By Braun Jones, Partner, WWC Capital, LLC
When two companies combine, one of the most critical keys to success is a successfully executed integration. Regardless of how similar the two companies are when the deal is consummated, maximizing the results of the union is a complex and challenging process.
One item that is sometimes ignored or forgotten during a merger process is information security. IT is a critical component in virtually all companies, now more than ever, and will be increasingly so in the future. During the early phases of a deal, decisions are made on how to bring two IT environments together to promote successful business integration and increase overall corporate efficiency and productivity moving forward. From a security perspective, the posture of each organization can be greatly disrupted during a merger. These changes can cause confusion around long-established business processes and introduce new risks and vulnerabilities to the overall organization and IT infrastructure.
Recently, I read an article in GovInfoSecurity that highlighted the unique challenges faced by CSOs during the M&A process. As we all know, companies have different security practices. Some companies are willing to take more risks when it comes to security or simply do not know what risks they face. Other companies are more risk averse and more knowledgeable. So, when companies of differing opinions and capabilities come together, it is necessary to quickly find common ground.
The article provided six tips for managing security issues during the deal:
- Plan and get involved: Develop a solid plan and roadmap of critical data elements holding high-risk implications, including customer account information, social security numbers, employee and customer records and proprietary information. This will produce a data management plan that can be vetted by all parties. The privacy officer must further understand who the key entities are on each side with oversight and control of information.
- Streamline the process: Establish a simplified process to know what critical data elements are there, what regulations are effective and play an active role on the acquiree side, and what type of security and IT controls they have, and chalk out details on how the data needs to migrate.
- Constantly communicate: Establish a constant flow of communication on both sides regarding questions such as: Who will manage the data? Who is responsible for which data on each side? What are the control structure and the impact of regulations on both sides with respect to data privacy? Who will participate in data conversions, testing and dry runs? Who is responsible for communicating with customers on what’s happening?
- Understand the infrastructure: Develop an understanding of the technical controls environment of the acquiree or the merging organization to know where the gaps are with respect to data privacy.
- Understand the legal aspects: Focus on what the privacy policies are on both sides. Look into details of privacy notices handed out to clients. And understand the commitments made to customers.
- Educate: Schedule training and awareness programs for employees and customers of the organization. From a customer’s perspective, privacy officers need to address what’s happening to their account information. How soon can they access their online accounts? When are data conversions taking place? What measures is the company taking to protect their information? All parties need to be educated on new functions and information disclosure procedures to avoid being the target of phishing scams and other fraudulent activities.
IT and cyber security are increasingly critical to the enterprise and should not be an afterthought during the M&A process. What tips would you include on this list? Drop us a comment and let us know.