close search bar

Sorry, not available in this language yet

close language selection

Security risks in mergers and acquisitions

Mergers and acquisitions (M&A) between two companies bring a unique synergy that cannot be obtained by one company alone. Along with synergy, M&A bring a lot of things to the table such as:

  • Product diversification
  • Customer base increase
  • Cost and overhead reduction
  • Quality staff increase
  • Competition reduction

One of the aspects rarely discussed during M&A is security as it relates to potential risks accompanying the deal.
Security Risks in Mergers and Acquisitions

Merger vs. acquisition

Mergers and acquisitions are often used synonymously. However, they mean different things. When a target company (or buyer) takes over another company and establishes itself as the owner, this is typically called as an acquisition. A merger, on the other hand, is when two independently owned companies agree to move forward as one unit rather than separately owned or operated entities.

Why consider security in a merger or acquisition?

In the words of Gerald Brom:

“Everything comes with a price. Everything. Some things just cost more than others.”

That being said, understand that securing an enterprise too comes at a cost. Early identification of risks, vulnerabilities, and threats for securing the enterprise during M&A helps reduce cost, efforts required to resolve these issues, and maintenance of industry reputation. Security must be taken into consideration as early as possible to avoid any negative ramifications. Here, we’ll define high level security risks that need to be facilitated for a smooth integration between the companies involved in M&A.

What are the different security aspects?

The merging or acquisition of two companies requires an in-depth analysis of all different domains of security with respect to both companies. As an example, let’s say two companies (A and B) have similar product lines. Company A acquires Company B. Company A might have a different set of security policies and procedures for deploying an application into production than Company B. The two companies may also have a different risk assessment methodology.

Here’s a glance at the different aspects of security that must be considered during M&A:

  • Physical security – the need to secure physical location(s) of the company and employee access to those locations.
  • Data security for electronic and physical data – involves employees and clients data storage, data clean-up, backups, and recovery procedures.
  • Application security – one of the core aspects during a merger or acquisition is consideration of application security. Companies tend to integrate various COTS (Commercial-Off-The-Shelf) tools, internal tools, and applications for continuity of the services and offerings. Hence, a deeper dive into the following sections must be performed:
    • Application penetration testing – dynamic and static analysis of applications must be conducted prior to integration with current systems.
    • Mobile application security – integration of various mobile applications and services offered by the companies involved in M&A.
  • Network security – care must be taken during integration of workstations, network devices (firewalls, routers, access points, etc.), web servers, and remote connectivity for employees.
  • Architectural risk analysis – during M&A, different architectures of applications, technology stacks, design models, and approaches to a secure SDLC integrate. These applications and infrastructure components must be analyzed thoroughly to understand the threats and critical assets requiring controls for remediation of any vulnerability due to design flaws.
  • Policies, compliance, and standards – adopting the policies and standards of the buyer before on-boarding the applications. Compliance of applications and tools as per the standards (NIST, FIPS, PCI DSS, HIPAA, etc.).
  • Other aspects such as frequency of penetration testing (of internal and external applications), code review of applications, threat modeling, disaster recovery, and incident handling must also be assessed.

How can I get started?

Companies involved in M&A can take a few steps to safeguard against various types threats. Here are a few considerations allowing for a smooth integration and the mitigation of potential security risks:

The bottom line

Firms involved in M&A must weigh pros and cons during the process. Thoughtful consideration of the threats, risks, and vulnerabilities that accompany the deal must also be conducted. Consideration of the above controls, involving the right assessor, and a thoughtful decision will reflect a combination of securing your company, securing customer’s data, and securing employees data.

Anupam Mehta

Posted by

Anupam Mehta

Anupam Mehta

Anupam Mehta is a security consultant at Synopsys. He holds a Bachelor's Degree in Information Technology from Vellore Institute of Technology (India) and a Master’s Degree in Security Informatics from Johns Hopkins University. Anupam specializes in web application security. He also works to provide consulting services in secure design, architecture, and deployment of in-house and third-party applications. In his free time, Anupam enjoys spending time with family, writing poetry, cooking, and watching sci-fi, thriller, and action movies and TV shows. He also loves to play racquetball, cricket, lawn tennis, and badminton.

More from Managing security risks