
Maintaining information, IT and cyber security during a merger or acquisition

Dr. Jim Kennedy shares his personal experiences.

Providing a thorough and comprehensive information, IT and cyber security management program is one of the most important things a global business organization can do for its shareholders, employees and customers. By doing so the company can reasonably ensure that critical customer information, intellectual property and financial assets are properly and adequately safeguarded, and it demonstrates that management is exercising the necessary due care. However, companies that are preparing for, or are in the midst of, a corporate merger or acquisition (MoA) will face some formidable and distinctive information security challenges and opportunities.

Any company, anywhere in the world and in any industry, could find itself part of the ever-increasing merger and acquisition activity that characterizes business today, especially given the recent state of the world economy. Information, IT and cyber security departments may already be facing significant budgetary, technological and political challenges as they navigate the M&A waters from the pre-merger period through to post-merger or post-acquisition integration.

The work of the information, IT and cyber security department often begins before the actual merger or acquisition has taken place. In the early stages of the negotiation, teams from the acquiring entity are dispatched to review and understand exactly how the other company operates and what technologies it uses. One member of this team should be from the security department. That person should review the critical information assets of the firm to be acquired and how they are currently secured. They will need to ensure that the technologies and infrastructure that store critical customer, financial and legal data are properly protected and adequately backed up. They will also need to understand all of the network ingress and egress points where data flows into and out of the organization, so that each portal can be properly identified and protected, especially connections to third parties and the Internet.

I have been personally involved with several mergers and acquisitions over my thirty years in the information security, business continuity and disaster recovery field, and I offer some suggestions for those who are about to be engaged, or are already engaged, in merger or acquisition information, IT and cyber security support:

Make sure there is adequate budget

Merger and acquisition work will definitely stretch any organization's budget and manpower, and information, IT and cyber security is no exception. There are usually monies specifically earmarked for the MoA activities. Make sure that there are enough monies in that budget to provide for all of the work required, both pre- and post-MoA, to evaluate and integrate the current business continuity management program into the newly formed business. If business continuity staff are already overtaxed, then figure in the cost of outside consultants and IT experts, if necessary, to aid in planning and developing technical solutions.

Perform due diligence

Perform the due diligence before merger activity actually begins. Evaluate the information, IT and cyber security and the business continuity and disaster recovery policies, practices and procedures of the firm to be acquired to determine how well formulated and documented its security program is. Find out the results of recent testing efforts and establish how well trained the new company's information, IT and cyber security team members are. Find out whether the risk assessments and operational impact assessments are up to date and whether current security practices and controls are fit for purpose. Learn as much as possible about the business. Work closely with your information, IT and cyber security counterparts to determine, at a high level, which processes, systems or locations are mission critical to the operation, and learn how information, IT and cyber security controls and strategies are implemented in those areas. The more you can learn about the new organization's security programs, the better prepared you will be to converge the two businesses' planning and recovery efforts.

It has been my experience that the very first thing the newly combined entity will want to do is to communicate verbally and via e-mail, and to access the critical databases of financial data, customer data and manufacturing processes of both organizations in a unified fashion. Those systems should be quickly identified and reviewed, and business continuity managers should be part of the implementation effort, to ensure proper security and continuity of services. Make sure that all maintenance agreements carry over to the new entity and that all contracts concerning recovery of services, security systems and data remain in effect post-MoA. I have seen a case where the two companies had the very same maintenance vendor. The maintenance contract that was in effect with the acquiring company was the one the vendor honored when an incident occurred during a post-MoA event, even though the other firm's contract contained faster response and quicker repair times. So I recommend that all maintenance contracts, hot-site agreements, insurance policies and vendor contracts be reviewed in light of the MoA, and that meetings be held with all vendors to make sure that all parties know exactly what to expect post-MoA in case something happens and a contract or agreement needs to be executed. Any third-party security monitoring should be reviewed to ensure that no lapses in important security logging, review and oversight occur pre- or post-merger/acquisition.

If the company being acquired lacks adequate information, IT and cyber security practices, something needs to be done immediately to protect both organizations as of Day One (the day the merger actually takes effect legally). Use the best information, IT and cyber security subject matter experts (SMEs) you have to help implement initial, short-term policies and practices, while identifying gaps and developing plans for post-MoA security work. If these SMEs are already taxed to their limits, then bring in consultants to evaluate and validate the state of the information, IT and cyber security posture and to develop interim steps to shore up the environment until permanent policies, procedures and technologies can be implemented. A company's IT and information assets are most vulnerable during the transition or convergence phase of a merger or acquisition. This is a time when hackers or cyber criminals like to attack.

