With the pandemic causing economic uncertainty, it has been a “head-scratchingly prolific year” for mergers and acquisitions (M&A) (and associated merger and acquisitions risks!). As organizations combine, what factors determine the success of a merger or acquisition?
Ensuring all parties (owners, shareholders, employees and customers) understand the vision and upside merging companies plays an important role in the gains of an M&A transaction. Third Party Risk Management (TPRM) can support this understanding.
A successful merger or acquisition typically has five phases – and TPRM plays a role in each step:
- Pre-Selection – identification of potential companies who would fit the strategic objectives and risk appetite of the acquiring company.
- Selection – initial screening and monitoring is conducted using publicly available information.
- Pre-Signing – acquirer determines with legal counsel the types of documentation to be evaluated and the key interviewees, and also develops initial Transition Services Agreement.
- Acquisition (Post-Signing/Pre-Closing) – document integration, transition plans and includes identified open items which need to be closed in the contract.
- Post-Closing – implement transition plans, conduct training and ongoing monitoring.
Throughout the M&A process, all significant risks discovered by third party risk management teams, including cyber risks, should be brought to the attention of acquirer C-suite management and boards of directors.
Shared Assessments’ Briefing Paper “Using TPRM Best Practices To Improve M&A Outcomes” serves as a comprehensive guide outlining specific best practices to help lower risks introduced by M&A. This blogpost offers an overview of the focused attention that should be given at waypoints in the M&A journey to gain an understanding of the target organization’s:
- Overall risk profile
- Data security and Work-From-Home (WFH) vulnerabilities
- Supply Chain Risks
- Approach to Diversity and Culture
Understanding An Organization’s Risk Profile
During the Pre-Selection process, the risk profile of the organization to be acquired is weighed against the acquiring organization’s risk appetite. Important considerations for developing a risk profile include:
- Identifying risk domains relevant to the deal being structured and the target acquisition companies being considered
- Review publicly available information on any targets being considered
- Analyzing results of any technology audits or cyber hygiene assessments performed.
- Accessing legacy systems and understand how data is stored (cloud vs. on-premise), learn organization’s data protection protocols, compliance requirements, systems admin rights, patching systems
- Understanding how access privileges are allocated, monitored and retracted.
- Understanding whether PII, intellectual property or customer data is available on a shared cloud service and means are used to secure this data.
- Surfacing infrastructure issues such as tool sprawl.
Risk red flags include loose access privileges and access privileges unnecessarily granted on a permanent basis, or unmonitored basis, are among red flags. To spot red flags, third party risk management (TPRM) tools provide the acquiring company with a systematic means to understand and analyze the target enterprise’s systems and its risk profile.
TPRM tools are designed to examine risks across the threat landscape, including cyber, security policies, physical and environmental security, business resilience and operations management. TPRM analysis supports assessments across the spectrum (e.g., application security, network vulnerabilities, patching cadence, obsolescence, weaknesses in access management, data loss prevention). It brings the risks and opportunities associated with any transaction into significantly sharper focus. Using a TPRM best practice approach to due diligence provides defensible evidence in the event that something comes to light after acquisition that is of negative impact.
With an understanding of the target organization’s risk profile, the board can make informed decisions and re-examine the organization’s risk appetite.
Human Side of Data Security
In the acquisition and post-closing process, the human side of data security risk and data loss prevention (DLP) needs to be acknowledged. Regardless of the posture of the parties (acquirer, target, merger of equals), roles and responsibilities of senior managers in the consolidated entity should be made clear and announced at or just after deal closing.
Employees of either company who perceive themselves at risk of losing their job when the deal closes may themselves present a heightened risk of intellectual property or other loss. Since that possibility exists, the need for robust DLP becomes even more important, including cyber and other security training, criminal history checks and formal acceptance of the acquiring company’s code of ethics statements. Also, the use of employee retention agreements for key employees is a tool used to reduce, but not eliminate, the “human factor risk.”
Focus on Mobile and Work-From-Home Security
In the final acquisition phase, as transition plans are rolled out, it is important to acknowledge “Work-From-Anywhere” (WFA). How do you evaluate how a target manages mobile workers and work-from-home employees? Evaluation begins with the review of the company policies for mobile and remote users. The next step would be to validate the policies and standards are being followed and documented. The policies and standards for mobile and remote workers should mirror or exceed the controls specified in the acquiring companies’ policies. For example:
- Does the target use VPNs? This will vary depending on the size and complexity of the company. Some companies that are smaller in size and don’t have a corporate infrastructure would not necessarily need to use a VPN to connect to critical services.
- Were additional resources implemented to accommodate those additional remote users?
- Is zero trust methodology in place? Companies not equipped with proper end point protection and data loss prevention will continue to find themselves in catch up mode.
- Are security teams fully prepared for WFA vulnerabilities and the company’s resources insulated from increased risks?
- Policies and procedures for home and OOO Wi-Fi use should be evaluated.
Supply Chain Issues
To evaluate the security of the target’s connections with third parties, the acquiring organization must have access to the list of the target company’s third parties and an indication of the risks they represent to the target company. This is typically available and if not should raise a red flag! The use of a continuous monitoring Security Rating Service can also quickly provide an indication of the cyber hygiene of the target company and of the critical third parties they rely on.
As third party links are an increasingly common attack vector, the acquiring organization must review any control weaknesses identified by the target company specific to the target’s third parties. Ensure the timely remediation of those control weaknesses has been performed and validated. The use of continuous monitoring solutions to identify cyber vulnerabilities would help to identify areas around patch currency and cadence.
Diversity and Cultural Issues
In an acquisition, the acquirer must gain an understanding of the target’s overall corporate culture. That can be started during the Pre-signing period in the document sharing and interviewing phase. Reviewing the target’s human resources policies and procedures can be informative, as can the target’s employee turnover rate, particularly in the areas most important to the acquirer.
As the selection period in a merger is likely to be more protracted than that of an acquisition, it is vital that both parties feel comfortable that their cultures will successfully mesh. And the acquirer needs to ascertain whether its target or merger partner shares (or is amenable to sharing) its positions on Environmental, Social and Governance (ESG) issues.
Additionally, look for level and certifications staff of the acquired company have received as well as the experience level of the senior management. Look for retention of top talent as this speaks better to culture and the management style of the acquired company. Look at peer group and trade group participation – does the target encourage its employees to enhance their skills by supporting certifications and the continuing education required to maintain them?
For more information on evaluating potential risks in a merger or acquisition, see the Shared Assessments Briefing Paper “Using TPRM Best Practices To Improve M&A Outcomes.”