Security During the M&A Project Lifecycle
September 1, 2009
Security Considerations for Mergers & Acquisitions
By Mathieu Gorge, CEO, VigiTrust.

2007 has seen a great number of mergers and acquisitions (M&A) in the IT market on a global basis. We have seen many organizations merging either to strengthen their offering and commercial channels or to be in a better position to address global competition. Similarly, IT giants including Microsoft, Google and HP went on an acquisition spree.

Whilst much of the focus was put on the financial elements of these deals, very little was said about the processes put in place to vet the company being acquired, or by which merging organizations vet one another. Such processes, known as due diligence, should really cover the security strategy of each entity: what security processes and policies are in place to protect the good name of the company, its employees and the data relating to its customers? What technical safeguards are in place to protect the extended network environments we operate in nowadays, and will both environments be interoperable? How are each entity's staff trained in security matters? In addition, the due diligence process should also consider security issues which could arise during the acquisition or merger process itself. Given that senior management attention will be focused on getting the deal signed, is it conceivable that the security guard might be dropped to a risky level? If so, what are the market's best practices to address and mitigate this potential, often overlooked, risk?

Understanding The M&A Stages:

It is important to clarify that an M&A deal is a multi-step project. At the simplest level, it involves three stages.

Phase one: courting

The first stage can be summarized as the courting stage. During this stage an entity (or on some occasions a co-ordinated group of entities) is trying to acquire another third party. This acquisition is typically done amicably through a standard commercial process (this paper will not concentrate on hostile acquisitions and takeovers). One party is simply trying to purchase the other party's portfolio of customers, sales channels, staff knowledge and IP. The courted party is trying to get the best financial deal for its shareholders. In the case of mergers, two competing organizations may decide to merge to strengthen their joint market position against the rest of their competitors, or complementary organizations may wish to merge to offer a more complete portfolio of services and/or solutions to their amalgamated customer base. In most cases this would be seen as a win/win situation where one party is gaining momentum (potentially both parties) and the other gets an exit for its main stakeholders, although typically both parties will agree to co-operate for a while before one potentially takes full control of the other. The courting stage is therefore very important because both parties have to carefully assess the other party's motives, financial strength and commitment to the deal. We will see that there are significant security related risks during that phase.

Phase two: due diligence

The second phase is where a deal has been discussed, typically agreed through some written arrangement subject to verifying a number of items, and where a formal process of due diligence is taking place. At a financial and legal level this will involve going through financial statements and bank accounts as well as the organization's share capital structure, employee contracts, contracts with suppliers, customer contracts, and IP strategy. During the due diligence phase, the company being acquired will be asked hundreds of questions and will be asked to demonstrate that its financial statements are accurate and that its legal status is fully up to date.

Phase three: post-deal

The next phase follows the successful completion of the due diligence process and is known as the post-deal stage. At this point, due diligence checks have been completed and the deal has been signed. Depending on whether we are dealing with a merger or an acquisition, and depending on the nature of the deal, a number of situations could arise. One of the parties may be fully absorbed by the other and have to follow its various operational strategies, policies and procedures covering finance and legal matters but also IT and security aspects. Another typical situation is where both parties agree to co-operate fully and try to take the best of each party's infrastructure to create new common strategies, procedures and policies, which impacts IT and security as well. Alternatively there may be cases where each entity remains independent for a while and then integrates or interlinks its systems, either fully or partially, with the other party's infrastructure.

Security related risks linked to each phase of M&A procedures

In order to qualify the risks associated with M&A at the pre-deal, due diligence and post-deal stages, one needs to understand who the main actors of an M&A deal are, so as to assess the associated risks for the security of both entities.

Obviously the CEOs, senior executives and managers of each party are involved in this type of deal. It is worth noting that a number of additional third parties are typically involved, such as auditors (accountants), solicitors and advisors. This means that people who are not employees of either party will be dealing with potentially highly sensitive information, which is obviously a major security risk, yet very often overlooked in M&A deals.

Going back to basics, all organisations are trying to align their security strategies with the CIA concept: Confidentiality, Integrity and Availability. However, a simple look at the three stage process of M&A and at who the various actors are should start raising alarm bells in terms of security. But does it really?

Table: security risks at each M&A process stage (columns: M&A Process Stage | Problem description | Associated risks | Risk severity)

Stage: Pre-deal

Problem description:
1. M&A team members' security awareness levels
2. M&A processes must be secured
3. Interest generated by the deal in the public domain

Associated risks:
1. M&A actors must be made aware of the fact that information leakage at this stage could jeopardise the overall success of the deal. The reputation of each party is at stake and the good name of each entity must be protected or the deal could collapse.
2. M&A documentation work must be kept confidential. Data relating to the pre-deal negotiation must be accessed on a need to know basis only and must be kept secure.
3. The deal could potentially generate interest from unwanted parties who may wish to try and break it, or who may spread rumors tarnishing either or both parties. This is a PR related risk. Equally, disgruntled employees may wish to jeopardize the deal from within, so it is important that only the relevant internal staff be part of the M&A team and that information is kept confidential and its integrity maintained.

