Key Considerations For IT Leaders During Mergers And Acquisitions

Posted October 25, 2024 by Sayers 

Merger and acquisition deals picked up the pace during the first half of this year, signaling a comeback from the prior year’s slower M&A market. 

Industries ranging from technology services and finance to retail and healthcare continue to join the deal-making. Expect more to come, as EY forecasts a 21% increase in the number of corporate deals of $100 million or more. 

However, companies often make a critical mistake while navigating the complexities of an M&A event. They focus their due diligence on the financial side, leaving IT infrastructure and cybersecurity at the bottom of the list. 

An already stressful time becomes even more high pressure when the technology and security teams are the last to know. Those teams must quickly determine how to integrate or migrate all the applications and services while maintaining a safe security posture throughout the acquisition or divestiture process.

To relieve that pressure, consider the following as part of your M&A due diligence and planning. 

Cybersecurity Due Diligence Can Make Or Break An M&A Deal

What an acquiring company learns about the to-be-acquired entity during due diligence can influence not only how they will plan and prepare for the acquisition but also whether to move forward. 

M&A due diligence should include:

Applications: Which applications do they have? Where are they located: an on-premise data center or in the cloud? Are they using SaaS-based applications? Will the acquiring company replace the acquired entity’s technology stack or integrate the existing one? When must these applications be connected and communicating? What’s being developed internally or externally? What does the software bill of materials look like, and are there any concerns?

Architecture: What does the physical and logical architecture look like? Understand what software applications the company uses, including the cybersecurity toolset. Tool rationalization assessments are important here to understand the delta between the two organizations, overlaps, gaps, deficiencies and more.

Cybersecurity: Obtain visibility into the assets and technology that exist in the company you’re acquiring as quickly as possible. For example, immediately deploying a CAASM tool can provide enriched information about what’s happening in that environment for all assets and their associated cybersecurity posture.

Data Security: What sensitive data and intellectual property are you acquiring? Ensure each remains protected and secured throughout the acquisition. A data visibility and risk assessment can show what data they have and potential security implications.  

Data Protection: If the two companies are using two different platforms for data protection, then consolidating and merging the backup policies may be necessary. How are they backing up their data, where are they backing up their data and at what frequency?  

Data Centers: Know where the physical locations are, the cloud environments the company is in, and what operating systems and directory services they’re using. Also determine how they’re performing in areas such as identity management, governance, access and privilege management, and patching hygiene. Vulnerability assessments and penetration testing should be conducted.

Human Resources: Understand the roles, responsibilities, job descriptions, skills gaps, and efficiencies of the disparate organizational resources and consider what the merged structure would look like. A skills assessment might be needed to review the cybersecurity resources. Will the acquiring organization take on some or all of those resources?

Monitoring and Observability: Visibility is key. Ensure your organization can properly and comprehensively observe the infrastructure, tools, applications and more. Is additional licensing, infrastructure, storage, etc. required?

Security Posture: Research the dark web and open-source intelligence to reveal past or ongoing breaches. Having that knowledge could potentially pause, cancel, or lower the cost of the acquisition and possibly place you under additional unnecessary liability.

Partners / Agreements: What partners do they have? Do they use a managed service provider (MSP) or managed detection and response (MDR)? What contractual agreements do they have with their cybersecurity vendors? Can those be renegotiated, and what are the contract schedules?

Regulatory Compliance and Governance: What frameworks has the other company adopted, and are they adhering to them? What do their policies, procedures, and guidelines look like? Are there any regulatory requirements that should be considered?

Business Resiliency: Update Your Disaster Recovery And Business Continuity Plans

The merger of two companies brings in legacy systems, data that must be converted, and new groups of people that change the reporting structure. All those changes mean it’s time to update the combined company’s disaster recovery (DR) plans. 

Kevin Finch, Senior Business Continuity Architect at Sayers, says:

“Your Business Continuity and DR plans should all be examined (and updated). The business processes your Business Impact Analysis (BIA) looks at might fundamentally change, people’s responsibilities are going to change, and the interconnectivity between systems is probably going to change. All of that should be accounted for in your plans. Additionally, you want to be sure you’re not leaving yourself vulnerable to a cyber incident while you’re assimilating and converting data — many companies enact lax security policies to help with data conversions during an acquisition, and hackers specifically look for that as a time to attack.”

M&A Tools and Assessments To Improve Efficiencies

A variety of M&A tools and assessments can reveal overlaps, gaps and deficiencies in the two companies’ IT and cybersecurity architecture and program. 

Streamlining redundancies after an M&A activity can improve efficiency and reduce costs. 

Ask Sayers about any of the following services:

  • Business Continuity and Disaster Recovery plans
  • Data Visibility Assessment
  • Data Migration
  • Data Storage Consolidation
  • Cloud Security Assessment
  • Microsoft 365 Consolidation
  • Compute and Storage Assessment and Standardization
  • Cybersecurity Risk and Vulnerability Assessment
  • Identity Governance and Administration
  • Information Risk Register
  • Migration Services 
  • Recruiting Services
  • License Audit
  • Network Connectivity Assessment, Standardization, and Segmentation
  • Security controls gap analysis
  • Security Program Assessment
  • Skills Assessment
  • Third-Party Vendor Risk Management
  • Tool and Platform Reconciliation

Use Case: A Healthcare System Turns To Sayers Managed Security Services During M&A Onboarding

The healthcare industry in particular has seen a high volume of mergers and acquisitions over the past few years. In this use case, a major hospital system in the U.S. has been active in buying and selling businesses such as hospitals and acute care facilities. 

Before onboarding, the acquired locations had operated as independent ecosystems with business-critical elements such as hosting servers, internet connections, data centers, firewalls, and remote access VPNs. Moving those requires time and expertise, as does understanding the intricacies of the various technology brands.

The hospital system turned to Sayers for managed network security services that would keep the legacy systems running without interruption until they ultimately are decommissioned.

Sayers MSSP service for the hospital system has included security vulnerability assessments, firewall migrations and management, firewall rule optimizations, proactive support monitoring, staff augmentation, architecture services, project management, network architecture, and technical account management.

Questions? Contact us at Sayers today to discover extensive technology solutions, services, and expertise to cover all areas of your business.
