Merging two companies can be a risky process. Compounding the problem, you and fellow stakeholders may only have a limited amount of time to conduct a thorough review, or could be under pressure to complete the merger more quickly than you’d prefer. You can reduce risk if both companies make sure to do a thorough review of the information security programs currently in place.
Before you commit to making an acquisition or merger, here are a few items to review ahead of time. Your aim is to get a good understanding of the business and its structure. Begin by looking at the following:
Type of Business
You wouldn’t have entered into a merger or acquisition without at least a modest awareness of the type of business that the other company is involved in. However, you may have some nagging questions to settle. For example, ask whether the merger will require you to diversify into a new business, as this will bring about more security issues that you may not have had to address prior to merger and acquisition talks.
As you form a union with the new company, you’ll have to find out what changes you must make to your current policies and procedures to accommodate the new members of your team.
Since you are in new territory, you should check whether the acquisition would involve more regulatory requirements. If this is the case, there will likely be other security issues to consider, such as the cost to audit your systems for compliance. You might need to bring in some seasoned information security professionals to consult with you during the merger, such as the professionals at Intrinium. It’s also possible that the target company’s information technology staff had been lax about security. This means that you would have to do research to see what steps must be taken immediately just to get into compliance.
Will the new locations be in the same country? If not, there may be cultural, regulatory or tax considerations for you to address. The sooner you determine that there are foreign laws, taxes or social norms in play, the sooner you can draft some “ambassadors” from your company to deal with all of the new information you have to absorb before doing business there.
International law can be quite tricky for a potentially multinational company like yours, but it’s a consideration that you must evaluate when getting ready to merge. Get started on this soon, since foreign regulations and requirements may take much more time to settle than you can imagine.
You never know what you might be getting into, especially during the early part of a potential merger or acquisition. In terms of security, you’ll need to know if the other company has a structured IT department. Furthermore, does the IT department leadership report to a Chief Information Officer? This may influence whether you continue with their CIO or if you will absorb their IT group or if they will absorb yours. It’s essential to learn whether the acquisition has Information Security personnel within IT.
You’ll need to determine how the information technology organization is currently structured. Merging the companies’ two cultures will depend on it. After you have an idea of how the target company organized itself, you will need to ask whether it is appropriate to centralize management of IT.
In some cases, it will make more sense to continue on with two IT setups. Often this will happen in companies that maintain facilities in more than one location—even though a lot of information technology security work can be conducted from remote, with no need for the technician to set foot on the premises or actually handle the computer equipment.
If you uncover issues with the current information technology department and need help addressing them, it’s often prudent to consult with security consulting professionals, such as the team at Intrinium.
Many businesses rely on consultants or contractors to fill gaps in their team. Discover how many of such individuals are now employed by the target. You might need to vet them or otherwise gain some assurance about their reliability and trustworthiness. Also, how good of a job are these contractors doing at protecting the security of the information they process?
Getting Ready for the Next Phase in Your Merger/Acquisition
You’re just in the beginning phase of the merger/acquisition process, but you have already uncovered a great deal of actionable information to consider. After reviewing the type of business and potential location of the new entity, you will use organizational charts to see the current state of the target’s information security management and team. Next, it will be time to check out all existing documentation and then conduct a full physical security review, which we will cover in the next two parts of this series.