Stage: Due Diligence

Problem description:
A. The acquiring party may uncover IT security issues
B. The acquired party discovers that the acquiring party has been the victim of a major security breach
C. The acquiring or acquired party proposes an unsuitable new IT & IS structure

Associated risks:
A. Uncovering vulnerabilities in IT security systems will make the acquiring party question the integrity of the data supplied by the acquired party. Are the financial statements kept secret, and could they have been tampered with? Are trade secrets safe?
B. The acquired party may equally have second thoughts about being acquired by a party that has been the victim of data theft and security incidents. Acquired organizations are looking for some comfort as regards the stability and future readiness of the acquiring party. Not being able to demonstrate compliance with the basic CIA concept is equally damaging for both parties. Due diligence should be done both ways, and therefore securing data and trade secrets is fundamental for both parties at this stage of the process.
C. Should the proposed new joint infrastructure put forward by the acquiring party not be suitable in the eyes of the acquired party, or vice versa, alarm bells will ring as to the practicality and security of migrating to and using the proposed new structure. It may also clash with the current company culture of either or both parties. For instance, a very uncontrolled environment in terms of personal usage of email, internet and IM cannot really be changed to a fully controlled structure without prior internal awareness campaigns, and the value add of security needs to be sold to all staff.

Stage: Post-deal

Problem description:
i. Security is not included in the transition project plan
ii. The transition from two independent entities to a merged environment is not done according to IS best practice
iii. IS is not fully incorporated in the change management strategy

Associated risks:
i. Security should be part of each step of the transition/integration/linking plan. However, it often is not, as the priority is to ensure continuity of operations and reach merged status faster. This can result in security topics not being addressed or technical security issues not being looked into.
ii. Should the transition from standalone IT structures to either integrated or interlinked structures not be completed according to best practice, then it is very likely that some vulnerabilities will emerge which could lead to internal and/or external hacking.
iii. Change management is obviously very important in M&A processes throughout the project lifecycle. At a human level, IS needs to be part of that process and the new joint team needs to operate using the same security guidelines. Not incorporating security in the change management concept could result in a two-tiered organization for security, resulting in an environment which is not fully protected and thus prone to attacks.

*IS stands for Information Security

This summary of key threats to the security of each party, or to that of the combined organization, prior to, during and after the M&A is complete is by no means exhaustive. Additional threats to be considered include, for instance, the loss of key IT and IS employees. Losing IT and IS employees prior to the deal or during the due diligence process could mean that systems are left exposed at this crucial stage of the process. Any security incident may jeopardize the deal. In addition, when looking at key skills and key staff, the acquiring party might raise concerns over the loss of staff who know the systems very well because, in the short to mid-term, this will affect how systems are integrated or interlinked.

Additional risks include the creation of new attack vectors. Whereas company A's structure might be extremely secure, linking it to a less secure structure would probably result in an overall structure much more prone to attacks, especially during the transition period and immediately after, because processes and procedures are not fully in place and staff may not be fully up to date with the new security measures. In the meantime, systems could potentially be attacked and staff could be the victims of social engineering attacks. This type of attack exploits unstructured or restructured staff: because staff members may or may not know one another, it is conceivable for external parties to claim to the acquired organization that they work for the acquiring organization, and vice versa.

Best Practice Tips to maintain security levels for M&A projects

In order to ensure that M&A data, actors and processes are secure it is vital to take security into account at the very early stages of the process.

  • Security Awareness for all M&A actors

The M&A internal teams for each party must be made aware of the risks associated with early disclosure of information relating to the deal. Leakage of information relating to the deal through loss of printed documents or of electronic files held on memory keys, PDAs or laptops is completely unacceptable, and all staff involved in the deal should be made aware of the gravity of non-compliance with basic security rules, given that any incident could result in a jeopardized deal. This also applies to third parties involved in the deal, who should definitely be asked to sign procedures providing specific requirements for how they handle data related to the deal.

All staff involved should either receive specific additional security instructions or be given a refresher security awareness training session.

