IT Department and Security Considerations During a Merger
To enjoy a successful merger, be sure IT functions are properly addressed, updated, and secured.
- By Pradeep Khurana
- May 21, 2021
Due to COVID-19 restrictions, we saw a major decline in merger and acquisitions (M&A) activity last year. However, M&A activity will likely pick up again as restrictions on travel and in-person meetings subside. Smaller companies may be more open to an acquisition to take advantage of near-record high market valuations, and larger companies may ramp up M&A to gain market share and accelerate growth.
Mergers are often very high profile and exciting transactions, but for them to be successful, IT functions must be properly addressed, updated, and secured.
Planning a Secure Merger
When mergers happen, the full IT function should perform the due diligence necessary to ensure data security. Weak security results in theft of valuable intellectual property, trade secrets, business strategies, and personnel information. Not only are these damaging to the business, but data breaches can also impact the valuation of an acquired company and result in a reduced selling price, penalty fees, and lawsuits.
Detailed IT planning before closing the deal will help create a seamless transition. Steps to prepare for the merger and ensure security include:
- Threat evaluation. Identify the company's cyber risks based on industry, geography, partners, products, and services.
- Check hardware and software vulnerabilities. Take inventory, schedule patches, and review digital asset management, cloud services, mobile policies, application vulnerabilities, and data flows.
- Review data. Take a look at data privacy and security controls, including how they pertain to the acquisition; also, review contractual obligations.
Transitioning to a Stronger, Safer IT Department
Key elements of a successful IT transition during a merger include tech stack planning, security reviews, IT leadership planning, IT financial management, and IT strategic alignment. By considering these IT levers, the combined entity can have a secure IT strategy going forward.
Tech stack planning. When a company analyzes its business, it should regularly evaluate the technology infrastructure and strategy. During a merger, conducting this review is even more important. Initially there will be many duplicate systems, and it will take time to select and migrate the systems that will still be used. Many companies will rush to make changes which may result in less oversight, weak points, and poor system integration. It is crucial to allocate sufficient resources to create the best structure.
IT leadership planning. During a merger, roles and reporting structures tend to change. Staying aware of the human aspects can ensure morale stays high during the merger transition so IT department performance remains optimal. Management should clearly and fairly communicate new IT roles and policies.
IT financial management. Complex organizations can have dozens or even hundreds of IT software applications and systems. Companies face numerous overlaps during and after a merger. Software license agreements, network costs, various service agreements, and staff rationalization are all significant areas to gain efficiencies through volume discounts and consolidation. By using IT financial management tools, companies can track their IT spend and identify major cost-saving opportunities.
Security planning. Security breaches often occur during major business transitions. This can happen due to disgruntled employees, increased attention on the companies due to press coverage of the merger, employee distractions, and overwork -- as well as security gaps caused by changing processes. For example, with the merger, numerous new employees are added to the organization's charts, and many people are issued new logins and access to systems. Transitioning employees are unfamiliar with IT processes, and the helpdesk is bombarded by higher ticket volumes. All of this can increase the likelihood of a successful IT breach. It is crucial to remind the entire organization to stay vigilant about IT security before and during the merger.
IT strategy alignment. The last element is more strategic. The companies' leaders should ask what IT infrastructure and capabilities are required for the organization to succeed. With the merger, the business may have new product lines, new revenue models, and different office locations. They may also have very different policies for work from home or bring your own device, etc. Therefore, leadership should revisit and re-vision what is required for IT to enable success for the merged company.
Ongoing Security Improvement
Companies must continue to test and improve their security systems and protocols because, unfortunately, hackers also continue to evolve. Sometimes the first hack is just the beginning. Hackers might enter via a phishing attack and remove some information. They may then continue to monitor harmlessly, waiting for the right time to conduct a more dangerous theft of information or damage to systems.
An initial hack may also make the company more susceptible to future hacks if logins or passwords are leaked on the dark web. It is impossible to know exactly when one has prepared for hacks. Security leaders should continue to check off security items from their list and speak with other experts to improve their systems. The companies at greatest risk are those that are not thinking about security every day.
It can be helpful to hire third-party security consultants to perform regular security audits and penetration tests. Another set of eyes who knows the best practices can help you identify and close threat vectors. It is not inexpensive to hire these third parties, but it is much cheaper than the costs of a severe breach.
Mergers cannot overlook the importance of transitioning valuable IT data and systems to ensure due diligence and continued security. Successful mergers require coordination, planning, and hands-on execution.
Pradeep Khurana is managing director of ContinuServe, a global outsourcing firm, which helps corporations and private equity firms with their IT, finance, and carve-out needs.