In today’s competitive era, businesses all want to stand apart from the competition. Some businesses may provide a truly unique product or service, some may have a celebrity endorsement, and some may sport a memorable name. But as businesses become more successful, another option for further growth is in the arena of mergers and acquisitions.
According to Wikipedia, “Mergers and acquisitions (M&A) are both aspects of strategic management, corporate finance and management dealing with the buying, selling, dividing and combining of different companies and similar entities that can help an enterprise grow rapidly in its sector or location of origin, or a new field or new location, without creating a subsidiary, other child entity or using a joint venture. M&A can be defined as a type of restructuring in that they result in some entity reorganization with the aim to provide growth or positive value…From a legal point of view, a merger is a legal consolidation of two companies into one entity, whereas an acquisition occurs when one company takes over another and completely establishes itself as the new owner.”
While legal and accounting experts are part of all M&A deals, the expert that should always be part of the discussion and due diligence is the CISO (Chief Information Security Officer), or if a business does not have a designated security professional, that hole should be filled by someone with expertise in the information security arena.
During the due diligence process prior to a merger or acquisition, make sure that the business places a value on data security, information security, and data protection. Asking these questions may change your mind about moving forward with the merger or acquisition:
 Who is responsible for security?
 What protocols are in place to protect customer data?
 Have any data breaches happened?
 What were the protocols and timeframes for alerting customers, other stakeholders, and the media?
 What were the changes that were made following any data breaches? What were the lessons learned?
 If a breach were to happen during the due diligence phase, who will have financial responsibility?
 Are your computer systems compatible? If not, how soon can they be made compatible or identical? When two systems are joined together and are dissimilar, the potential for a breach is more likely due to the vulnerabilities created when two incompatible systems merge.
According to Scott Koller, lawyer at BakerHostetler, “The problem is that cybersecurity is not taken as seriously as it should be, or there is an under-appreciation of the risk. I think it is now on people’s radar, whereas before it may have been an afterthought.”
Unfortunately, according to Koller, too many people have a “check-box” mentality when it comes to information security. Does a business have a firewall? Check. Does a business use anti-virus protection? Check. Does a business back-up regularly? Check. Are there duplicate back-ups? Check. Then, however, the due diligence process moves on to another topic, instead of delving deeper into the information security areas of protection.
According to Ron Arden, vice president and CMO at Fasoo, “An acquirer need to understand the assets and liabilities it is acquiring, and look at adequate security as a business risk, just as leases, debt, and potential litigation are liabilities.”
So the next time you’re in the merger/acquisition market, be sure to include a thorough review of the information security risk before signing on the dotted line.
Image Credit: Stuart Miles via FreeDigitalPhotos.net
This post was brought to you by IBM for MSPs. Dedicated to providing valuable insight from industry thought leaders, PivotPoint offers expertise to help you develop, differentiate, and scale your business.