Mergers and acquisitions can be ideal growth opportunities for companies looking to gain new technologies, increase their geographic footprint, cut costs or strengthen their management team.
But physically combining the information technology (IT) infrastructures of multiple companies involves risks that can put a company in the red if they are not acknowledged and mitigated during the convergence.
A merger or acquisition is one of the most vulnerable times for IT security. Company consolidations pose numerous internal and external risks to network infrastructure, intellectual property and personally identifiable information. Whether due to a malicious attack or an unintentional error, serious financial and legal consequences can occur from a security breach. This can cost the newly formed company its customers, employees and even vendors.
Prior to merging servers, networks and protected data, business owners need to establish a business continuity plan that will mitigate as many transition-related risks as possible. For example, network privileges should be reviewed to determine who has access to sensitive information and to prevent disgruntled employees from taking critical information out the door with them. If a merger is expected to make headlines, security should be ramped up to prevent external hackers from gaining access.
The first step in mitigating these and many other risks is to determine the approach each company takes to IT. Some companies may focus internally on IT to support the business with efficiency, while others focus externally on IT to drive the business with agility. If both parties have a consolidated view of IT strategy, the more secure the data migration and integration process will be. Once this view is established, business owners can move forward by adopting security standards, following proven IT privacy protection guidelines and establishing a risk management committee.
Adopt security standards
The International Organization for Standardization (ISO), based in Geneva, Switzerland, provides established IT security standards that can be used as a guideline for developing IT controls and policies, and installing security software, all of which are required to keep information secure. Security measures can be implemented by IT management or a third-party technology risk management consultant.
IT rules and guidelines also exist within industry and government compliance regulations, such as the Gramm-Leach-Bliley Act of 1999, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act. Merging companies are required to review these regulations to ensure they remain compliant after the acquiring company’s operational and financial structures change.
Map Generally Accepted Privacy Principles (GAPP) to security
GAPP was developed by the Assurance Services Executive Committee of the American Institute of Certified Public Accountants (AICPA), based in Durham, N.C., and the Assurance Services Development Board of the Canadian Institute of Chartered Accountants, based in Toronto, Ontario, to offer a global IT standard for addressing privacy issues.
The 10 principles of GAPP provide companies with a well-rounded approach to managing privacy during and after the merging process. Integrating the ISO information security requirements with GAPP is one of the best information governance safeguards for ensuring the integrity of a wide range of restricted information.
Develop an internal risk management committee
An internal risk management committee must be established if a company does not already employ a chief risk officer. The committee can consist of an internal group of employees or a third-party advisor to control the newly-implemented security policies and identify potential risks within the company.
An internal risk management committee also can aid executive management in obtaining confidentiality agreements from employees, aid the integration of custom applications with new technologies and serve as employer-employee liaisons during the centralization of systems.
Once the companies are combined, business owners can enhance a return on investment from a merger or acquisition, as well as better streamline business operations by conducting an IT audit and contract compliance review. A smooth IT convergence of multiple companies creates a secure, solid foundation for the new venture, ensuring that revenue, customers and value are created instead of lost.