Mergers and acquisitions (M&A) have the potential to introduce significant cybersecurity risks for organizations. M&A teams are generally limited in size and focused on financials and business operations, with IT and cybersecurity taking a back seat early in the process, according to Doug Saylors, partner and co-lead of cybersecurity with global technology research and advisory firm ISG. “Assumptions about connecting networks, ‘rationalizing’ IT and cybersecurity platforms and staff are generally made with limited knowledge of the actual functions and work performed in each organization,” Saylor says.
A company merging, being acquired, or undergoing any other M&A activity must be able to evaluate security requirements that could affect the business strategy and risks of the future entity, according to a report on cybersecurity in the M&A and due diligence process from Gartner. “This results in an understanding of the state of security in the acquired company (to the extent possible pre-deal) to ensure that there are no rude shocks and in a plan for how to address the integration aspect safely and securely,” the report noted.