'Inside Security' with Sundar Vincent (Ex-Sr. Principal Architect - IAM at JP Morgan Chase)

Leen Security
October 20, 2024

Over the past five years, M&A activity has surged, surpassing the total volume seen in the previous decade as companies seek to expand capabilities, enter new markets, or reduce competition. However, the complexity of these transactions has grown considerably due to the rapidly evolving cyber threat landscape, making security a critical component in deal evaluations and integrations.

In this edition of 'Inside Security', we will uncover the role of security in M&A transactions with Sundar Vincent (Ex-Sr. Principal Architect - Identity and Access Management at JP Morgan Chase).

M&A and Security are Becoming Inseparable

M&A deals come with significant risks, not just in terms of market impact, competition, and stakeholder interests, but also in terms of operational complexity. Technology is a key enabler in merging businesses and setting up a new operating model, but it also introduces a broad set of security challenges. A weak security posture can slow down the integration, introduce unforeseen vulnerabilities, and in extreme cases, even derail a deal entirely, making cybersecurity diligence a critical factor for successful acquisitions.

One notable example is the 2018 Marriott-Starwood acquisition. Marriott’s deal value dropped after it was revealed that Starwood’s systems had been compromised long before the acquisition, resulting in a major data breach that exposed millions of records. Similarly, in 2017, Verizon reduced its acquisition price for Yahoo by $350M after discovering two major security breaches during the evaluation phase.

Security has become a critical factor that must be evaluated at every stage of the M&A process — before, during, and after the transition — to minimize risks and ensure a smooth integration. It’s not just about identifying technical vulnerabilities, but also about understanding the security posture, potential liabilities, and data protection policies of the target company.

Deloitte reports that over 60% of US dealmakers expect security to play an even larger role in M&A decisions as companies become more aware of security risks, such as data breaches and regulatory non-compliance, which can severely impact the value of a deal or even derail it altogether. This stat underscores the growing importance of security and risk assessments of the target company to avoid post-deal liabilities.

It’s no longer just an IT concern; it’s a core part of the business strategy that can make or break a deal. I’m seeing more acquirers bringing in independent experts to evaluate security during due diligence — it’s become a critical step in understanding risk and protecting the value of the acquisition.

Understanding The Role of Security in M&A

When acquiring a company, hidden security risks such as undetected malware or improperly managed access controls can lurk within the target company's infrastructure, posing serious threats to both the acquiring business and its extended network of partners and customers. Addressing these risks should be a top priority, as vulnerabilities in one area can quickly cascade through the broader organization if left unchecked.

Conducting comprehensive security assessments early in the due diligence process is crucial for protecting the operational integrity of both the acquiring and target companies, as well as for minimizing risk across the broader supply chain. Overlooking these evaluations can lead to immediate and severe consequences: unexpected costs, hefty regulatory fines, and reputational damage that can quickly surpass the value of the acquisition.

This becomes even more important in heavily regulated industries, including the financial, insurance, and healthcare sectors.

M&A Attracts Attacks

It may be surprising (or perhaps not), but attacks often spike during and just after an M&A process. Why? There are a few reasons for that:

  1. Data: Data is everything in security! During due diligence, sensitive information about the target company’s financials, IP, and customer data is frequently exchanged and stored across multiple systems. This creates an opportunity for attackers to exploit gaps in security and gain access to valuable data.
  2. Negligence: With so much focus on financial and strategic evaluations, security can sometimes be overlooked, resulting in weaker controls and fragmented security practices that attackers can easily exploit.
  3. Operational disruption: The transition period during an acquisition is often chaotic. New systems are integrated, employees are shifted around, and access controls are reconfigured — all of which create new vulnerabilities that attackers can target.
  4. Lack of continuous monitoring: Companies might relax security practices during and just after an acquisition, assuming that any security threats are under control. This temporary lapse in oversight can allow attacks or breaches to go undetected until well after the deal closes.
  5. Insider threats: Insiders are a risk in any organization, but employees facing uncertainty about their roles post-acquisition pose an elevated insider risk. Disgruntled staff or those fearing job loss can leak sensitive data or open doors for external attackers.

Security Due Diligence for M&A

As mentioned by Sundar, acquiring (buy-side) companies often engage independent third parties to conduct a technical security assessment of the target company. This provides an unbiased view of the target company's security posture, helps ensure that security risks and data privacy threats are identified, and allows the results to be incorporated into the overall risk evaluation and valuation of the deal.

Let's quickly shed some light on the M&A process as identified by Sundar.

Pre-Acquisition:

  • Initial cyber risk assessment: Evaluate the target company's security posture and culture, identify existing vulnerabilities, and assess prior breaches.
The cultural aspect is very important because most breaches involve human error. The extent to which employees and board members understand data security protocols is a strong indicator of a company’s overall security posture. A lack of awareness or practice at the senior or C-level is a potential red flag and an indicator to dig deeper, which is never a good sign for the target company.
  • Define security standards: Establish minimum security expectations to mitigate risks early on.
  • Negotiate terms: Use findings to negotiate purchase price adjustments and set warranties or representations for the seller.

During Acquisition:

  • Detailed security evaluation: Conduct in-depth technical assessments such as breach detection, attack surface mapping, and penetration testing to understand the current risk landscape.
  • Integration planning: Develop a security integration strategy that aligns with the overall business goals and mitigates identified vulnerabilities.
The type of integration strategy chosen will dictate both the scope of work and the level of risk associated with the M&A. Understanding these specifics is crucial for crafting an effective risk management plan that addresses potential vulnerabilities and ensures a smooth transition.

Post-Acquisition:

  • Implement remediation plans: Address security gaps identified during due diligence, starting with high-priority risks.
  • Continuous monitoring: Establish ongoing security monitoring and response strategies to protect the integrated entity.
  • Regulatory compliance: Ensure compliance with data protection regulations and industry standards, particularly if the acquisition involves global entities.
As the two companies transition into the post-acquisition phase, maintaining constant control and visibility over security is crucial. Continuous, 24/7 monitoring is necessary to ensure the target firm's security aligns with the acquiring company’s standards for data confidentiality and integrity. The CISOs or equivalent staff members must enforce consistent policies and procedures to integrate and uphold the security posture across both entities, preventing any gaps that could lead to vulnerabilities during this critical period.

Conclusion

The more comprehensive a company’s security due diligence is during an M&A, the better it can mitigate risks, protect critical assets, and ensure a smoother integration process. Proactively addressing potential security gaps early on sets the foundation for a safer and more successful transition.

We'd like to thank Sundar for his contribution; you can connect with him on LinkedIn.