Security for Enterprise Transitions

mergers and acquisitions

Jon Espenschied, CISO

Mergers, acquisitions, material incidents, and exits

After going through several corporate mergers as a passenger or minor contributor, it was a privilege to be “on the inside of the room” for the first time, managing the process.  Being one of the directors of a merger or acquisition can be like snow control at a ski resort; once started the process can go in unpredictable directions without continuous monitoring, and the consequences can be orders of magnitude larger or smaller than initially anticipated.  Still, a little bit of prior diligence can give a large amount of control, or at least perspective and transparency to show what’s coming. 

The life cycle leading to mergers and acquisitions is fairly predictable and well understood. Many companies are formed with the idea of going big or becoming part of something bigger either by acquiring competitors and partners or by being acquired itself. For any organization with this vision there is a well-worn path from startup to full operations, from operations to maturity, and from a mature value to some kind of exit either by merger or acquisition. 

At its core, any kind of merger or acquisition is simple: each party should understand what they are selling or buying, and there should be a diligence process by which they assess the other’s assertions. Financial diligence in a sale is obvious, but the process doesn’t stop there. Assessments to support the deal should provide a functional review for any kind of service rendered, an infrastructure assessment for assets and technology, and an appropriate assessment of security and privacy for information assets and processes. 

“Due diligence” prior to an acquisition is the ideal, meaning that the thoroughness (“diligence”) of the review is appropriate (“due”) in line with value and risks. However, reality often differs; direct experience with a recent tech company acquisition revealed that only 45 days had elapsed between two CEOs meeting on a plane to the close of the deal.  The acquiring company had a process for evaluating and understanding what kind of risks and exposure they were buying, but accelerating the whole vetting process meant some issues — such as not understanding what it meant to buy a FedRAMP-certified service, and not having full controls in place to handle HIPAA requirements — were residual risks left to be handled later. 

Still, these are better situations than discovery and risk management after the close of an acquisition. Years ago, several of our staff experienced an acquisition where the acquiring company thought they were buying a consultancy with one software product when in fact there were two major product lines. Only after the acquisition did the parent company fully understand they now owned a well-known password cracking tool they perceived to be a liability nightmare. The ensuing legal firestorm within the company was not pleasant to say the least, and could have been avoided by a reasonable assessment of infrastructure and security. 

A rushed situation can occur even without people being sloppy in their business. A struggling organization might not have planned for acquisition, but find an offer as its last viable resort. Or one might find a competitor has quietly folded its operations, and have only days or a weekend for an opportunity to acquire its people and infrastructure before liquidation processes would take over. Continuity takes precedence, and a thorough vetting gets postponed until later if the executive team judges that the risk is worthwhile. In this case, consultants might be called in for a quick sanity check over the course of a few days, with a fuller assessment on the books post-close.

Other conditions arise, to be sure. In a large mutual merger, cross-organization assessment may be an involved process. In some cases, a well-planned long and slow merger may mean years of interim operations, for which an independent set of rules, policies, staff, and even leadership may be instituted. These are often given the mission of continuity over the transition, handling incidents that might not fit either organization’s capabilities, and dealing with unforeseen conditions and events. 

In each of these cases, a structured assessment is key to due diligence, and should answer relevant questions: 

  • Beyond the finances and function of the business, do their processes and technology reflect their information security policy directives? 
  • If they have certifications such as SOC-2 or FedRAMP, do they do what they say?  
  • Is there personal data from individuals in jurisdictions evoking GDPR and CCPA?
  • Is there an actual person assigned to direct an ISMS based on ISO27000 standards, or to assume the role of DPO to meet privacy regulations?   

Knowing enough to close the deal is critical, even if knowing every detail would be out-of-scope.  Often it is enough to review standing certifications and validate the top-line portions of a program, or perform a baseline assessment drawn from a neutral recognized security standard.  Other situations may call for in-depth risk review and thorough technical testing.  Most are somewhere between. Large or small, quick or thorough, an experienced consultancy can help choose the appropriate standards and metrics, and gather the information to make that call.  