Make sure that third-party providers' or business partners' recovery objectives align with your new company's

Review the information, IT and cyber security practices of the critical third-party providers or business partners of the company about to be merged with or acquired. Investigate to ensure that the recovery objectives of these third-party providers and partners align with the business goals of the company you are about to merge with or acquire, as well as with those of your own organization. If possible, obtain copies of recent audits, especially SAS 70 audits or external audits. Make sure that all security policies of your firm can be upheld if one of these entities suffers a security breach or incident. Conduct tests as soon as possible with these third-party providers or partners to ensure that what is on paper matches reality. If there are severe issues with the confidentiality, integrity or availability capabilities of these third parties, they should be brought to the attention of senior management immediately, as they could affect operations post-merger. Ensure that information, IT and cyber security objectives are consistent with the SLAs and requirements of the newly formed business.

Anticipate failures and unplanned incidents

When joining the complex infrastructures of two business organizations together, failures occur, errors are made (both by accident and sometimes on purpose by disgruntled employees), and technology is stretched to breaking point. It is imperative that a complete incident response and communication plan is in place and tested prior to Day One of the merger or acquisition. This will allow the new organization to address problems even while it is still relying on information, IT and cyber security plans developed pre-merger. Make sure that each organization's information, IT and cyber security team is fully aware of what is expected of it pre-merger, during the first 90 days post-merger, and during full convergence of the two organizations. The more rapidly the two organizations' teams begin to interact and share information, the quicker the protective umbrella of information, IT and cyber security will be opened and available to protect the new business. Test the incident response to make sure that communication bridges, channels and call-out lists are current as of the date of the MoA. Also make sure that escalation procedures are current, in place and tested.

Merging the two infrastructures, networks and IT organizations will take some time and will not happen overnight. In many cases it takes 90 days or more to fully integrate the data and voice networks, so make sure that any incident management and reporting system provides the following:

* A single individual in command of the incident or event;
* Rapid identification of the extent of the incident;
* Escalation up both organizations' operational management chains;
* Regular and timely communications to all organizations and business units affected until the incident or event is handled; and
* A failure analysis investigation and report indicating what will be done to prevent the incident or event from recurring.

The incident response plan must include regular updates to all business unit leaders in both organizations to make sure that they are apprised of what has happened, what is being done, and any estimated time to recovery. This allows them to provide necessary contingencies for their respective operations.

Begin post-merger or acquisition planning as soon as possible

Whether or not IT management is ready for a merger or acquisition, the business continuity organization must deal with two or more IT departments that are in a state of transition. Pre-MoA systems for the companies must be maintained and operated; users must continue to receive the same level of service as before the merger or acquisition. At the same time, many, if not all, of the major applications will probably need to be consolidated within a six- to eighteen-month window.

Post-merger, a governance model should be established, and an information, IT and cyber security steering committee should be organized and staffed by key subject matter experts from both of the joining business operations. They should review the policies and practices of the two companies and select the 'best of the best': that is, select the best practices from each entity and integrate them into the overall business continuity management framework of the new corporation.

The 'not invented here' mentality, which often comes from the acquiring entity's personnel, should not be tolerated. The author has seen firsthand that an entity being acquired actually had much superior policies, processes and procedures, in both the security and the business continuity and disaster recovery areas, to the company that was acquiring it. By putting egos aside and working towards the best practices, I have seen the new company implement a far superior BC management program than any of its competitors.

Metrics should also be established to report to senior management on progress towards full integration of the information, IT and cyber security and business continuity management program. These metrics will provide information about the state of completion of risk assessments, operational impact analyses, and information, IT and cyber security and business continuity and disaster recovery plans for all critical systems and business entities after consolidation. They will also provide status reports on all testing that has been conducted and on plans for any tests to be conducted according to policy.

Keep everyone informed

Lastly, the most important issue is communication. A clear understanding of the importance of an effective information, IT and cyber security and business continuity program from Day One must be communicated by senior staff and reiterated by the managers at each operating level. As each business unit is evaluated, and new information, IT and cyber security plans or solutions are put into place, the reason for their existence needs to be communicated to employees, to emphasise that the purpose is to strengthen the organization and to protect it from unforeseen events. In addition, each business unit of the newly created business should train its recovery teams on their roles and responsibilities in case an incident response, information, IT and cyber security, or business continuity/disaster recovery plan needs to be activated.

About the author
Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV is the Business Continuity/Security Services Practice lead and a principal consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of an e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’. jtkennedy@alcatel-lucent.com

Date: 13th Nov 2008 | Region: US/World | Type: Article | Topic: IT continuity
Copyright 2010 Portal Publishing Ltd