The Ultimate Cybersecurity Checklist for Mergers and Acquisitions
Cybersecurity is a mission-critical area of focus for businesses in the digital age. However, no two businesses go about defending their digital infrastructures the same way. In a vacuum, that is not a bad thing. It means businesses can adapt their cybersecurity measures to reflect their priorities and needs. It also means that potential attackers will not face a cookie-cutter defense when they start probing for weaknesses.
Unfortunately, that reality means the mergers and acquisitions (M&A) process is often a cybersecurity minefield for businesses involved in such transactions. First and foremost, it raises the possibility that the acquiring firm will inherit the security issues of its acquisition. That is what happened to Marriott when it acquired Starwood Hotels without realizing that the latter already had an attacker embedded in its systems.
At a minimum, a lengthy and comprehensive cybersecurity due diligence process is advisable before any M&A deal closes. Even after the integration of the two firms begins, the Chief Information Security Officer (CISO) or equivalent of the new entity should follow a strict cybersecurity checklist as the necessary work is completed.
To help with that process, the experts here at Outsource IT have prepared the ultimate cybersecurity checklist for mergers and acquisitions. It can and should serve as the framework any CISO uses to navigate the complex cybersecurity ramifications of an M&A. Let us get right into it.
Phase One: Look Before You Leap
As the Marriott-Starwood data breach and countless other incidents like it demonstrate, it is hazardous to rush into an M&A without doing the IT security homework first. The first phase of that homework is to conduct a thorough cybersecurity risk evaluation of the M&A target firm. Of course, the specifics of that process will vary depending on the size and type of business, but a typical cybersecurity risk evaluation will include the following steps:
- Identify all IT assets.
- Identify the type and scope of the threats the existing organization may face.
- Model the consequences and outcomes of a potentially successful attack.
- Analyze the existing defensive measures.
- Audit the infrastructure to look for obvious weaknesses or any attacks-in-progress.
- Identify existing compliance responsibilities and measures, with an eye toward deficiencies or oversights.
- Document everything.
At this stage, it should be possible to see if both firms involved in the M&A have a compatible cybersecurity posture, infrastructure, and culture. If not, evaluating the size of the gulf between the two organizations is the next step to undertake. Doing so should provide some useful information on how hard the integration process will be as the wider M&A process moves forward.
It is also a good idea to go over how much and what type of data the target firm will bring with it. That will help to form the basis of a plan to catalog and secure that data later in the M&A process.
Phase Two: Creating an Integration Plan
The next step in the M&A cybersecurity checklist is to begin forming an integration plan for the two existing entities. That effort should start with identifying any cybersecurity overlaps that exist between the two.
For example, if the two firms share common vendors or technologies, it is typically easiest to work with those vendors to create new, unified infrastructure and systems. Where cybersecurity is concerned, an M&A is not the time to reinvent the wheel.
On the other hand, if there are overlaps that do not involve common vendors and technologies, this is the stage to make some decisions. For example, if the acquiring firm has existing contracts and relationships with third-party cybersecurity firms that make the other firm’s contracts redundant, this is the time to evaluate those options and decide which to discontinue and which to carry forward. A thorough review should then follow to make sure the contract terminations do not leave any critical cybersecurity capabilities (monitoring, incident response, vulnerability management, and the like) without an owner.
It is also a good idea at this stage to look at the two organizations’ cybersecurity protocols (using the information gathered in the first step) to draft an action plan to integrate them. This is largely a matter of deduplication and the combination of both organizations’ cybersecurity strengths. The result should be a new comprehensive cybersecurity protocol that meets the needs and goals of the combined organization.
At this point the acquiring firm should undertake a complete analysis of the data it is about to ingest. This process should include a deep dive into any pertinent regulatory or compliance issues that come with the data. The result of the process should be a complete plan that details where the data will end up in the combined infrastructure, who is responsible for it, and how it will fit into the broader post-M&A compliance picture.
Phase Three: Execute the Integration Plan
If the first two phases went well, phase three of the process should be the most straightforward one: carrying out the actual integration work spelled out in phase two. In most cases, the process should be relatively headache-free. However, it is a good idea to hold ongoing oversight meetings that include all the principals involved in the work throughout the integration process. That way, if any issues that were not considered in the analysis and planning phases crop up, everyone involved can agree on a solution together. This will eliminate any unknown integration variables that could create headaches later on.
When the physical integration work is complete, the next step is to review it. It is advisable, wherever possible, to have the members of the integration team switch roles for the review process. Having a fresh set of eyes on each process minimizes the chances that an error slips through the cracks. For an even more thorough review process, hiring an outside IT consultancy can help a great deal. They will approach the review process with no preconceptions and can catch issues that the original team could have missed. In such a complex and demanding environment, it is only natural for the people who planned the project to have an unintentional blindness when the time comes to review their own outcomes.
Phase Four: Penetration Testing, Mitigation, and Risk Analysis
The final phase of the M&A cybersecurity checklist is to exhaustively test the security of the new combined infrastructure. It is almost impossible for two disparate companies to merge into a single entity without creating some new cybersecurity vulnerabilities. No matter how thorough the planning and how flawless the execution, there is almost always an unseen vulnerability an attacker can exploit.
This process should begin with penetration testing. Hiring an outside firm to probe for cybersecurity weaknesses is the most reliable way to find out if the new infrastructure performs as expected. The penetration testers will complete their work and produce a report that includes details of any vulnerabilities remaining in the combined infrastructure. After the business takes steps to patch or mitigate those vulnerabilities, the penetration testers will revisit the flaws to see if the changes did the trick.
With the penetration testing out of the way and the new infrastructure secured, the next step is to perform another risk analysis. This is a repeat of the process completed during phase one, except with the new combined infrastructure under scrutiny. The idea is to identify the types and scope of the cybersecurity threats the new business entity faces. Modeling of a worst-case scenario attack should then follow. The outcome of those processes should then inform the creation of intrusion response and disaster recovery plans for the new organization.
Stronger, Not Weaker, Together
If the businesses involved in an M&A approach the task of IT integration in the right way, they should emerge from the process in a stronger position, cybersecurity-wise. Although there is plenty that can go wrong, an M&A scenario is one of the few times that a business gets to undertake a top-to-bottom review of its cybersecurity position. It is also an excellent opportunity to make targeted upgrades.
Business organizations navigating the M&A process do not have to go it alone. Outsource IT offers comprehensive project management services and can provide as much or as little support as a business requires. All it takes is a conversation with one of our knowledgeable account managers to get the process started. So, contact Outsource IT today and ask how we can help manage the cybersecurity concerns that come with the M&A process.