In the flurry of activity during a merger or acquisition, how does a financial institution ensure its sensitive data is protected?
Many financial firms have been confronted with this problem in the past year, as upheaval in the industry has led to a wave of consolidation. Blockbuster M&A deals in recent months include Wells Fargo & Co.'s acquisition of Wachovia Corp. and Bank of America's purchase of Merrill Lynch & Co.
Obviously, companies have a lot to deal with in a merger, but they can't lose sight of information security, especially in a time of industry turmoil, experts say. Whether it's the changing economic environment or the changing bank landscape, customers are worried, which makes security all the more critical, said Jacob Jegher, senior analyst in the banking group at Celent, a Boston-based financial research and consulting firm.
"One thing the banks must focus on is maintaining relationships and building trust or rebuilding trust when it comes to their customers, given how messy the financial services industry has been," he said. "If they don't pay attention to data security, which is a key component of maintaining relationships, they could have a real disaster on their hands. There's no shortage of banks out there. It's a competitive market and customers have to be with a bank they trust."
Making sure customer data and sensitive corporate information are secure during an M&A involves a number of steps, from prioritizing risks and aligning policies to locking down access controls and performing third-party reviews, experts said. Here are some top considerations when it comes to maintaining data security in a merger:
The human factor
In any merger or acquisition, people are the overriding factor and are far more important than technology, said Jonathan Gossels, president and chief executive at Sudbury, Mass.-based security consulting firm SystemExperts.
"In every IT organization -- especially in these large financial institutions -- there are quality people. What's critical is that they be identified early," he said. "You need to identify that talent early on to make sure you retain it."
Too often in M&As, there's a perception that one company is the winner and the other is the loser, which is not healthy, Gossels said: "When the IT and security departments are viewed as the losers, in a short time the talent is gone."
Another consequence is that the company perceived as the winner makes erroneous assumptions about the other company's employees and IT systems, said John Calvin "Cal" Slemp, managing director of security and privacy solutions for Protiviti, a global consulting and internal audit firm.
"They assume everything is at the same level of maturity as they are, which most always is wrong," he said. "There also are lots of instances where what they're bringing in is much better."
The M&A process can be hindered by differences in corporate cultures, said Brad Johnson, vice president at SystemExperts. "Even in the same industry, every company has its own culture about the way it communicates and makes decisions. … They never reconcile those cultural differences or make it clear which culture is appropriate for moving on," he said.
Gossels says it's critical for financial institutions that are merging to take -- early on -- a team-building approach that retains the strength of each organization's practices. That often starts with an objective third-party review.
"It's not really an audit, but more of a team-building exercise," he said. "The point is to get the two security teams working together for a common goal and to build a coherent security strategy and road map."
This team-building approach needs senior management support to succeed, Gossels said. Without it, "you end up with partial progress and can linger in that partial state for years with people protecting their turf and the way they've always done things," he added.
Prioritization and policies
Financial institutions that are merging need to take stock of each company's security policies and perform a gap analysis, said Celent's Jegher. "It's really about standing back and asking, 'What are the biggest risks?' and tackling those in order of priority," he said.
For example, a bank that encrypts backup tapes before shipping them out might decide it's a priority that the bank it's acquiring change procedures to follow suit, he said. Synchronizing other procedures, such as how tapes are transported, might not be deemed a priority.
Security policy alignment is critical, said Nalneesh Gaur, principal and chief security architect at Chicago-based Diamond Management and Technology Consultants. In fact, it's an area financial institutions should examine during the due diligence phase before a merger or acquisition, he said. "The truth is many merging organizations rush into a relationship without understanding their information risks."
In a merger, organizations need to start by establishing a steering or oversight committee that establishes data protection policies for the new entity, said Steve Katz, founder and president of consulting firm Security Risk Solutions and former CISO at Citigroup Inc. "Data-centric security is what you want -- you want to protect the data regardless of where it is," he said.
In creating the new entity, it's critical that companies don't do anything that undermines customer trust, said Katz, who is widely regarded as the first CISO.
"You want to make sure you've done everything possible to let customers know their information is protected and will be carefully managed throughout the entire merger process," Katz said.
To that end, financial institutions should move quickly to educate employees about information security policies, Protiviti's Slemp advises. "Because you have a new population, it's important to say, 'Here's what's important to us and here's what's expected of you as an employee.'"
Access controls and the insider threat
Along with educating employees about security, organizations need to ensure they have strong access controls during an M&A. Employees are anxious about their jobs, and disgruntled workers pose a risk to data security, making access controls critical, experts say.
"After a merger, there's probably a resource rationalization effort where some people are let go," Diamond's Gaur said. "This is a situation where someone could do something really malicious and more damage than the entire merger is worth."
Layoffs are routine in mergers and acquisitions, but organizations sometimes don't move very quickly on de-provisioning, Slemp said. His firm has worked with financial-services firms in M&A mode to integrate their overall identity and access management systems using a federated approach.
"It leverages whatever they're using but homogenizes it to allow the movement of applications … where a person is able to have the same rights to the new data in the new organization," Slemp said.
Financial-services firms are heavily regulated, making identity and access management all the more important, Gossels said.
"They need to be able to know who -- especially people with privileged access -- has access to what, rationalize why they have it, and be able to report on that at all times," he said.
Another step financial institutions can take to protect data from insiders is to be careful in how information is handled in testing during the conversion phase, said George Tubin, senior research director at TowerGroup, a financial research and advisory services firm based in Needham, Mass. While some banks will keep their systems separate, usually a merger leads to a process in which customer information and other data is converted to a common system. During this conversion process, there's a lot of testing done, some of it with actual sensitive customer data extracts, he explained.
"Make sure people are treating the data properly, and that you're only providing as much data as needed so you're not overexposing data," he said.
Organizations need to make sure employees and contractors aren't copying the data or sending it out, he added, or look into using technologies that mask data so employees aren't working with the real information.
For any sensitive corporate data, whether it's customer personal information or intellectual property, Katz recommends encryption controls be implemented to protect it in the event access controls fail.
Financial-services firms, like a lot of organizations, outsource a lot of functions to service providers. Some of those vendors handle personally identifiable information, notes Protiviti's Slemp. A bank merging with another bank needs to consider the security of not only the other institution, but its suppliers and vendors, he said.
"This subset tends to get overlooked," he said.
Indeed, organizations can overlook the network connections of business partners during an M&A, Gaur said. "It's very important to pay attention to what partners can now access given that you have a merged organization."
Companies should have a standard system for checking on the security of their vendors and business partners and conduct periodic assessments to know where the risks are, Gaur added.
Slemp said the Shared Assessments Program can help financial institutions assess third-party security controls. Shared Assessments is a program of BITS, a division of The Financial Services Roundtable, and provides industry-developed tools that can streamline vendor management.
Oftentimes, the conversion process in an M&A is run on a tight schedule, but TowerGroup's Tubin warns organizations not to rush through it. "You need to make sure when you're rushing across that finish line that you're not cutting corners."
In a lot of cases, the financial institutions merging are products of previous mergers, SystemExperts' Gossels notes. Companies that take the time to get the merger process working properly have an opportunity to correct any problems resulting from those earlier "partially digested" mergers, he said.
"It's a long-term process and starting from the beginning by pointing collectively to the future without getting trapped into winners and losers is crucial," Gossels said. "It's hard enough to sort out when you have the talent who understands how it all works. It becomes impossible when the people who know how it works are gone."