Security risks in mergers and acquisitions

Mergers and acquisitions (M&A) between two companies bring a unique synergy that cannot be obtained by one company alone. Along with synergy, M&A bring a lot of things to the table such as:

• Product diversification
• Customer base increase
• Cost and overhead reduction
• Quality staff increase
• Competition reduction

One of the aspects rarely discussed during M&A is security as it relates to potential risks accompanying the deal.

Merger vs. acquisition

Mergers and acquisitions are often used synonymously. However, they mean different things. When a target company (or buyer) takes over another company and establishes itself as the owner, this is typically called as an acquisition. A merger, on the other hand, is when two independently owned companies agree to move forward as one unit rather than separately owned or operated entities.

Why consider security in a merger or acquisition?

In the words of Gerald Brom:

“Everything comes with a price. Everything. Some things just cost more than others.”

That being said, understand that securing an enterprise too comes at a cost. Early identification of risks, vulnerabilities, and threats for securing the enterprise during M&A helps reduce cost, efforts required to resolve these issues, and maintenance of industry reputation. Security must be taken into consideration as early as possible to avoid any negative ramifications. Here, we’ll define high level security risks that need to be facilitated for a smooth integration between the companies involved in M&A.

What are the different security aspects?

The merging or acquisition of two companies requires an in-depth analysis of all different domains of security with respect to both companies. As an example, let’s say two companies (A and B) have similar product lines. Company A acquires Company B. Company A might have a different set of security policies and procedures for deploying an application into production than Company B. The two companies may also have a different risk assessment methodology.

Here’s a glance at the different aspects of security that must be considered during M&A:

• Physical security – the need to secure physical location(s) of the company and employee access to those locations.
• Data security for electronic and physical data – involves employees and clients data storage, data clean-up, backups, and recovery procedures.
• Application security – one of the core aspects during a merger or acquisition is consideration of application security. Companies tend to integrate various COTS (Commercial-Off-The-Shelf) tools, internal tools, and applications for continuity of the services and offerings. Hence, a deeper dive into the following sections must be performed:
  • Application penetration testing – dynamic and static analysis of applications must be conducted prior to integration with current systems.
  • Mobile application security – integration of various mobile applications and services offered by the companies involved in M&A.
• Network security – care must be taken during integration of workstations, network devices (firewalls, routers, access points, etc.), web servers, and remote connectivity for employees.
• Architectural risk analysis – during M&A, different architectures of applications, technology stacks, design models, and approaches to a secure SDLC integrate. These applications and infrastructure components must be analyzed thoroughly to understand the threats and critical assets requiring controls for remediation of any vulnerability due to design flaws.
• Policies, compliance, and standards – adopting the policies and standards of the buyer before on-boarding the applications. Compliance of applications and tools as per the standards (NIST, FIPS, PCI DSS, HIPAA, etc.).
• Other aspects such as frequency of penetration testing (of internal and external applications), code review of applications, threat modeling, disaster recovery, and incident handling must also be assessed.

How can I get started?

Companies involved in M&A can take a few steps to safeguard against various types threats. Here are a few considerations allowing for a smooth integration and the mitigation of potential security risks:

• Adhering to the secure SDLC approach for new technologies built after M&A.
• Assessment of vendor tools / software products being on-boarded.
• Prioritization of testing and remediation efforts for each application in the portfolio.
  • A security architecture survey focusing on each application’s design and deployment in the portfolio.
• Threat modeling and architecture risk analysis for detecting flaws in the design of an application or architecture.
• Assessment of physical locations, network devices, workstations, and remote connectivity to offices.
• Mobile application penetration testing for applications integrated during M&A.
• Application penetration testing for assessing server side APIs and scanning for vulnerabilities using automated and manual techniques.

The bottom line

Firms involved in M&A must weigh pros and cons during the process. Thoughtful consideration of the threats, risks, and vulnerabilities that accompany the deal must also be conducted. Consideration of the above controls, involving the right assessor, and a thoughtful decision will reflect a combination of securing your company, securing customer’s data, and securing employees data.