Companies routinely conduct financial and technical due diligence before a merger or acquisition. With cyber security becoming an important business concern, information security due diligence needs to be added to that list with as much weight as more traditional business and general technical due diligences.
When organizations fail to conduct cyber due diligence, they jeopardize the merger, a situation Verizon and Yahoo apparently find themselves in. Last week a Verizon official said she was unsure about the telecommunication giant’s purchase of struggling Yahoo, which disclosed in 2016 that two separate data breaches had impacted more than 1 billion users. Verizon has already asked Yahoo for more favorable deal terms.
From complexity and from a risk perspective, mergers are definitely a case of one plus one is greater than two. The risk in the final entity is greater than the simple sum of the risk each one carries individually. Each company has its own IT systems, IT practices, cyber security policies and security risks. All of these respective points need to be identified and understood before a merger is finalized, and the new state post-merger also has to be understood. In a sense this is Metcalfe’s Law written large with a twist.
After figuring out what IT and security look like at each individual company, what form they’ll take in the new organization has to be figured out. Not answering these questions raises the prospect of the merged entity using a blend of technologies and information security practices, leading it to incur greater risk. If remediation, for example, is handled two different ways because each company followed different incident response plans, threats may never get fully resolved; and malicious operations that traverse the new combined IT shop will have more options for tactical exploitation.
The new business must have uniform IT and security footprints and must identify a finite period of time and a plan to get there. Countermeasures in the interim period might require special expense and investment to shore up risk. Any discrepancy between the two entities in the merged company can impact critical business functions since IT affects all parts of an organization. If a security issue prevents people from completing their jobs, revenue or customers could be lost. The acquisition’s success depends on any IT and security discrepancies being resolved long before a deal is reached.
Getting both organizations on the same IT and security page may require excluding information security staff from the quiet period that companies must engage in after filing paperwork with the Securities and Exchange Commission outlining the merger, and if the counsel and business folks working the deal don’t know that, chances are it security and risk folks went get engaged until too late. Information security personnel from both organizations may need to be walled off from their respective companies and permitted to talk about all things related to how they protect their business from attackers.
The importance of considering information security in mergers is well understood by security departments and the people who protect endpoints for a living. They can see how poor security can sour a deal. This message isn’t for them. The challenge is convincing others in the business, especially the people championing a given merger on why security matters to them. The captains of business who orchestrate merger and acquisition deals think in terms of bottom lines and quarterly revenues, not the benefits of proactive defense or real-time detection.
Planning cyber due diligence to get ahead of any potential information security surprises brought on by a merger goes beyond the role of the CISO in isolation and should be the responsibility of the CEO, COO, CIO and chief legal officer. Board members also have a role in this process, given that information security is now discussed in boardrooms. They should be asking executives if they’re planning on conducting cyber due diligence or if they’re willing to accept the risk that accompanies not factoring security into a merger.
In theory, the CISO should be involved in all discussions involving major initiatives, including whether to purchase another company. Too many times, though, boards still equate security with IT and don’t see CISOs as business leaders on par with other C-suite executives.
The new business reality is that security is critical to all parts of an organization. Including the expertise of the person who oversees information security isn’t too great of an ask when weighing the consequences of a strategic action. In the case of a merger or acquisition, omitting the CISO’s perspective could result in a scuttled deal or a corporate marriage rife with security problems and unnecessary risk.