Beware the hacker threat: How to keep calm and carry on during an M&A
14 December 2016
In June 2015, security regulators investigated a group of hackers known as FIN4. They were suspected of breaking into corporate email accounts of 100 listed companies and stealing information in relation to mergers for financial gain – here's how to keep calm and carry on during your own M&A.
Starwood Group, an American hotel and leisure company, was the victim of a data breach in 2015 caused by malware-infected point-of-sale terminals, shortly after its acquisition by Marriott Corporation was announced. As a result of the breach, hackers gained access to customer names, payment card numbers, security codes and expiration dates. It was later questioned whether IT systems were appropriately assessed before the acquisition became public knowledge – so here are a few tips on how to ensure you keep calm and carry on.
There is so much going on in the process of an acquisition or merger that IT systems are often neglected. This creates vulnerabilities, potentially exposing sensitive information which cyber criminals can exploit. IT teams must focus their attention on ensuring the security of existing systems before a company even considers undergoing an acquisition or merger.
Keep calm and carry on: Pre-acquisition technical due diligence
Technical due diligence refers to the period during which IT systems are inspected, reviewed and assessed for areas of vulnerability that need to be addressed. Firms looking to be acquired or merge should begin a process of technical due diligence internally before seeking interested parties. The company being acquired can then be satisfied its systems are robust, secure and fit for purpose, and the acquirer’s due diligence will not expose any issues that may jeopardise the deal.
In addition to the security vulnerabilities, many organisations carry open-source licensing risks. Open-source modules or snippets of code are commonly incorporated by developers into software to aid rapid development. Although this code is freely downloadable, it is normally subject to an open-source licence, and this licence places restrictions and obligations on what can be done with the code. Companies often have no idea what open-source code is used in their systems, and any breach of licensing restrictions can be costly to fix and endanger the deal. So the internal technical due diligence should include an assessment of open-source licensing risk, allowing the company to resolve any problems in advance.
By conducting such due diligence, firms can not only keep calm and carry on, but have a greater appeal to interested parties as well. This ensures the deal proceeds smoothly. Those looking to acquire will have a clearer understanding of the technical assets for sale, with the added reassurance there won’t be any unpleasant surprises. Yahoo! recently felt the ramifications of neglecting this in anticipation of the Verizon acquisition – it was revealed that 500m customer email accounts were hacked. Verizon later stated that the company is looking to alter the terms of the deal, as it felt Yahoo! wasn’t transparent about the breach.
Keep calm and carry on: Pre-implementation hurdles
Once an acquisition has been agreed in principle, senior stakeholders must address which systems are being continued and which should be decommissioned. A skilled project manager must be chosen to manage and monitor the implementation of the systems, ensuring decisions impacting the seamless integration of the acquisition are made on time.
Companies often underestimate the amount of work that goes into managing the process of an acquisition. This can result in the appointment of a project manager without the necessary skills needed to efficiently run the entire process. All too often it is assumed acquisitions only affect the financial and legal teams, when in reality it affects every department. An individual is needed with the skills to communicate across all departments and at all levels.
Keep calm and carry on: Post-acquisition finishing touches
The sale is agreed and personnel have merged, but it doesn’t stop there. Post-acquisition integration is a separate project in its own right and requires close engagement from senior stakeholders. Merging IT systems across companies can affect the smooth running of daily operations, exposing flaws in acquired systems likely to cause system downtime. By bringing third-party experts on board, companies facing both pre- and post-acquisition challenges can rest assured that IT systems are maintained and sensitive data is kept safe.
No matter how big or small the company or the number of employees, acquisitions are always a major upheaval. In order to allow the organisation to continue to operate efficiently both during and after the deal, it is vital the entire integration is properly planned and effectively executed. This planning starts during due diligence by carrying out a thorough assessment of the technology and systems. And the process continues with the execution of the integration project, which requires a skilled project manager supported by engaged stakeholders and effective communication at all levels in the new organisation.
Nick Pointon is head of M&A at SQS