All Things Being ISOs

Security and Compliance Challenges Lurking in Mergers and Acquisitions

As M&A Activity Surges, the Overlooked Threats to Information Security and Compliance Come to the Fore.

In the whirlwind of mergers and acquisitions (M&A), where ambitions clash with opportunities, the focus on risk assessment has traditionally circled financial and operational aspects. However, a rising tide of concern is now sweeping through the often-neglected realms of information security and compliance risks associated with M&A. The need to spotlight these latent threats has become more critical than ever.


The Surge in M&A Activity and its Pitfalls


The economic lull of 2020 led to a temporary decline in M&A activity, with businesses either shuttered or adapting to remote work dynamics. However, as the dust settled towards the year's end, a staggering 90% surge in mergers and acquisitions unfolded. Amid this resurgence, the narrative around M&A risk needs expansion, delving into the potential pitfalls within information security and compliance.


The Marriott-Starwood Cautionary Tale


Illustrating the dire consequences of neglecting cybersecurity during M&A, the Marriott-Starwood acquisition in 2015 serves as a cautionary tale. A cyber-attack in 2018 exposed over 200 million guest records, leading to an Information Commissioner’s Office (ICO) fine of almost £100 million. The ICO's verdict highlighted Marriott's failure in due diligence, emphasising the need for thorough security and compliance assessments throughout the M&A process.


The Cost of Oversight


The Marriott case underscores that overlooking security and compliance risks during M&A can be financially and reputationally catastrophic. Security and compliance due diligence, framed as an investment by acquiring organisations, becomes imperative to prevent such dire repercussions.


Mitigating Risks in the M&A Process


1. Pre-M&A: Early Security Posture Assessment

- Conduct high-level security assessments of potential targets early in the M&A process.

- Review publicly available information on security breaches for preliminary insights.


2. During M&A: Diligence is Key

- Establish a data asset inventory to gauge the target's data volume, storage, and transfer methods.

- Conduct detailed security assessments aligned with industry standards (NIST, ISO 27001).

- Evaluate third-party risk management programs to ensure compliance and security in the supply chain.


3. Post-M&A: Consolidation Challenges

- Address the consolidation challenge of security and compliance processes post-M&A.

- Decide between a "best of breed" or integrated approach for processes and technology.

- Prepare an integration plan in advance to ensure a smooth transition on day one.


The Holistic Approach to M&A


Holistic due diligence before, during, and after the M&A process is vital. Although this can be a complex and time-consuming endeavour, the potential fines for non-compliance with data protection legislation are far costlier. M&A, when approached with comprehensive due diligence, not only unveils risks but also offers opportunities to implement new processes and technologies that actively improve the risk posture of the newly formed organisation.


A message from our sponsors, The Ideas Distillery:


If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.


Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).
