Taking security along on the M&A journey

Both acquisitions and de-mergers present companies with an opportunity to revisit their cyber security landscape.
Sandro Bucchianeri

The impact of COVID-19 on the business world will force irreversible changes to business models and, in such situations, pursuing an inorganic growth strategy will be of prime importance, according to Deloitte.

To this end, merger and acquisition (M&A) activity is expected to increase in the second half of the year, particularly as companies that have come through the crisis in good shape look for opportunities to take over competitors or suppliers that may be struggling to survive.

In this context, it is useful to consider the potential benefits and risks cyber security presents amid M&A activity. Both acquisitions and de-mergers present companies with an opportunity to revisit their cyber security landscape. Separation from Barclays gave Absa the opportunity to build a converged security office from the ground up.

Companies can elect to go with either the same or better frameworks, but should view this as an opportunity to improve their overall security posture. Cyber security should be used as an enabler of the business strategy.

In corporate mergers or de-mergers, it is critical to understand where the relevant entity’s data is located, to identify those who are authorised to access the data, and to assess the ways in which data is accessed. Vulnerabilities also need to be examined.

In merger and de-merger scenarios, it is important that cyber security has a seat at the table from the outset.

In the case of a horizontal merger (such as acquiring a competitor), this may be easier than in the case of a vertical merger (such as acquiring a supplier) because the threat landscapes may be substantially different.

Another key factor is understanding the breadth and depth of the work to be undertaken in a merger or de-merger − how many endpoints, workstations, servers and associated hardware points need to be taken into consideration. In the absence of knowledge of assets, the assets cannot be protected.

Once these factors are considered, companies have an opportunity to improve their overall cyber security environment, even if time and budget are limited. It all comes down to the risk appetite of the organisation.

Thanks to cloud technology, what would previously have taken years can now be done in mere weeks or days. Consider the complexity of having a server rack and associated kit installed at numerous sites. Choosing the appropriate cloud strategy means that implementation, regardless of geographic location, can be done quickly and efficiently.

The Marriott chain bought Starwood Hotels in 2018 and subsequently announced the Starwood guest reservation database − which reportedly contained up to 500 million accounts − had been compromised, with hacking potentially going on for several years.

If the acquiror had known about the breach – and if cyber security specialists had been consulted during the negotiations stage – there may have been a substantial discount to the acquisition value, and the breach may have been managed better once the acquiror had discovered it.

Cyber security is not just an IT issue that exists in a silo; it is an enterprise-wide risk that must be managed as such. It can and must provide business value and, as mentioned, can significantly enable the business to achieve its goals effectively and securely.

Sandro Bucchianeri

Absa group chief security officer

Sandro Bucchianeri is a senior security executive who holds two information security focused certifications (CISSP and CISM), as well as an MSc in Information Security from the prestigious Royal Holloway University of London. He has over two decades of security (information/cyber/physical) experience in both consulting and CISO/CSO roles. In these positions, he has worked with large enterprises and global, multi-cultural organisations, where he managed teams and programmes globally in the implementation of major initiatives relating to governance, risk and compliance, architecture and strategy. Bucchianeri has a strong background in security and is able to blend his strong technical ability with business requirements. He is also viewed as a trusted advisor for many of his global clients across the various industries in which he has worked. His energy and highly effective communication ability with board and C-level stakeholders, and his relationship management skills, coupled with his passion for security and technology, have been key to his success.
