Managing a rising tide in post-merger cyber vulnerabilities
“In a series of blog posts, I will explore how industries and companies are tackling Digital Transformation and how integration plays a critical role in the program’s success. Below is part one on M&A Cyber Risks.”
Global mergers and acquisitions chalked up a resilient $678.5 billion in deal values in the first half of 2017, up nearly 9 percent from the same period last year. Mega-deals over $10 billion in value reached record heights and total deal values are at their best since the financial crisis reared in 2008. This is good news for dealmakers, of course.
Yet many M&A deals fail to live up to their promise. The landscape is littered with unsuccessful mergers and acquisitions, companies that didn’t heed obvious risks that, in retrospect, were avoidable. Rather, dealmakers focused on the benefits of the transaction, such as prospects for a larger market share, competitive advantages, reduced costs, increased efficiencies, and more diversified products and services.
Certainly, the risks must be given as much attention as the opportunities. A case in point is the threat of cyber attacks. Once a deal closes and the two companies begin to integrate their operations and systems, their cyber risks increase—dramatically in many cases. Indeed, the integration phase is when the “crown jewels” of both parties are most vulnerable to a cyber attack.
As the buyer and the seller commence the process of combining hundreds of systems and applications, their respective data at the intersection points of the transfer are exposed to an attack. The reason is the need to temporarily remove the filters at these endpoints so data can flow from one system to another. A gaping security hole is pried open, one that hackers can easily exploit.
Once inside the network, hackers can access sensitive, proprietary data about each entity’s operations, financial status, and future plans. This data can be leveraged to extort a ransom from the combined company—if it doesn’t pay up, the confidential information will be leaked to competitors and the public, damaging the reputation of the business and potentially derailing the merger’s hoped-for benefits.
Cyber threats abound across the M&A post-transaction integration terrain. It’s likely that each entity will have different IT policies, cyber security standards and controls, and different procedures with regard to how it collects, uses, transmits, stores, and shares personal information and other categories of data. These differences make it difficult to ensure proper steps are taken to integrate the companies’ systems and applications, increasing the combined organization’s vulnerability to a cyber attack.
A related threat is the possibility that employees from the company with weaker cyber security standards and controls may do risky things that the other company’s employees are explicitly forbidden to do—like open an attachment in an email that looks suspicious. Phishing attacks tend to increase during the systems integration phase of a merger or acquisition because hackers are aware that each party will be using its current email system until they’re integrated. Hackers realize that it’s difficult for an employee at former Company A to discern if an email with an attachment from a senior executive at former Company B is the real thing, making them more likely to click on an infected attachment.
Another post-transaction cyber risk is the cyber security standards of third party vendors. Often, the buyer will retain an IT consulting firm to assist the systems integration. Since the firm will be inside the corporate perimeter, it’s critical that its cyber security policies and procedures are top-notch. Otherwise, the firm can be an entry point for hackers to access both transacting parties’ data, as the massive breach of Target underscored. The entry point for the hackers was the retailer’s third party HVAC vendor.
Yet another risk has to do with the sheer number of IT systems and cloud applications in use by companies today, making the process of integration more complicated. These days it’s not uncommon for a company to have inked partnerships with more than a hundred different cloud providers. When two organizations combine, integrating all the applications, systems and other sources of data consumes an inordinate amount of time. It now takes longer for the combined organization to realize the perceived benefits of the transaction, increasing the opportunity for competitors to seize market share.
Obviously, there is a need for data integrations to occur quickly and seamlessly, minimizing the time in which the oceans of data flow from one system to another, from one application to another. Best practices include identifying all the data assets that need to be transferred first and then determining the specific data standards, policies, and processes that will be used to conduct the transfer. Rather than transferring all the data at once, consider a piecemeal approach in which different data sets are prioritized for transfer at different times. Data that isn’t destined for transfer should be immediately destroyed.
Lastly, invest in integration tools that make it fast and easy to connect applications and different sources of data. Legacy technology requiring teams of developers to handcraft integration software on an as-needed basis is no way to address today’s rapidly expanding universe of cloud applications. As the Internet of Things (IoT) takes off, integrating all the Big Data that will emerge requires a much faster solution.
Our mission at SnapLogic is to make it fast and easy for companies to integrate data and applications. On a single platform, users can rapidly connect diverse systems and applications at their vulnerable intersection points, narrowing the window of opportunity for hackers to attack. Data transfers flow at enterprise speed, accelerating the pace of post-transaction integrations. In turn, this assists dealmakers to realize the perceived value of the merger or acquisition at a much quicker rate—adding up to a rare win, win, win.