Protecting data in a merger and acquisition

By Marcia Savage, Features Editor, Information Security magazine 14 Apr 2009 | SearchFinancialSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

In the flurry of activity during a merger or acquisition, how does a financial institution ensure its sensitive data is protected?

SearchFinancialSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Many financial firms have been confronted with this problem in the past year, as upheaval in the industry has led to a wave of consolidation. Blockbuster M&A deals in recent months include Wells Fargo & Co.'s acquisition of Wachovia Corp. and Bank of America's purchase of Merrill Lynch & Co.

Obviously, companies have a lot to deal with in a merger, but they can't lose sight of information security, especially in a time of industry turmoil, experts say. Whether it's the changing economic environment or the changing bank landscape, customers are worried, which makes security all the more critical, said Jacob Jegher, senior analyst in the banking group at Celent, a Boston-based financial research and consulting firm.

Phishers thrive on bank M&As Bank mergers and takeovers can create confusion that cybercriminals will try to exploit, security experts warn. In fact, that's just what happened during the industry upheaval last fall. Researchers at security software supplier ESET saw phishing emails that tried to exploit the Wells Fargo and Wachovia merger and other consolidation in the industry, said Randy Abrams, director of technical education at ESET, which has a U.S. headquarters in San Diego, Calif. The scam messages tried to fool people by claiming that they needed to confirm their online banking credentials or input their personal details into a Web form. "When companies are merging, they need to be pretty quick on the draw," or the bad guys will exploit the situation, Abrams said. While it's difficult to protect every customer from falling for phishing scams, banks can proactively communicate with their customers as soon as possible during an M&A and let them know they won't ask for personal information via email, he said. "That has to be communicated through snail mail.". Another way financial institutions can protect themselves and their customers against phishing attacks is to register domains that are similar to theirs, Abrams said. Nalneesh Gaur, principal and chief security architect at Chicago-based Diamond Management and Technology Consultants, said a bank's reputation can take a hit during an M&A if phishers manage to steal a client's information. "This is the time that hackers are going after both organizations," he said. In the event of a data breach, it's important for financial firms that are merging to have integrated security operations so that they are ready with an incident response plan, Gaur said. "If an incident were to happen, who will be the one responsible?" he asked. "You don't want one side pointing fingers at the other side." ~ Marcia Savage

"One thing the banks must focus on is maintaining relationships and building trust or rebuilding trust when it comes to their customers, given how messy the financial services industry has been," he said. "If they don't pay attention to data security, which is a key component of maintaining relationships, they could have a real disaster on their hands. There's no shortage of banks out there. It's a competitive market and customers have to be with a bank they trust."

Making sure customer data and sensitive corporate information is secure during an M&A involves a number of steps, from prioritizing risks and policy alignment to locking down access controls and performing third-party reviews, experts said. Here are some top considerations when it comes to maintaining data security in a merger:

The human factor
In any merger or acquisition, people are the overriding factor and are far more important than technology, said Jonathan Gossels, president and chief executive at Sudbury, Mass-based security consulting firm SystemExperts.

"In every IT organization -- especially in these large financial institutions -- there are quality people. What's critical is that they be identified early," he said. "You need to identify that talent early on to make sure you retain it."

Too often in M&As, there's a perception that one company is the winner and the other is the loser, which is not healthy, Gossels said: "When the IT and security departments are viewed as the losers, in a short time the talent is gone."

Another consequence is that the company perceived as the winner makes erroneous assumptions about the other company's employees and IT systems, said John Calvin "Cal" Slemp, managing director of security and privacy solutions for Protiviti, a global consulting and internal audit firm.

"They assume everything is at the same level of maturity as they are, which most always is wrong," he said. "There also are lots of instances where what they're bringing in is much better."

The M&A process can be hindered by differences in corporate cultures, said Brad Johnson, vice president at SystemExperts. "Even in the same industry, every company has its own culture about the way it communicates and makes decisions. … They never reconcile those cultural differences or make it clear which culture is appropriate for moving on," he said.

Gossels says it's critical for financial institutions that are merging to take -- early on -- a team-building approach that retains the strength of each organization's practices. That often starts with an objective third-party review.

"It's not really an audit, but more of a team-building exercise," he said. "The point is to get the two security teams working together for a common goal and to build a coherent security strategy and road map."

This team-building approach needs senior management support to succeed, Gossels said. Without it, "you end up with partial progress and can linger in that partial state for years with people protecting their turf and the way they've always done things," he added.

Prioritization and policies
Financial institutions that are merging need to take stock of each company's security policies and perform a gap analysis, said Celent's Jegher. "It's really about standing back and asking, 'What are the biggest risks?' and tackling those in order or priority," he said.

For example, a bank that encrypts backup tapes before shipping them out might decide it's a priority that the bank it's acquiring change procedures to follow suit, he said. Synchronizing other procedures, such as how tapes are transported, might not be deemed a priority.

Security policy alignment is critical, said Nalneesh Gaur, principal and chief security architect at Chicago-based Diamond Management and Technology Consultants. In fact, it's an area financial institutions should examine during the due diligence phase before a merger or acquisition, he said. "The truth is many merging organizations rush into a relationship without understanding their information risks."

In a merger, organizations need to start by establishing a steering or oversight committee that establishes data protection policies for the new entity, said Steve Katz, founder and president of consulting firm Security Risk Solutions and former CISO at Citigroup Inc. "Data-centric security is what you want -- you want to protect the data regardless of where it is," he said.

