
Buyer Beware: M&A Activity



Stephen D. Baird

A key goal in Mergers and Acquisitions (M&A) is to create economic value greater than the sum of the two companies separately. One of the transaction risks most often overlooked is the information security footprint of the organizations involved. With data security threats at an all-time high, and with imperiled companies forced to make painful and risky cuts to their information security budgets, the prudent corporate suitor should insist on a thorough information security assessment as part of routine due diligence. Using a company’s own information security team together with an outside expert can significantly reduce the related cyber risks.

Many companies evaluating strategic transactions consider the potential costs and benefits of integrating workforces, facilities, functions, and IT systems. The compatibility of information security postures, however, is often left out. A significant gap between the information security approaches of the two companies can result in substantial unanticipated costs. Assessing compatibility in this field is not a simple task: very little uniformity in approach exists beyond the basics of firewalls and virus protection. For example, many companies still have not implemented full-disk encryption for corporate laptops. Many others have not deployed robust intrusion detection or prevention systems, let alone maintained sufficient qualified staff to monitor and maintain them. Facing increasingly sophisticated attacks – both internal and external – on their corporate intellectual property, credit card numbers, and other identity data, even a company with state-of-the-art defenses a year ago may be dangerously underprotected today. Two companies that are adequately protected as standalone entities might expose themselves to risk during integration if their approaches to information security are incompatible.

An internal or external expert can help the M&A team to make informed decisions by providing a security assessment, helping to evaluate the target company’s security program, integrating the two security organizations, and assessing the potential impact of information security risks on competitiveness, financial loss, and legal liability.

An information security due diligence investigation assesses a range of risks, including: intellectual property loss; flaws in incident response methodology or information asset identification; security gaps created by absorbing and integrating unknown and differing technologies post-transaction; employee technology usage discrepancies; data leakage; and insider malfeasance.

Beyond due diligence, information security expertise can assist with every phase of the M&A process. Leakage of information relating to the deal – anything from unsecured e-mail transmission to loss of printed documents – can cause significant damage or even jeopardize the transaction. Consequently, all relevant staff should be made aware of the gravity of non-compliance with basic security rules. In fact, companies should consider adopting special secure communication measures for all personnel involved in evaluating a potential deal.

If the risks surrounding information security are ignored, a potentially profitable merger or acquisition may fail to deliver anticipated returns, and the organization may have to incur significant costs along with a loss of goodwill, reputation, and possibly future business opportunities.


Points to Consider

  • A seasoned and well-rounded M&A team should include internal or external information security experts. Depending on the nature of the merger and perceived level of risk, these experts can be advisory or proactive.
  • An IT security audit and vulnerability assessment as part of M&A due diligence can assure management that the acquired organization follows best practices in this area. If such an assessment is not readily available, request copies of any external audit or assessment findings and work with the acquisition target’s legal department to understand the laws, regulations, and standards with which it must comply.
  • An information security monitoring protocol instituted for all phases of the acquisition process will help ensure the confidentiality and integrity of the process and its associated communications.
  • Identifying key information assets and their locations through a risk assessment process is necessary to understand what you are trying to protect, and hence its value to the acquirer. Accurate information asset definitions will assist in the selection of controls to defend that data. The overarching goal is to protect organizational information assets, contribute to the security of interdependent critical infrastructures, and thus help protect the company’s intellectual property.
  • Ensure that your security team establishes metrics to measure progress on the complete assimilation of information technology and information security management programs. These should provide information about the state of completion of risk assessments, security impact analyses, and information security plans for all critical systems and business entities after consolidation.
  • Review all contracts and third-party relationships. Any third-party security monitoring should in particular be reviewed to ensure that no lapses in important security logging, review, and oversight occur during the M&A process.