Taking security along on the M&A journey

Both acquisitions and de-mergers present companies with an opportunity to revisit their cyber security landscape.
Read time 3min 00sec
Sandro Bucchianeri
Sandro Bucchianeri

The impact of COVID-19 on the business world will force irreversible changes to business models and, in such situations, pursuing an inorganic growth strategy will be of prime importance, according to Deloitte.

To this end, merger and acquisition (M&A) activity is expected to increase in the second half of the year, particularly as companies that have come through the crisis in good shape look for opportunities to take over competitors or suppliers that may be struggling to survive.

In this context, it is useful to consider the potential benefits and risks cyber security presents amid M&A activity. Both acquisitions and de-mergers present companies with an opportunity to revisit their cyber security landscape. Separation from Barclays gave Absa the opportunity to build a converged security office from the ground up.

Companies can elect to either go with the same, or better, frameworks, but should view this is as an opportunity to improve their overall security posture. Cyber security should be used as an enablement of the business strategy.

In corporate mergers or de-mergers, it is critical to understand where the relevant entity’s data is located, to identify those who are authorised to access the data, and to assess the ways in which data is accessed. Vulnerabilities also need to be examined.

In merger and de-merger scenarios, it is important that cyber security has a seat at the table from the outset.

In the case of a horizontal merger (such as acquiring a competitor), this may be easier than in the case of a vertical merger (such as acquiring a supplier) because the threat landscapes may be substantially different.

Another key factor is understanding the breadth and depth of the work to be undertaken in a merger or de-merger − how many endpoints, workstations, servers and associated hardware points need to be taken into consideration. In the absence of knowledge of assets, the assets cannot be protected.

Once these factors are considered, companies have an opportunity to improve their overall cyber security environment, even if time and budget are limited. It all comes down to the risk appetite of the organisation.

Thanks to cloud technology, what would previously have taken years can now be done in mere weeks or days. Consider the complexity of having a server rack and associated kit installed at numerous sites. Choosing the appropriate cloud strategy means that implementation, regardless of geographic location, can be done quickly and efficiently.

In merger and de-merger scenarios, it is important that cyber security has a seat at the table from the outset.

The Marriott chain bought Starwood Hotels in 2018 and subsequently announced the Starwood guest reservation database − which reportedly contained up to 500 million accounts − had been compromised, with hacking potentially going on for several years.

If the aquiror had known about the breach – and if cyber security specialists had been consulted during the negotiations stage – there may have been a substantial discount to the acquisition value, and the breach may have been managed better subsequent to it having been discovered by the acquiror.

Cyber security is not just an IT issue that exists in a silo, it is an enterprise-wide risk that must be managed as such. It can and must provide business value and, as mentioned, can significantly enable the business to achieve its goals effectively and securely. 

Sandro Bucchianeri

Absa group chief security officer

Sandro Bucchianeri is Absa group chief security officer. He grew up in the Cape Flats and, unlike many children from that area, had the opportunity later to study and work abroad. He has worked in the UK and the US, and travelled to over 50 countries across the globe in his role as a security consultant before joining Absa in 2017.

Bucchianeri has more than two decades of experience in the field of security information protection. Previous roles include group chief security officer at National Bank of Abu Dhabi and chief information security officer at Investec PLC. Earlier, Bucchianeri was CSO and global head of consulting at Sysnet Global Solutions.

He is a keen supporter of new business ventures, and is passionate about making a contribution to uplifting communities. He led Absa’s efforts in establishing the Absa Cyber Security Academy – a partnership with Maharishi Institute.

Bucchianeri is a member of a number of boards, including the Payment Card Industry Security Standards Council advisory board, which also comprises representatives of Amazon, PayPal, Microsoft and Wal-Mart.

He has several international certifications in risk management and cyber security, in addition to a Masters Degree in Information Security from Royal Holloway University of London.

See also