Baptistin Buchet

From people and organizations, to strategic alignment and governance, the complexity of M&As can be overwhelming. But more importantly, it can be a major security vulnerability for both companies coming together.

Today, the four biggest IT security risks in an M&A are:

  1. Security postures. When you bring two organizations together that have different approaches to securing data, there’s a significant chance that you will create gaps. Prior to executing an M&A, organizations have a unique security profile and most likely secure their data differently. As you bring them together, you might create security holes that can be manipulated, jeopardizing the entire process. That said, rule number one in M&As is to never sacrifice your security posture. You need to have tight controls over how the two companies come together and share their data every step of the way. Knowledgeable security architects from each organization should be at the table very early in the engagement.
  2. Data classification. It’s not uncommon for companies to classify their data differently, so establishing a common taxonomy of how data is regarded and classified is critical. For example, company A may classify its sensitive data as “classified/internal use only,” while company B may label those files “restricted.” These classifications are especially important in M&As because both companies need to ensure they apply the same controls to data in the same vertical. To make this possible, we have to understand both where the data exists and its significance, always ensuring that merging organizations arrive at a common method of classifying information.
  3. Security technologies. Technology can be a major risk as it determines the efficacy of your controls. In M&As, it’s common to find duplication, but also gaps. You should ask: What are the security capabilities of each organization? Does one organization possess a higher maturity in a specific security domain or domains? How do we bring these strengths together in the best way to ensure a robust and effective security program? Do both organizations have intrusion prevention systems? Do they have security information and event management (SIEM)? Equally, methodology is just as important in M&As as the technology itself. Ask yourself: Do we apply similar controls to similar systems and information? What is our business continuity, disaster recovery and incident response (BC/DR/IR) strategy for these systems? Do both organizations provide access to the environment in the same way? A thorough review is in order to ensure that you have the right capabilities and processes for the necessary controls.
  4. New risks. As two companies with different IT systems, capabilities and methodologies merge, new risks will arise that require mitigation. This is especially important for compromise and compliance risk, as an M&A can expose one company to extra scrutiny because of regulations imposed on the other. PCI compliance is a good example: if the acquired company is subject to a PCI audit and the acquiring company has not been doing one, the merger can lead to a larger audit and, eventually, sanctions. A review of both organizations’ risk registers is a good start, but a thorough, holistic assessment is essential.
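Points 2 and 3 above both reduce to the same exercise: translate each company's native labels onto one common taxonomy, then check that data of the same sensitivity receives the same controls on both sides. The script below is an added example written for this post, not Wavestone's tooling or method. Every label, tier, control name and inventory record in it is a constructed sample; the "stricter side wins" merge rule is this example's reading of "never sacrifice your security posture", and the requirement that a higher tier never needs fewer controls than a lower one is an assumption added here.

```python
"""Reconcile two organizations' data-classification schemes into one taxonomy
and report where one side applies weaker controls than the other to data of
the same sensitivity. All labels, tiers, controls and records are constructed."""

from typing import Dict, Iterable, List, Optional, Set, Tuple

# Common taxonomy, ordered least to most sensitive (constructed).
COMMON_TIERS = ("public", "internal", "confidential", "restricted")

# Each company's native labels mapped onto the common taxonomy (constructed).
# Note that company B's "Restricted" is only "confidential" in common terms.
COMPANY_A_LABELS: Dict[str, str] = {
    "public": "public",
    "internal use only": "internal",
    "classified/internal use only": "confidential",
    "secret": "restricted",
}
COMPANY_B_LABELS: Dict[str, str] = {
    "open": "public",
    "internal": "internal",
    "restricted": "confidential",
    "highly restricted": "restricted",
}

# Controls each company applies today, per common tier (constructed).
COMPANY_A_CONTROLS: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"sso"},
    "confidential": {"sso", "encryption_at_rest", "dlp"},
    "restricted": {"sso", "mfa", "encryption_at_rest", "dlp", "access_review"},
}
COMPANY_B_CONTROLS: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"sso", "mfa"},
    "confidential": {"sso", "mfa", "encryption_at_rest"},
    "restricted": {"sso", "mfa", "encryption_at_rest", "hsm_keys"},
}

# A slice of company B's asset inventory: (asset id, native label). Constructed.
COMPANY_B_INVENTORY: List[Tuple[str, str]] = [
    ("b-hr-01", "Restricted"),
    ("b-crm-02", "Internal"),
    ("b-legacy-03", "Confidential"),  # label not in B's own scheme
]


def normalize_label(label: str, mapping: Dict[str, str]) -> Optional[str]:
    """Translate a native label to a common tier; None when unmapped.
    Unmapped labels are surfaced for a human decision, never defaulted down."""
    return mapping.get(label.strip().lower())


def classify_inventory(
    records: Iterable[Tuple[str, str]], mapping: Dict[str, str]
) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Map every record to a common tier and collect the ones nobody can map."""
    tiers: Dict[str, str] = {}
    unmapped: List[Tuple[str, str]] = []
    for asset_id, label in records:
        tier = normalize_label(label, mapping)
        if tier is None:
            unmapped.append((asset_id, label))
        else:
            tiers[asset_id] = tier
    return tiers, unmapped


def merged_baseline(*control_sets: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per tier, the union of what either company applies (stricter side wins).
    Controls also carry upward, so a higher tier never requires less than a
    lower one (an assumption of this example, not a rule from the post)."""
    baseline: Dict[str, Set[str]] = {}
    inherited: Set[str] = set()
    for tier in COMMON_TIERS:
        required = set(inherited)
        for controls in control_sets:
            required |= controls.get(tier, set())
        baseline[tier] = required
        inherited = required
    return baseline


def control_gaps(
    company_controls: Dict[str, Set[str]], baseline: Dict[str, Set[str]]
) -> Dict[str, Set[str]]:
    """Tiers where this company lacks something the merged baseline requires."""
    gaps: Dict[str, Set[str]] = {}
    for tier in COMMON_TIERS:
        missing = baseline[tier] - company_controls.get(tier, set())
        if missing:
            gaps[tier] = missing
    return gaps


if __name__ == "__main__":
    tiers, unmapped = classify_inventory(COMPANY_B_INVENTORY, COMPANY_B_LABELS)
    print("Company B records by common tier:", tiers)
    print("Labels needing a human decision:", unmapped)
    base = merged_baseline(COMPANY_A_CONTROLS, COMPANY_B_CONTROLS)
    for name, controls in (("A", COMPANY_A_CONTROLS), ("B", COMPANY_B_CONTROLS)):
        print(f"Company {name} gaps vs merged baseline:", control_gaps(controls, base))
```

Running it shows the two things the post warns about: a label that exists in neither scheme ("Confidential" in company B's inventory) is flagged rather than guessed, and each company is told exactly which controls it must add per tier before the two data estates can be treated as one.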

Ultimately, it all comes down to priority.

IT leaders need to involve their security teams from day one and see to it that IT security is woven into every stage of the integration process. This means making sure each organization defines a process for understanding its risks and vulnerabilities, as well as the security controls at its disposal to mitigate them.

Finally, re-evaluate and retest your controls every step of the way as the merger or acquisition progresses. Be prepared to make adjustments to ensure your security posture remains sound without creating new security headaches.

Download our M&A Playbook for IT to find out more about major integration challenges faced by IT leaders and a framework to handle them more effectively.


Baptistin Buchet
Head of Cybersecurity & Digital Trust

Baptistin Buchet leads the cybersecurity activities at the Wavestone US office in New York City. He graduated from EPITA, the premier graduate school of computer science and advanced technologies in France, majoring in systems, network, and security. Certified in both CISSP and CISM, Baptistin has, over the years, developed extensive expertise in risk management, security architecture, crisis management, and emerging technologies. He is also a frequent media and conference speaker and gives university lectures at New York University and other European-based schools.

