tagesschau.de/ausland/yahoo-133.html