Evaluating Security Aspects of M&A Investment Deals

M&A activities can introduce a number of unexpected security risks to an organization and affect the overall value of an investment.  Acquiring or divesting intellectual property, people, or technology environments can expose corporate assets, bypass important security controls, and create situations of liability and regulatory non-compliance.  Additionally, unknown security incidents at an acquisition may require significant clean-up investment and dramatically reduce the value of acquired IP, thus undermining value of the prospective deal.

When acquiring another company, it can be a mystery what security problems you may inherit.  Are their systems riddled with malware, employees careless in security practices, has the IP been already been stolen, or is the network vulnerable to outsiders?  Connecting an acquired company’s assets, networks, processes, and people to a parent company can put in jeopardy the organization and quickly undermine an established security posture.

Experts believe examination of a company's IT security posture should be part of the due diligence process prior to investment or mergers and acquisition activity.

It is important to evaluate the technical and behavioral aspects with consistent and comprehensive rigor, so proper risk management and deal value decisions can be made.  Analysis results become a primer for the institution of any controls deemed necessary as the project progresses.

For a few years, I had the pleasure of leading the security program of Intel’s mergers, acquisitions, divestitures, site closures, and co-location projects.  I developed a training presentation for new security champions and to educate deal partners on risk areas.

I found M&A security work to be truly fascinating and challenging.  Typically, there are political, business, technical, and behavioral challenges to overcome.  In the end, proper diligence in managing the security of M&A projects is important to the determination of proper deal value and lays the framework for establishing necessary controls to protect the acquiring organization.

Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts

LinkedIn: http://linkedin.com/in/matthewrosenquist

Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.