Don’t Neglect Security in M&A Due Diligence
by Drew Del Matto
Chief Financial Officer at Fortinet
Look at any M&A due diligence checklist and you’ll see the same things: financials, customer information, sales, real estate, intellectual property, contracts—and the list goes on. One thing you may not see is information security, and that can be a crucial mistake.
Like any other critical component of running a business, security needs to be right at the top of the list for M&A due diligence. When combining two companies, they often have different and sometimes even incompatible systems and data. That can create opportunities for hackers. If a company is in the news for a merger or acquisition, it’s a fair bet that hackers and data thieves are going to try their hand at breaching its security. A good business decision can turn bad very quickly if security is an afterthought.
A CFO’s job is to realize the optimal business case, mitigate the risk, and protect the company’s assets, both tangible and intangible. In addition to data, some of a company’s most critical assets are its reputation and the loyalty of customers. An acquisition can make customers of both companies apprehensive. If that’s followed up by a massive breach of sensitive customer data, the companies’ customers will flee in droves.
To avoid that worst-case scenario, here are some things to keep in mind during the M&A process.
Before the Merger
Companies going through a merger or acquisition need to start their security due diligence early in the deal and confirm that the target’s environment is not already compromised. That starts with a full audit of the target’s network. Look not only at their tools and systems, but also at their policies and procedures. Is their security well documented, with logs, reports, and an inventory of what is actually deployed?
If it is, the buyer’s team will need to go through all that documentation to find any previous cybersecurity incidents. How did the target respond to the incident and how did it remediate the issue to avoid a repeat? If that documentation does not exist, the organization may have much bigger issues that could require a comprehensive review by a qualified third party.
From the time the merger or acquisition becomes public knowledge, through to the time when the two companies are finally combined, both companies’ networks need to be monitored continuously for attacks and suspicious activity. A substantial share of incidents originate within organizations, from either careless or disgruntled employees. Since an M&A process often includes restructuring and layoffs, employees can feel nervous and threatened. Fearful or disgruntled employees with access to the data and systems can be a dangerous combination. It’s imperative that customer data is protected throughout the process and that the value of the merger or acquisition (and other deal details) is not leaked.
Bring Two Companies Together, Securely
From a security standpoint, the first thing the IT team must do is combine and align two different network security policies. This can be complicated. There are a lot of decisions to make. Which elements of each policy will be kept? Does the buyer combine the two policies or create an entirely new one? Whatever approach the buyer takes, make sure the decisions result in improved security for the new organization and that they leave no gaps that can be exploited.
Consider an Integrated Security Platform
M&A deals always present opportunities to increase efficiency by combining systems and eliminating redundancies, and the security side is no different. A merger or acquisition is an opportunity to look at both organizations’ network security systems and consider moving to an integrated, common platform. Most organizations have many different security devices, often from many different vendors, and most likely, those devices don’t talk to each other. That makes it very difficult to share information across the network and respond to threats quickly.
Now, imagine combining two sets of these siloed security solutions. Instead of improving the combined company’s security, they are more likely to slow detection and response times dramatically. The ideal solution is an architectural approach that ties together discrete security solutions into an integrated whole.
The buyer may be hesitant to spend more money during an acquisition. That’s understandable. But imagine an integrated system that automates the processing and analysis of threat information from many different sources, quickly identifies network security threats, synchronizes a response, and even automates the identification, isolation, and analysis of suspicious files. All of this, if done manually, is labor-intensive and time-consuming and is prone to missing complex threats.
However, an integrated platform or security fabric can dramatically improve network security; help the buyer avoid costly, damaging breaches; and do so without adding security headcount. In a time when personnel budgets are tight and cybersecurity talent is in short supply, consider how much that is worth.
Future-Proofing with Internal Segmentation
A merger or acquisition is also a good opportunity to consider implementing more future-proof technologies, like internal segmentation of the network. With networks becoming increasingly complex and cyberattacks increasingly sophisticated, even the best perimeter firewalls can’t stop everything. During the integration phase, when two different networks are being joined, this is truer than ever.
Once an attack reaches a flat internal network, IT may not be able to detect it, let alone stop it, because nothing inside the perimeter restricts movement from one host to the next. That’s why some data breaches remain undiscovered for months or even years while cybercriminals siphon off critical information. Internal segmentation firewalls are designed to control traffic between network segments, denying inter-segment traffic by default and permitting only the flows each business function needs, thereby isolating and containing any malicious code that has made its way into the internal network and limiting the damage it can do.
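To make the difference between a flat and a segmented internal network concrete, here is an added example (not code from the original article or from Fortinet) that models an internal segmentation policy as a default-deny allow-list between segments. The segment names, address prefixes, services and the "compromised target-side workstation" flows are all constructed for the illustration; the example also renders the allow-list as an nftables forward chain with a drop default, to show what the same policy looks like on a real packet filter.

```python
"""Default-deny internal segmentation policy model (added illustration)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Hypothetical address plan for a combined company; the segment names and
# prefixes are constructed for this example, not taken from any real network.
SEGMENTS = {
    "buyer-corp":    ip_network("10.10.0.0/16"),   # buyer's user workstations
    "buyer-db":      ip_network("10.20.0.0/24"),   # buyer's customer database tier
    "target-corp":   ip_network("172.16.0.0/16"),  # acquired company's workstations
    "target-legacy": ip_network("172.17.0.0/24"),  # acquired company's legacy apps
}


@dataclass(frozen=True)
class Rule:
    """One explicit allow between two segments for a given service."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# A flat network: once inside the perimeter, any host may reach any other host.
FLAT_POLICY: Optional[List[Rule]] = None

# Segmented network: inter-segment traffic is denied unless a rule permits it.
SEGMENTED_POLICY: List[Rule] = [
    Rule("buyer-corp", "buyer-db", 5432),        # buyer apps -> PostgreSQL
    Rule("target-corp", "target-legacy", 443),   # target users -> legacy web apps
]


def segment_of(addr: str) -> Optional[str]:
    """Return the segment containing addr, or None if it is in no known segment."""
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_allowed(policy, src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """Decide whether a flow is permitted across the internal segmentation firewall."""
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or dst_seg is None:
        return False                      # unknown addresses are denied outright
    if src_seg == dst_seg:
        return True                       # intra-segment traffic never crosses the ISFW
    if policy is None:
        return True                       # flat network: no internal enforcement
    return any(r.src == src_seg and r.dst == dst_seg
               and r.dport == dport and r.proto == proto for r in policy)


def lateral_movement_report(policy):
    """Evaluate the flows a compromised target-side workstation would attempt."""
    attempts = [                          # constructed attacker flows
        ("172.16.5.9", "10.20.0.10", 5432),  # straight to the buyer's database
        ("172.16.5.9", "10.10.1.2", 445),    # SMB to a buyer workstation
        ("172.16.5.9", "172.17.0.5", 443),   # legitimately needed legacy app
    ]
    return [(s, d, p, is_allowed(policy, s, d, p)) for s, d, p in attempts]


def to_nft(policy) -> str:
    """Render the allow-list as an nftables forward chain with a drop default."""
    lines = ["table inet isfw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        lines.append(f"    ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
                     f"{r.proto} dport {r.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, pol in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(name)
        for s, d, p, ok in lateral_movement_report(pol):
            print(f"  {s} -> {d}:{p}  {'ALLOW' if ok else 'DENY'}")
    print(to_nft(SEGMENTED_POLICY))
```

Under the flat policy all three attacker flows succeed; under the segmented policy only the legitimately needed legacy-app flow does, and the database and SMB attempts are dropped at the segment boundary. The point of the rendered nftables chain is that the allow-list is short and reviewable: every inter-segment flow that exists after integration is one explicit line, and anything not on the list is denied.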
Get All Your People On Board
Even the best security systems and procedures can be thwarted, intentionally and unintentionally, by people. Communicate early and often to employees to ease their concerns about the merger. Then make sure the company implements consistent security policies and best practices, and thoroughly educates employees on them through an awareness program and ongoing training. The more security-savvy the people are, the better they’ll be at supporting security efforts.
The bottom line: neglecting security during a merger or acquisition can have disastrous results. On the other hand, incorporating security considerations from the earliest stages of the process can result in a combined organization that is stronger, more secure, and more efficient than the original two companies ever were. The latter approach also helps realize and drive the intended value of the M&A decision.