There is an upswing in the number of mergers and acquisitions within the financial services sector, and industry metrics tell us this is a trend that is likely to continue. The financial services and credit union industries carry unique risks that may not be critical to other sectors, the most important of which arguably relates to information security. A credit union acquiring or merging with another organization with significant security risks may assume many of those risks once the merger or acquisition is complete.
Preparing for a Merger or Acquisition
Prior to an acquisition, the current management teams are responsible for their own risks. However, these teams must understand their responsibilities will change with the acquisition.
Crucial to whether the deal moves forward is a deep understanding of the risks – particularly cybersecurity-related ones – in the business being acquired. It has been standard procedure in the past to engage cybersecurity specialists later in the process. We now know the cybersecurity analysis should begin as early as possible in order to map out and understand areas of risk for both of the companies involved, with the merger and acquisition (M&A) team performing a thorough cybersecurity investigation.
A cybersecurity investigation will provide an overall view of the target’s cyber status. It is important that the study cover People, Processes, and Technology, not just IT-centric issues.
Implementing Learnings from a Cybersecurity Study
If completed properly, a cybersecurity study should determine whether the target has adequate or inadequate cyber protections. If significant gaps and risks are found, the team can assume there is a reasonable likelihood the target’s systems may have been or will soon be compromised. The importance of the study becomes apparent when you consider that cyber risks are also business risks. For example, if the target is required to be PCI compliant and it is not, this may result in fines, costs associated with becoming certified, and the loss of the ability to process until the issue is rectified. These issues could wreak havoc on the business case.
Evaluating an organization’s cyber risk is never easy or clear-cut, but without the necessary due diligence during a merger or acquisition, an unforeseen data breach could be devastating. The fallout from cyber attacks is costly, both in monetary terms and in the reputation of the business and its board members.
It is not just the risk taken on from the target company that needs to be considered. Connecting an existing network to that of a newly acquired but compromised organization can also introduce issues into a company that was once comprehensively protected. The new network may connect to third parties that have cybersecurity problems of their own. Missed risks can result in liability for loss of value or reputation damage and substantial cyber risks for the existing business.
The M&A cycle is an exciting time of growth and expansion for an organization. Proper and timely handling of risk issues ensures the process will continue to drive benefit and profitability for the organization as a whole.