By Gene Fredriksen
Within the financial services sector, it is fair to say there is an upswing in the number of mergers and acquisitions, and industry metrics tell us this trend will continue in the coming years.
The financial services and credit union industries carry unique risks that may not be critical to other sectors. Arguably, the most important of these risks relates to information security. A credit union acquiring or merging with another organization with significant security risks may assume many of those risks once the merger or acquisition is complete.
How should you prepare for a merger or acquisition?
Prior to an acquisition, the current management teams are responsible for their own risks. However, these teams must understand their responsibilities will change with the acquisition. Crucial to a successful go or no-go decision is a deep understanding of the risks – particularly cyber security-related ones – in the business being acquired. In the past, it has been common practice to engage cyber security specialists later in the process. We now know the cyber security analysis needs to begin as early as possible to map out and understand areas of risk for both of the companies involved, with the merger and acquisition (M&A) team performing a thorough cyber security investigation.
A cyber security investigation will reveal an overall view of the target’s cyber status. It is important that the study include a perspective of People, Processes and Technology, not just IT-centric issues.
What can you learn from a cyber security study, and how can those learnings be implemented?
If completed properly, a cyber security study should determine whether the target has adequate or inadequate cyber protections. If significant gaps and risks are found, the team can assume there is a reasonable likelihood the target’s systems may have been or will soon be compromised. Because cyber risks are also business risks, the importance of the study becomes apparent. For example, if the target is required to be PCI compliant and it is not, this may result in fines, costs associated with becoming certified, and the loss of the ability to process until the issue is rectified. These issues could wreak havoc on the business case.
It's Never Easy, But...
Evaluating an organization’s cyber risk is never easy or clear-cut, but without the necessary due diligence during a merger or acquisition, an unforeseen data breach could be devastating. The fallout from cyber-attacks is costly, not only in monetary terms but also in the reputation of the business and its board members.
It is not just the risk taken on from the target company that needs to be considered. Connecting an existing network to that of a newly acquired but compromised organization can introduce issues into a company that was once comprehensively protected. The new network may connect to third parties that may have cyber security problems of their own. Missed risks can result in liability for loss of value or reputation damage and substantial cyber risks for the existing business. The M&A cycle is an exciting time of growth and expansion for an organization. Proper and timely handling of risk issues ensures the process will continue to drive benefit and profitability for the organization as a whole.
Gene Fredriksen is Chief Information Security Strategist at PSCU and responsible for several strategic functions primarily focused on relating PSCU’s perspective and stance on cyber security to existing clients, prospective clients, consultants and the industry as a whole. Gene has over 25 years of information technology experience, with the past 20 focused specifically in the area of information security.