Traditionally, IT security has never been a major part of the merger and acquisition process. But after a record year for M&As in 2015 and the prospect of even more activity to come, security is becoming more of a priority, especially at the board level. Because the M&A process often takes months to complete, a company’s sensitive information can be in the hands of counterparties and multiple third parties for an extremely long time. Paired with the frequently insufficient data security practices at many third parties, and smart hackers increasingly targeting valuable proprietary information, there is significant risk of data loss or exposure during the M&A process.
In order to protect companies and their data from deal origination to deal close, the following are some key ways to improve security:
Review Partners and Third Parties
Once data leaves your organization, the risk of compromise soars. For a typical transaction, at a minimum, you exchange data with your counterparty, a handful of law firms, and multiple investment banks and advisory firms. How many of those have you evaluated for their security capabilities? And even if you have evaluated your firms, what about those your counterparty brings to the table?
In 2010, Canada’s Finance Ministry, Treasury Board and seven Canadian law firms were breached as a result of their involvement in the $40 billion acquisition of Potash Corp by BHP Billiton Ltd. Information exchanged in the negotiations was worth tens of millions of dollars and extremely beneficial to outsiders. As it turns out, Chinese hackers were believed to be behind the attack in an effort to kill a large deal in the competitive market for potash, a key mineral ingredient in fertilizer. While the acquisition fell apart for unrelated reasons, it goes to show that smart, motivated bad actors know exactly where to zero in for key data and lax security.
While large banks can rely on sizable security teams and budgets, many law firms and smaller boutique advisory outfits cannot. A number of them have small IT teams and very few have dedicated security professionals.
Good security practice involves vetting the partners you entrust with your sensitive data. Have your security team review or survey partner security programs and, if they are not sufficient, find a more secure firm to handle your merger.
The good news is that you do not (and should not) have to wait for a M&A-related opportunity to do this. Get started now and vet the firms you already use. Many of them are probably expecting these types of requests, and many contracts should include the right to audit, so ask away. Firms will likely up their security game when faced with the possibility of losing millions in fees if they do not.
Involve Security Early
While there is a need to keep deal teams small, the CISO still should be involved in the process so that greater protections for critical assets can be put in place. The more your security team is involved, the more useful it can be in anticipating, detecting and eliminating threats to your organization and, in turn, the deal.
The security team should conduct a review of key systems that will be needed during the deal timeframe. They can establish baselines for normal activity and any anomalous behavior can be appropriately flagged for analysis.
The security team can also adjust priorities and fine-tune alerts for attacks against key assets. For example, financial systems are always critical, but during the deal period, attacks against these systems should be treated with a higher threat classification than normal. A certain type of malware on a particular financial asset may normally be classified as a Tier 2 incident, for example, but during the M&A period, it should be upgraded to Tier 1 by default. Additionally, if 10 failed logins to a critical system usually generate a notification to your security team, that number can be tuned down to three. Extra emphasis may be placed on key systems, such as adding additional controls or technology.
Monitor the Internet
Once a merger is announced, fake websites and social media accounts proliferate quickly. Work with your marketing, communication and security teams to lock down accounts and domains in advance that might be used against your post-deal entity to spread false information. Nothing could be more damaging than an imposter tweeting from a genuine-sounding account that the merger is off (affecting stock price) or that 40% of employees will be laid off (affecting employee morale and retention).
Domain and account registration can be used to signal to the market that a deal announcement is on the horizon, so make sure registrations are appropriately timed, handled and obfuscated to the maximum extent possible to prevent tipping off those monitoring for such registrations.
Make sure your existing social media accounts and various applications are also being appropriately protected and monitored for compromise in the aftermath of a deal announcement.
You may also want to monitor websites and social media for any information that could tip you off to pending attacks against the parties in your M&A process or leaks regarding your deal negotiations. Some hackers openly discuss their targets and crowdsource or purchase various attack resources from other hackers.
Review Counterparty Security
If you are on the acquiring side of a deal, you need to enter into an agreement with your eyes wide open to any potential security risks that may be present in the target firm. Have your counterparty’s security program, reports and other aspects vetted by your own security experts (and allow them the same courtesy, in the case of a merger).
Mergers and acquisitions are about the unification of two companies brought together with help from a variety of outside partners. All parties involved bring their own security risk and it is up to those involved with managing enterprise risk and security to make sure all stakeholders are protected from insider and outsider threats throughout the M&A process.