Inherited risk: The downside of mergers and acquisitions
2015 has been a year of abundant changes for many enterprises from private equity firms to telco companies.
Trustwave, which announced the completion of its acquisition by Singapore Telecommunications Limited (Singtel) in late August, had itself acquired many companies in the past.
Steve Kelley, senior vice president of product and corporate marketing at Trustwave, said, “From an M&A perspective, I’ve never seen the industry as hot as it is today. One of the key reasons is that security has gone from being an IT risk to really a business risk, and that is what is driving a lot of the M&A activity.”
Businesses are beginning to understand that despite increased risks and growing threat vectors there is no perfect security. Kelley said, “We see risks shifting from IT to business risks. Irrespective of M&A, the greatest concern is data security. An attack on a company is not going to cause issue until some type of data is compromised.”
The goal of many mergers and acquisitions, Kelley said, “Is protecting organizations against sensitive data loss, whether it’s credit card data, customer data, or intellectual property.”
Steve Kelley, senior vice president of product and corporate marketing at Trustwave
Enterprises around the world and across industries have been engaging in mergers and acquisitions in pursuit of growth and development, but they have also had to deal with unexpected security concerns.
James Robinson, director, risk and threat management, Optiv said, “It’s important to break a merger down into a couple different pieces.” Doing due diligence before engaging in conversations means asking the right questions.
Robinson said, “Companies should be asking, ‘What is their security program How do they operate Is it a good program or a security facade’” These questions should be at the forefront of any acquisition conversation in order to avoid issues after a deal has closed.
When investigating the security program of an enterprise they might acquire, “Companies should be looking at the way that the operations exist, the documentation they have, their implemented policies and procedures, whether they have gone through their own certification process, and whether they’ve been validate by a third party,” said Robinson.
Knowing the difference between a good security program and a facade will help the acquiring company to identify the wrinkles and gaps in security. “If there is no security leader, no updated procedures, or they don’t have a program that is all encompassing, these are leading indicators that it’s more of a risk,” said Robinson.
While these glitches might be risky, they are not necessarily deal breakers as much as they are negotiation points. Being informed about the security programs of the acquiring company or company being acquired can help to mitigate some risks, but as enterprises work through the M&A process, new and unexpected threats may arise.
Robinson said, “Going into the next stages of M&A you are introducing more risk to the work force which could result in an internal adversary who isn’t in support of the acquisition.” Security leaders usually are not part of these discussions, but Robinson suggested that they should be to the extent that it is possible.
[ ALSO ON CSO: Cloud security sector leads cybersecurity mergers and acquisition report ]
Again, due diligence means looking at every potential risk, so knowing the normal attrition rate of the other company will help a security team focus on the potential of internal threats once the word gets out.
According to Robinson, a top concern for executives post-merger is over-communication. “Keep in mind that employees are not always going to feel as excited about a corporate deal as the executives. The goal for the security team is to reduce the amount of internal threats you have,” said Robinson.
Gary Alterson, senior manager for consulting services at Cisco, agreed that internal threats present a security challenge for enterprises going through M&As. “The relevance and volume and risk posture in terms of internal threats differs depending on the type of the business.”
Employees of smaller organizations might not feel as threatened as those in larger companies.
Alterson said, “If an organization purchases or is merging with another one for efficiency or industry consolidation, it is more likely to have a higher risk profile for internal threats because there is more likelihood of layoffs, which creates this feeling of winners and losers.”
Whether it’s a disgruntled employee or a criminal targeting an enterprise, when companies join forces with another, they also combine their security threats. Alterson said, “In addition to acquiring the assets, they are also acquiring the risk profile. Often times different companies have different threat profiles. Especially if it is an Asian market or a new area.”
“The challenge for CISOs,” said Alterson, “Is that they might not have a full view onto threats in that particular market and might not have a full appreciation of the threats involved in that area and how to react to those threats.”
Mergers and acquisitions result in changes in strategies and operations that can also impact security. Alterson said, “One example is an organization that has been primarily involved in B2B operations and not consumer facing acquiring a unit that was more consumer facing.”
“As a result, that organization was acquiring different kinds of data such as personal information, credit card data, banking data that is often the target of a lot of mass distributed malicious code or identity feeds that a B2B wasn’t prepared to deal with before,”Alterson continued.
What they don’t know can hurt them, so enterprises need to understand the security risks involved in mergers and acquisitions.
Alterson said, “Sometimes organizations are buying a company for specific products or services. In those cases there should be deep dive that should include pen testing or application security testing. I would also recommend that organizations ask for a disclosure of past security breaches.”
That’s not a standard due diligence question you’ll get out of a finance person, said Alterson. But if security leaders aren’t part of the negotiating team, these types of questions need to come from the finance person, the CEO, or the legal representation.
Jonathan Thompson, founder and CEO, Rook Security, said, “One of the challenges is that the CISO is not involved early enough.” The security of the enterprise as well as the security of critical business transactions would benefit from companies widening their circle of trust to include the CSO or CISO in the early parts of M&A conversations.
Thompson said, “One of our global 500 clients is going through an international merger. They would frequently go to hotels to conduct meetings and would use the hotel Internet.” Because they were discretely conducting transactions, they were compromising the security of the enterprise by using unsecured WiFi.
When companies enter into mergers and acquisitions, it’s critical for both sides to understand the security policies and the ways in which they need to be intertwined into a new security architecture that protects critical data.