M&A activities can introduce a number of unexpected security risks to an organization and affect the overall value of an investment. Acquiring or divesting intellectual property, people, or technology environments can expose corporate assets, bypass important security controls, and create situations of liability and regulatory non-compliance. Additionally, unknown security incidents at an acquisition may require significant clean-up investment and dramatically reduce the value of acquired IP, thus undermining the value of the prospective deal.
When acquiring another company, it can be a mystery what security problems you may inherit. Are their systems riddled with malware, are employees careless in security practices, has the IP already been stolen, or is the network vulnerable to outsiders? Connecting an acquired company’s assets, networks, processes, and people to a parent company can put the organization in jeopardy and quickly undermine an established security posture.
Experts believe examination of a company's IT security posture should be part of the due diligence process prior to investment or mergers and acquisition activity.
It is important to evaluate the technical and behavioral aspects with consistent and comprehensive rigor, so proper risk management and deal value decisions can be made. Analysis results become a primer for the institution of any controls deemed necessary as the project progresses.
For a few years, I had the pleasure of leading the security program of Intel’s mergers, acquisitions, divestitures, site closures, and co-location projects. I developed a training presentation for new security champions and to educate deal partners on risk areas.
I found M&A security work to be truly fascinating and challenging. Typically, there are political, business, technical, and behavioral challenges to overcome. In the end, proper diligence in managing the security of M&A projects is important to the determination of proper deal value and lays the framework for establishing necessary controls to protect the acquiring organization.