10 Jan 2025
How to protect data and digital assets during Mergers and Acquisitions
Article

  • Cyber security risks are often most volatile during Mergers and Acquisitions (M&A), with vulnerabilities emerging in the many inherited systems, processes, and network environments.
  • In Australia, approximately one-third of businesses are planning three or more acquisitions in the next three years, amplifying the need for robust cyber planning.
  • Businesses can reduce risks during M&A by securing critical data, implementing thorough access controls, and ensuring integration projects are rigorously tested before integration.

M&A activity is on the rise in Australia, with approximately one-third of companies planning on making three or more acquisitions in the next three years, and investors set to deploy up to $37 billion in capital.[1]

While M&A activity can present a strong pathway to growth, it also brings with it significant cyber security risks. These risks often surface during critical stages of the M&A process, such as contract negotiations, due diligence, and the eventual integration of IT infrastructure post-acquisition.

“Cyber risks are often underestimated during M&A activity. If not managed properly, they can lead to data breaches, deal breakdowns, or even long-term operational outages that could impact revenue,” said Ben Richardson, Cyber Product Lead, QBE Australia.

What digital systems and processes are merged during M&A?

Merging two businesses together often requires the eventual integration of key IT systems and processes. This can include:

  • Software and IT vendor supply chains
  • Operating systems
  • Data storage
  • Data security
  • IT security
  • Cyber security training programs

These are critical to daily operations, but differences in technology deployment, governance, or vendor contracts can introduce inefficiencies and security vulnerabilities if not carefully managed.

“Successfully bringing together two separate sets of cultures and IT infrastructures is one of the most challenging aspects of M&A,” said Richardson.

“It requires a significant amount of planning to take stock of the two separate environments, and then also to identify critical risks. Addressing these as early as possible is crucial to ensuring a smooth integration.”

Understanding potential cyber risks in M&A due diligence

‘Due diligence’ is a key stage in M&A activity, especially when it comes to understanding the cyber and technological risks of the business being acquired.

To get a clear picture of potential cyber vulnerabilities, businesses should consider the following areas during this phase:

  • Cyber security audit: Provide a broad review of the cyber security posture across the business, identifying any shortfalls or urgent risk items requiring immediate attention.
  • Internal and external vulnerability scanning: Identify any evidence of potential vulnerabilities or intrusions, externally and internally.
  • IT asset inventory: Catalogue all software and hardware.
  • Incident history: Review past breaches to understand any potential liability or existing vulnerabilities.
  • Privacy and compliance: Evaluate current policies and governance provisions to ensure regulatory alignment.
  • Data management: Assess where data is stored and the security controls in place, verify back-ups, and identify any unnecessary legacy data.
  • Third-party agreements: Review software licenses and third-party supply chain contracts.
  • Resilience provisions: Assess any pre-established Disaster Recovery Plans (DRP), Business Continuity Plans (BCP), and Incident Response Plans (IRP).
  • Cyber education: Evaluate staff awareness and training policies.
  • Insurance coverage: Ensure policies are current and cover is appropriate.

“It’s important to acknowledge that often in an M&A scenario, you might get a walkthrough of the back-end infrastructure, as well as a lot of data as part of the due diligence process. However, you often can’t fully assess the security environment until after the purchase is complete and you have full access to the business and its employees,” said Richardson.

“Taking stock of all applications, endpoints and operational processes can take months. However, tools like inventory scanners can help speed up this process by identifying all hardware, software, and devices connected to the network.”

Protecting critical digital assets during M&A

Businesses can store vast amounts of data, but not all of it is equally valuable. During an M&A process, identifying and safeguarding the most critical data—often referred to as the ‘crown jewels’—is essential.

These assets may include:

  • Trade secrets
  • Intellectual property, such as designs, recipes, or patents
  • Customer databases and sensitive information

In addition to these high-value assets, it’s important to ensure other important data remains secure, such as:

  • Business communications
  • Compliance documentation
  • Vendor and partner data
  • Contracts and agreements
  • Employee records
  • Financial information

Identifying critical data and implementing robust protection measures, such as encryption, access controls, back-ups, and regular vulnerability scans, can reduce the risk of data-related breaches that could financially impact the business.

Managing insider threats during the M&A process

Insider threats are a constant cyber risk for businesses, and during M&A activity, this risk can often increase. The uncertainty surrounding job security and rapid organisational change can increase the likelihood of intentional or unintentional insider threats.

To manage this risk, access control is key. Understanding privileged account delegations and validating the requirements for this access based on the employee’s role post-acquisition is essential.

External parties, such as software providers, should not be overlooked. M&A activity often ends existing business relationships, and if the remote access those parties held is not revoked, the organisation remains exposed to cyber attacks. Reviewing vendor agreements and external access points is vital to ensuring appropriate security throughout the M&A process.

“The focus on digital supply chain risks is shifting, with organisations and regulators now looking beyond key third-party suppliers to increase their visibility of their fourth and fifth-party vendors,” said Richardson.

“Managing these risks is becoming crucial for building operational resilience and keeping your business secure.”

Reviewing and streamlining third-party agreements

M&A often brings together two sets of third-party agreements, including contracts with software providers, ISPs, and technical support teams. Understanding the scope and terms of these agreements—such as whether support is provided locally or remotely—can help businesses identify potential cost efficiencies and address risks that may arise during the transition.

Managing cyber risks after the M&A process is finalised

While a business may officially come under new ownership once an M&A deal is finalised, integrating cyber security systems and controls can take some time. The reality is that getting full visibility of the acquired data and network environment is in many cases only possible after the deal is complete.

To minimise vulnerabilities during the cyber integration period, businesses should prioritise:

  • Access control: Take stock of what privileged access has been granted, for example, domain administrators or privileged service accounts. It’s also important to review what access control measures are in place, including MFA for any remote access, or role-based restrictions for access to sensitive databases.
  • Anti-malware, network security and email security: Gain visibility of network activity through logging and monitoring across the network.
  • Verifying back-ups: Regularly test that data is being properly backed up and can be fully recovered if needed.
  • Patching: Ensure all IT assets and software are up to date, and all existing and future critical patches are prioritised for deployment.
  • End-of-life software and hardware: Identify unsupported systems and fast-track replacements or updates.

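The privileged-access stock-take described in the access control item above (and the role-based validation of privileged accounts in the insider-threat section) can be turned into a repeatable check. The following is an added example, not code from QBE or this article: it runs over a constructed list of account records standing in for exports from the two organisations' directories, and flags privileged accounts no longer required by the holder's post-acquisition role, dormant privileged accounts, remote access without MFA, service accounts holding domain administrator rights, and external parties that still have remote access. The group names, thresholds and sample accounts are assumptions.

```python
"""Privileged-access review for the post-acquisition integration period (added example).

The account records below are constructed sample data standing in for a directory
export (AD, Entra ID, Okta, ...) from the acquirer and the acquired business.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Groups treated as privileged for this review (assumed list; tune to your estate).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "DB Admins", "Backup Operators"}
DORMANT_DAYS = 90            # assumed threshold for "unused" privileged access
EXTERNAL_KINDS = {"vendor"}  # account kinds that belong to third parties


@dataclass
class Account:
    org: str                         # "acquirer" or "acquired"
    name: str
    kind: str                        # "user", "service" or "vendor"
    groups: set = field(default_factory=set)
    mfa: bool = False                # MFA enforced on this account
    remote_access: bool = False      # VPN / remote management access granted
    last_logon: Optional[date] = None
    retained_role: bool = True       # does the post-acquisition role still need this access?


def review_privileged_access(accounts, today):
    """Return (account name, finding) tuples for the integration access review."""
    findings = []
    for a in accounts:
        privileged = bool(a.groups & PRIVILEGED_GROUPS)
        dormant = a.last_logon is None or (today - a.last_logon).days > DORMANT_DAYS

        if privileged and not a.retained_role:
            findings.append((a.name, "privileged access no longer required by role"))
        if privileged and dormant:
            findings.append((a.name, "privileged account dormant"))
        if a.remote_access and not a.mfa:
            findings.append((a.name, "remote access without MFA"))
        if a.kind == "service" and "Domain Admins" in a.groups:
            findings.append((a.name, "service account holds Domain Admins"))
        if a.kind in EXTERNAL_KINDS and a.remote_access:
            findings.append((a.name, "external party retains remote access"))
    return findings


def findings_by_org(accounts, today):
    """Group finding counts by organisation to show where the inherited risk sits."""
    by_name = {a.name: a.org for a in accounts}
    counts = {}
    for name, _ in review_privileged_access(accounts, today):
        counts[by_name[name]] = counts.get(by_name[name], 0) + 1
    return counts


# Constructed sample export: two organisations, a mix of user, service and vendor accounts.
SAMPLE_ACCOUNTS = [
    Account("acquirer", "alice.admin", "user", {"Domain Admins"}, mfa=True,
            remote_access=True, last_logon=date(2025, 1, 8)),
    Account("acquired", "bob.it", "user", {"Domain Admins"}, mfa=False,
            remote_access=True, last_logon=date(2024, 12, 20)),
    Account("acquired", "svc-backup", "service", {"Domain Admins", "Backup Operators"},
            last_logon=date(2025, 1, 9)),
    Account("acquired", "old.contractor", "user", {"DB Admins"}, mfa=False,
            last_logon=date(2024, 6, 1), retained_role=False),
    Account("acquired", "msp-support", "vendor", set(), mfa=True,
            remote_access=True, last_logon=date(2025, 1, 5)),
]

if __name__ == "__main__":
    review_date = date(2025, 1, 10)
    for name, finding in review_privileged_access(SAMPLE_ACCOUNTS, review_date):
        print(f"{name:16} {finding}")
    print(findings_by_org(SAMPLE_ACCOUNTS, review_date))
```

The review is deliberately a pure function over the exported records, so the same check can be re-run as accounts are migrated and the finding count tracked down to zero over the integration period.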
“Cyber security integration is an ongoing process of continuous improvement, not a one-off event. It takes time to uncover shortfalls and align controls and governance, but focusing on the key controls and immediate vulnerabilities can help minimise your risks during the initial transitional period post-acquisition,” said Richardson.

How to prepare and integrate IT platforms

After assessing the inherited cyber environment, the next step is integrating the IT infrastructure of both businesses. This can include:

  • Aligning baseline configurations: Standardise asset configurations and protocols to strengthen security and create a unified platform for the organisation.
  • Using test environments: Trial new systems in smaller, controlled settings before full integration.
  • Taking a staged approach: A gradual and phased approach to IT infrastructure rollout can help minimise the risk of outages, interruptions, or data loss in the event of an integration failure during the delivery phase.

“Going live with a newly integrated IT solution for an existing business is one of the greatest risk milestones in the M&A process,” said Richardson.

“If something fails during the go-live, you could face significant business interruption or, in the worst-case scenario, permanent data loss. That’s why robust testing and deployment practices are so critical to ensuring a successful technology delivery into any business.”

Aligning people, as well as systems

Aligning IT systems, policies and procedures is one thing, but aligning people and culture is just as important and comes with a unique set of challenges.

Prioritise sharing and educating staff on new policies and procedures, as well as delivering training sessions to ensure they know how to use new systems and platforms.

Clear and consistent communication with employees will ensure they’re aware of the changes and how they will impact their day-to-day operations. Just as importantly, make sure they feel engaged throughout the process.

Implementing a consistent IT security and phishing training program across the organisation should also be prioritised. In a post-M&A environment, new communication and supplier channels are often being introduced into the business, and a comprehensive training program can help mitigate the risk of social engineering fraud attempts.

Strengthen your business against cyber risks with QBE

Successfully merging two organisations’ systems and back ends is a significant undertaking, but the work doesn’t end there. New vulnerabilities may emerge post-integration, making ongoing monitoring and adaptation essential to your cyber resilience.

QBE’s cyber insurance policy, QCyberProtect, provides critical support during a cyber event and can help protect against the financial and reputational impacts arising from digital threats. Talk to your broker today to learn how QBE can help safeguard your business.

[1] PWC, The Australian M&A Outlook 2024

This content is brought to you by QBE Insurance (Australia) Limited (ABN 78 003 191 035, AFSL 239545) (QBE) as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. QBE makes no warranty or guarantee about the accuracy, completeness, or adequacy of the content. Readers relying on any content do so at their own risk. It is the responsibility of the reader to evaluate the quality and accuracy of the content. Reference in this content (if any) to any specific product, process, or service, and links from this content to third party websites, do not constitute or imply an endorsement or recommendation by QBE and shall not be used for advertising or service/product endorsement purposes.