  • All documentation relating to the M&A deal must be kept securely, whether in physical or electronic format, and physical as well as logical access must be on a need to know basis and must be tracked
  • A full PR strategy must be devised for communicating information relating to the deal, both internally within the organization and externally in the public domain, so that information is made available to the relevant audiences at the right time using the appropriate channels. Again, early disclosure of information could jeopardize the deal. Equally, a PR strategy must be prepared in case security incidents take place pre-deal or at the due diligence stage. This should normally be part of a DR/BC plan, but specific plans should be prepared for the duration of the lifecycle of the M&A process.
  • When preparing the integration of, or links between, the two IT structures, the combined entity should be mindful to maximize on the best solutions in place at both entities.

In order to do so it is best practice to have an external security organization conduct security audits of both infrastructures. From the results of these audits, a gap analysis document can be produced. This document is very likely to take the structure of a formal SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) of the combined software, hardware and procedures/policies inventory.

Such an analysis should also include a thorough mapping of each entity's key IT and IS skills. This allows the joint entity to identify single points of failure in terms of unique skills for specific mission critical systems used by each entity, and also allows it to start building a business continuity plan whereby skills which were unique within each separate entity are duplicated in the joint organization.

This can act as a blueprint for IS staff to keep the best of each infrastructure and ideally standardize on best of breed solutions. It is also not uncommon to see organizations reuse some or all of the redundant security assets as a second line of defense.

This tactic allows organizations to maximize on previous investment in IT, IS and staff skills transfer. Using a third party to perform this audit may be an additional cost; however, it can help confirm the internal audits carried out by each party and has the merit of providing impartial advice.

  • Given that each entity should have its own security team and a CSO, it is worth creating an interim security focus group during the pre-deal and due diligence stages, after which a restructured security team under the heading of a single CSO must be put in place

Avoid the Usual Mistakes

  • A number of usual mistakes have to be avoided at all cost during the M&A lifecycle so as to ensure that security levels are maintained
      • One should not assume that the security of the acquiring organization (or of the larger organization, in the case of a merger) is better than that of the acquired party; the M&A process is an opportunity to take the best of both security strategies to create an even stronger and future proof security environment for the combined organization
      • The transition from two working environments and cultures into a combined environment is a platform to design, deploy and maintain a new security culture within the new organization. This brings issues in terms of managing change and dealing with new attack vectors, and organizations should be prepared to handle these issues and take pre-emptive action.
      • It is recommended not to create a major cultural change in one high impact announcement. While it may be easier to manage at first, a phased approach incorporating security elements to ensure CIA is adhered to throughout the combined organization is a better long term strategy. Users are less likely to become disgruntled or to abuse the new structure and systems if they can see a clear transition path and if the value add of the new infrastructure, including the security solutions, is sold to them. This can be achieved through security awareness campaigns including elements such as posters, e-learning and games.
      • Where one or both entities are using outsourced IT and/or IS services, the combined organization should be mindful to streamline the number of suppliers so as not to end up with conflicting procedures, policies or even legal frameworks governing how data is processed, retained and discarded. A thorough analysis of supplier contracts and outsourcing frameworks should be done at the due diligence stage in order to avoid further issues.
      • Whilst the legal aspect is typically quite well covered at the pre-deal and due diligence stages, the combined organization should be mindful not to end up with conflicting compliance requirements. For instance, for international M&A deals, data protection and/or retention legal frameworks may conflict, especially if the M&A involves both US and European entities. Similarly, industry compliance requirements imposed on one entity may be completely new to the acquiring organization. For instance, an accountancy firm merging with or acquiring a payment service provider may find itself responsible for completing the compliance project on behalf of the acquired entity in terms of compliance with PCI DSS (Payment Card Industry Data Security Standard). Organizations should be mindful to check industry requirements as well as the local legislation applicable to each entity.

Conclusion
In conclusion, there are a number of key security issues which need to be taken into account right from the outset in M&A deals. Security related issues start arising at the pre-deal stage, where it is crucial to maintain some level of secrecy and to protect the good names of both entities. During the due diligence process, a great number of potential security issues can arise which could also jeopardize the deal: new attack vectors, staff not prepared for social engineering attacks, systems not ready to be integrated or linked. However, a pro-active security strategy will allow the combined post-deal organization to maximize on the best practice security already in place within each pre-deal structure, by identifying and integrating, out of each organization, the most efficient and cost effective technical solutions and the most appropriate security procedures and strategies, as well as implementing the most pro-active security awareness campaigns.

Whilst this is a major undertaking which requires taking into consideration change management, legal aspects and operational change, moving forward the combined post-M&A organization should have stronger, more secure and more reliable security than each of the pre-deal organizations, all managed by a single CSO. Integrating security during the M&A lifecycle should be turned into an ROI engagement resulting in improved security levels for all involved.


Copyright ©2009 The Compliance Authority, Inc.