Mergers and acquisitions (M&As) are a constant in the banking industry. In the past, when decision makers would consider the strategic goals of M&A activity, they normally focused on the business aspects of a deal; an upfront assessment of information security was not part of the equation. That has all changed.
Today, information security has become a critical part of the overall M&A process, both in participating in the assessments as well as enabling the M&A activity to operate securely. Businesses are beginning to understand that security audit findings can have a direct impact on the acquisition target's value to the acquiring company, such as branding, consumer confidence and industry reputation. Since operational security is now being considered in the overarching strategic planning, risk analysis and due diligence phase, the acquiring business will need to be able to measure security risks in such a way that their business can understand and act upon quickly.
M&A security framework
To cover the areas of security that are applicable and visible to the acquirer during the M&A process, I have devised a simple framework called D.I.S.C.O.V.E.R. The framework outlines the major steps that security professionals should follow in preparation of M&A activity. In addition, the framework enables the acquirer to remain focused on the business strategy while integrating the appropriate level of security through all phases of the M&A. The framework can be broken down into the following main components:
Define targets and objectives
By clearly defining the business goals and security objectives in the M&A process, non-value-add efforts can be minimized and a baseline can be established to determine the business appetite for security during the due diligence phase. Even if the business elects to exclude security from participating in the due diligence tasks, security will still be required to keep the organization's underlying M&A management process secure.
Initiate secure workflow
Once a potential acquisition target has been identified, a predefined workflow should be used to retain supporting documents and all related communications. Security should be applied to the workflow infrastructure to protect confidential information and control access to the data collected about the potential deal. The legal team should ensure that confidentiality agreements are understood and enforced during the early critical stages of the M&A process, both internally and externally, to prevent data leakage. Security assessments should be delivered to the audit team to include in their due diligence activity. A communication plan should be implemented to answer questions related to the M&A activity.
Secure process, data transfer and work areas
Make sure that file systems, storage locations, email and local documents are secured with the appropriate level of security controls. Ensure that the due diligence teams are isolated from normal internal traffic areas both physically and logically. Most organizations will have the need to transfer information during the M&A process, so make sure the organization can provide encrypted file transfers, especially if the M&A team is utilizing public networks or services such as email.
Collect assessment data
Once security assessments are returned, store them internally in a protected area and implement a quality-assurance step to actively scan for negative findings; this will help to clarify answers or identify gaps in the information provided by the acquisition target. Resolving knowledge gaps promptly provides tremendous value and can translate into leverage points that the business can use during the negotiation phase.
Observe the security processes and procedures
Specifically during the security due diligence phase, observe the active and currently documented security process and procedures that are in place at the acquisition target's organization. Key process areas to review include: communication, incident response, security awareness training, sourcing, legal engagement and internal audit assessments. In addition, review the contract structure and the master services agreement language for all third-party arrangements and business partnerships.
Verify security baseline and metrics
Make sure to audit for two key capabilities in the acquisition target's security assessment: test of design and test of effectiveness. Test of design is observing the policy/procedure documentation associated with the core process in question. Test of effectiveness is actually observing how the policy/procedure is being implemented by reviewing the results, reports and metrics.
Evaluate public reputation and issues
This activity can uncover many areas that can become leverage points for the M&A team during negotiations. Search public records, Internet search engines, and social networking sites and blogs to learn more about the perception of the company in question. Determine if the company has had any documented security breaches, internal fraud cases or been investigated by law enforcement or regulatory entities. Online forums and consumer complaint websites can provide a great deal of information that may be beyond what is obvious or readily apparent. These items will certainly provide value when communicated back to the core due diligence team.
Report risks (likelihood vs. impact)
Communication is the key to successfully perform M&A activity. For each finding that is observed or discovered, build a quick reporting structure to demonstrate the likelihood of the issue vs. impact the issue can have on the business. Properly formatting the issues into a risk matrix is critical in delivering the information in such a way that the business can understand and makes decision upon quickly.
By adopting the D.I.S.C.O.V.E.R framework, the security team will be prepared to make a positive contribution to any M&A activity, as well as keep the organization's underlying M&A management process secure.
About the author:
Rick Lawhorn, CISPP, CISA, CHSS, TNCP is the CISO at PLANIT Technology Group and previously was CISO for GE Financial Assurance and Genworth Financial. He has more than 17 years of experience in information technology and extensive security experience, and has created a working group focused on developing meaningful metrics for CISOs. He can be reached at firstname.lastname@example.org.
This was first published in April 2008