CCPA – California Consumer Privacy Act
DPO – Data Privacy Officer (GDPR)
FedRAMP – Federal Risk & Authorization Mgmt Program (US)
GDPR – General Data Protection Regulation (EU)
HIPAA – Health Insurance Portability & Accountability Act 
ISMS – Information security management system (ISO)
ISO 27000 – ISO/IEC standards for information security
SOC-2 – System and Organization Controls 2 (AICPA)

Jon Espenschied, CISO

Mergers, acquisitions, material incidents, and exits

After going through several corporate mergers as a passenger or minor contributor, it was a privilege to be “on the inside of the room” for the first time, managing the process.  Being one of the directors of a merger or acquisition can be like snow control at a ski resort; once started the process can go in unpredictable directions without continuous monitoring, and the consequences can be orders of magnitude larger or smaller than initially anticipated.  Still, a little bit of prior diligence can give a large amount of control, or at least perspective and transparency to show what’s coming. 

The life cycle leading to mergers and acquisitions is fairly predictable and well understood. Many companies are formed with the idea of going big or becoming part of something bigger either by acquiring competitors and partners or by being acquired itself. For any organization with this vision there is a well-worn path from startup to full operations, from operations to maturity, and from a mature value to some kind of exit either by merger or acquisition. 

At its core, any kind of merger or acquisition is simple: each party should understand what they are selling or buying, and there should be a diligence process by which they assess the other’s assertions. Financial diligence in a sale is obvious, but the process doesn’t stop there. Assessments to support the deal should provide a functional review for any kind of service rendered, an infrastructure assessment for assets and technology, and an appropriate assessment of security and privacy for information assets and processes. 

“Due diligence” prior to an acquisition is the ideal, meaning that the thoroughness (“diligence”) of the review is appropriate (“due”) in line with value and risks. However, reality often differs; direct experience with a recent tech company acquisition revealed that only 45 days had elapsed between two CEOs meeting on a plane to the close of the deal.  The acquiring company had a process for evaluating and understanding what kind of risks and exposure they were buying, but accelerating the whole vetting process meant some issues -- such as not understanding what it meant to buy a FedRAMP-certified service, and not having full controls in place to handle HIPAA requirements -- were residual risks left to be handled later. 

Still, these are better situations than discovery and risk management after the close of an acquisition. Years ago, several of our staff experienced an acquisition where the acquiring company thought they were buying a consultancy with one software product when in fact there were two major product lines. Only after the acquisition did the parent company fully understand they now owned a well-known password cracking tool they perceived to be a liability nightmare. The ensuing legal firestorm within the company was not pleasant to say the least, and could have been avoided by a reasonable assessment of infrastructure and security. 

A rushed situation can occur even without people being sloppy in their business. A struggling organization might not have planned for acquisition, but find an offer as its last viable resort. Or one might find a competitor has quietly folded its operations, and have only days or a weekend for an opportunity to acquire its people and infrastructure before liquidation processes would take over. Continuity takes precedence, and a thorough vetting gets postponed until later if the executive team judges that the risk is worthwhile. In this case, consultants might be called in for a quick sanity check over the course of a few days, with a fuller assessment on the books post-close.

Other conditions arise, to be sure. In a large mutual merger, cross-organization assessment may be an involved process. In some cases, a well-planned long and slow merger may mean years of interim operations, for which an independent set of rules, policies, staff, and even leadership may be instituted. These are often given the mission of continuity over the transition, handling incidents that might not fit either organization’s capabilities, and dealing with unforeseen conditions and events. 

In each of these cases, a structured assessment is key to due diligence, and should answer relevant questions: 

  • Beyond the finances and function of the business, do their processes and technology reflect their information security policy directives? 
  • If they have certifications such as SOC-2 or FedRAMP, do they do what they say?  
  • Is there personal data from individuals in jurisdictions evoking GDPR and CCPA?
  • Is there an actual person assigned to direct an ISMS based on ISO27000 standards, or to assume the role of DPO to meet privacy regulations?   

Knowing enough to close the deal is critical, even if knowing every detail would be out-of-scope.  Often it is enough to review standing certifications and validate the top-line portions of a program, or perform a baseline assessment drawn from a neutral recognized security standard.  Other situations may call for in-depth risk review and thorough technical testing.  Most are somewhere between. Large or small, quick or thorough, an experienced consultancy can help choose the appropriate standards and metrics, and gather the information to make that call.  

CCPA - California Consumer Privacy Act
DPO - Data Privacy Officer (GDPR)
FedRAMP - Federal Risk & Authorization Mgmt Program (US)
GDPR - General Data Protection Regulation (EU)
HIPAA - Health Insurance Portability & Accountability Act 
ISMS - Information security management system (ISO)
ISO 27000 - ISO/IEC standards for information security
SOC-2 - System and Organization Controls 2 (AICPA)