With the pandemic causing economic uncertainty, it has been a “head-scratchingly prolific year” for mergers and acquisitions (M&A) (and the associated merger and acquisition risks!). As organizations combine, what factors determine the success of a merger or acquisition?
Ensuring all parties (owners, shareholders, employees and customers) understand the vision and upside of merging the companies plays an important role in the gains of an M&A transaction. Third Party Risk Management (TPRM) can support this understanding.
A successful merger or acquisition typically has five phases – and TPRM plays a role in each step:
Throughout the M&A process, all significant risks discovered by third party risk management teams, including cyber risks, should be brought to the attention of acquirer C-suite management and boards of directors.
Shared Assessments’ Briefing Paper “Using TPRM Best Practices To Improve M&A Outcomes” serves as a comprehensive guide outlining specific best practices to help lower the risks introduced by M&A. This blog post offers an overview of the focused attention that should be given at waypoints in the M&A journey to gain an understanding of the target organization’s:
During the Pre-Selection process, the risk profile of the organization to be acquired is weighed against the acquiring organization’s risk appetite. Important considerations for developing a risk profile include:
Red flags include loose access privileges and access privileges granted unnecessarily on a permanent or unmonitored basis. To spot such red flags, third party risk management (TPRM) tools provide the acquiring company with a systematic means to understand and analyze the target enterprise’s systems and its risk profile.
TPRM tools are designed to examine risks across the threat landscape, including cyber, security policies, physical and environmental security, business resilience and operations management. TPRM analysis supports assessments across the spectrum (e.g., application security, network vulnerabilities, patching cadence, obsolescence, weaknesses in access management, data loss prevention). It brings the risks and opportunities associated with any transaction into significantly sharper focus. Using a TPRM best practice approach to due diligence also provides defensible evidence in the event that something with a negative impact comes to light after the acquisition.
With an understanding of the target organization’s risk profile, the board can make informed decisions and re-examine the organization’s risk appetite.
In the acquisition and post-closing process, the human side of data security risk and data loss prevention (DLP) needs to be acknowledged. Regardless of the posture of the parties (acquirer, target, merger of equals), roles and responsibilities of senior managers in the consolidated entity should be made clear and announced at or just after deal closing.
Employees of either company who perceive themselves to be at risk of losing their job when the deal closes may themselves present a heightened risk of intellectual property or other loss. Since that possibility exists, robust DLP becomes even more important, including cyber and other security training, criminal history checks and formal acceptance of the acquiring company’s code of ethics statements. Employee retention agreements for key employees are another tool used to reduce, but not eliminate, the “human factor risk.”
In the final acquisition phase, as transition plans are rolled out, it is important to acknowledge “Work-From-Anywhere” (WFA). How do you evaluate how a target manages mobile workers and work-from-home employees? Evaluation begins with a review of the company’s policies for mobile and remote users. The next step is to validate that the policies and standards are being followed and documented. The policies and standards for mobile and remote workers should mirror or exceed the controls specified in the acquiring company’s policies. For example:
To evaluate the security of the target’s connections with third parties, the acquiring organization must have access to the list of the target company’s third parties and an indication of the risks they represent to the target company. This list is typically available; if it is not, that should raise a red flag! The use of a continuous monitoring Security Rating Service can also quickly provide an indication of the cyber hygiene of the target company and of the critical third parties it relies on.
As third party links are an increasingly common attack vector, the acquiring organization must review any control weaknesses identified by the target company that are specific to the target’s third parties, and ensure that timely remediation of those control weaknesses has been performed and validated. Continuous monitoring solutions that identify cyber vulnerabilities also help to surface problems with patch currency and cadence.
In an acquisition, the acquirer must gain an understanding of the target’s overall corporate culture. That can be started during the Pre-signing period in the document sharing and interviewing phase. Reviewing the target’s human resources policies and procedures can be informative, as can the target’s employee turnover rate, particularly in the areas most important to the acquirer.
As the selection period in a merger is likely to be more protracted than that of an acquisition, it is vital that both parties feel comfortable that their cultures will successfully mesh. And the acquirer needs to ascertain whether its target or merger partner shares (or is amenable to sharing) its positions on Environmental, Social and Governance (ESG) issues.
Additionally, look at the level and certifications the acquired company’s staff have attained, as well as the experience level of its senior management. Look for retention of top talent, as this speaks to the culture and management style of the acquired company. Look at peer group and trade group participation: does the target encourage its employees to enhance their skills by supporting certifications and the continuing education required to maintain them?
For more information on evaluating potential risks in a merger or acquisition, see the Shared Assessments Briefing Paper “Using TPRM Best Practices To Improve M&A Outcomes.”