Related information: How to 'discover' M&A security posture: If done improperly, an M&A can leave your financial company exposed. This tip offers a methodology for the acquiring company to ensure that doesn't happen. Global authentication policies made easy: The challenge of implementing global authentication policies can be alleviated. Joel Dubin lays out best practices for overcoming language, culture and architecture problems. Bank IT spending will grow only slightly: Risk will be the top concern for banks this year as they look to get more out of their risk management systems, research firm says.

In creating the new entity, it's critical that companies don't do anything that impacts customer trust, says Katz, who is widely regarded as the first CISO.

"You want to make sure you've done everything possible to let customers know their information is protected and will be carefully managed throughout the entire merger process," Katz said.

To that end, financial institutions should move quickly to educate employees about information security policies, Protiviti's Slemp advises. "Because you have a new population, it's important to say, 'Here's what's important to us and here's what's expected of you as an employee'.".

Access controls and the insider threat
Along with educating employees about security, organizations need to ensure they have strong access controls during an M&A. Employees are anxious about their jobs and disgruntled workers pose a risk to data security, making access controls critical, experts say.

"After a merger, there's probably a resource rationalization effort where some people are let go," Diamond's Gaur said. "This is a situation where someone could do something really malicious and more damage than the entire merger is worth."

Layoffs are routine in mergers and acquisitions, but organizations sometimes don't move very quickly on de-provisioning, Slemp said. His firm has worked with financial-services firms in the M&A mode to integrate their overall identity and access management systems by using a federated approach.

"It leverages whatever they're using but homogenizes it to allow the movement of applications … where a person is able to have the same rights to the new data in the new organization," Slemp said.

Financial-services firms are heavily regulated, making identity and access management all the more important, Gossels said.

"They need to be able to know who -- especially people with privileged access -- has access to what, rationalize why they have it, and be able to report on that at all times," he said.

Another step financial institutions can take to protect data from insiders is to be careful in how information is handled in testing during the conversion phase, said George Tubin, senior research director at TowerGroup, a financial research and advisory services firm based in Needham, Mass. While some banks will keep their systems separate, usually a merger leads to a process in which customer information and other data is converted to a common system. During this conversion process, there's a lot of testing done, some of it with actual sensitive customer data extracts, he explained.

"Make sure people are treating the data properly, and that you're only providing as much data as needed so you're not overexposing data," he said.

Organizations need to make sure employees and contractors aren't copying the data or sending it out, he added, or look into using technologies that mask data so employees aren't working with the real information.

For any sensitive corporate data, whether it's customer personal information or intellectual property, Katz recommends encryption controls be implemented to protect it in the event access controls fail.

Third-party oversight
Financial-services firms, like a lot of organizations, outsource a lot of functions to service providers. Some of those vendors handle personally identifiable information, notes Protiviti's Slemp. A bank merging with another bank needs to consider the security of not only the other institution, but its suppliers and vendors, he said.

"This subset tends to get overlooked," he said.

SearchSecurity radio:

Indeed, organizations can overlook the network connections of business partners during an M&A, Gaur said. "It's very important to pay attention to what partners can now access given that you have a merged organization."

Companies should have a standard system for checking on the security of their vendors and business partners and conduct periodic assessments to know where the risks are, Guar added.

Slemp said the Shared Assessments Program can help financial institutions assess third-party security controls. Shared Assessments is a program of BITS, a division of The Financial Services Roundtable, and provides industry-developed tools that can streamline vendor management.

Don't rush
Oftentimes, the conversion process in an M&A is run on a tight schedule, but Tower Group's Tubin warns organizations not to speed through it too fast. "You need to make sure when you're rushing across that finish line that you're not cutting corners."

In a lot of cases, the financial institutions merging are products of previous mergers, SystemExperts' Gossels notes. Companies that take the time to get the merger process working properly have an opportunity to correct any problems resulting from those earlier "partially digested" mergers, he said.

"It's a long-term process and starting from the beginning by pointing collectively to the future without getting trapped into winners and losers is crucial," Gossels said. "It's hard enough to sort out when you have the talent who understands how it all works. It becomes impossible when the people who know how it works are gone."

Tags: Data breaches and prevention strategies,  Data classification methods and guidelines,  Risk assessment and management in financial institutions,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data breaches and prevention strategies Bank computer technician indicted in identity theft scheme Survey: Consumers don't trust banks to keep their data secure ChoicePoint settles with FTC over second data security breach Data breach lawsuit puts spotlight on bank's security measures Google ordered to deactivate Gmail account after bank email error Threat of insider fraud growing with bad economy Data breach protection: Implementing vendor breach safeguards Zeus Trojan hitting banking customers hard TJX settles with banks for $525,000 RBS WorldPay agrees to market VeriFone end-to-end encryption Data classification methods and guidelines How to secure data backup Download presentations from Financial Information Security Decisions 2009 Data governance and classification Data encryption: Pre-implementation best practices Data encryption: Q&A with Eric Leighninger Event data analysis By addressing data privacy, companies avoid public scrutiny How to classify security for enterprise file folders Encryption best practices Time to prepare for SAN security Risk assessment and management in financial institutions Don't forget the cleaning crew in your vendor management program Shifting to a flexible information security framework Threat of insider fraud growing with bad economy Social engineering tests should make sense, not headlines How to combat the insider threat ACH fraud on the rise, experts say Social media: Risk management strategies for financial institutions Podcast: Detecting and investigating insider fraud Download presentations from Financial Information Security Decisions 2009 Two conversations about risk assessment

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Governance, Risk and Compliance  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary