Picture this: you are an acquirer feeling pretty confident about your next target, but before moving forward, you bring in a security expert to view the deal from a security lens. Turns out the corporate headquarters is an abandoned barn on a large remote piece of land…yikes. Suspicious to say the least.
This anecdote from security expert, Jim McConnell (Verizon), might seem extreme, but not only is it true, it also speaks to the importance of ensuring security during the M&A process from all sides of the deal. While security is often mentioned when discussing mergers and acquisitions, very rarely do practitioners actually give Security a seat at the table. Below, McConnell leverages his 38 years of experience to educate practitioners on both sides of the deal on how to ensure security from end to end, how security adds value, and how to get security a true seat at the deal table.
What is M&A Security?
M&A security covers the sale of assets, divestitures, and rebadging. Security organizations and functions should provide M&A integration support to the business in two main ways:
- Making sure the transaction is done securely
- Integrating all required security functions into the appropriate areas of their organization
This includes, but is not limited to, integrating investigations, travel security, insider threats, supply chains, fraud, law enforcement, and physical security. Therefore, when thinking about M&A security, it is important to separate transaction management security (which begins with the desire to buy or sell and is in play through deal finalization) from security integration (integrating the security processes, policies, and tools).
What Are The Deal Phases Security Helps With?
When it comes to transaction management, security spans the entire deal lifecycle, though certain aspects are more closely tied to security’s work.
- Ideation — security considerations should begin with the “gleam in the eye” of selling or buying; the earlier security is brought in, the better. From this point forward, there is what McConnell calls “insider threat.” Insider threat is any person with access to information from ideation on…it never ends.
- Letter of interest
- Due diligence — if it has not been brought in already, this is where the security team really wants to get involved in order to help identify risks and red flags. Specifically, security asks: Who is this company? Who is its supply chain (this is an often overlooked, yet vitally important question)? Is the company or its suppliers located in an area of high crime or high threat? Who are its customers? Are its values aligned with ours? How is its information stored?
- Initial integration cost submissions — review of integration costs should be complete early on, and since this involves tools, policies, and people, security should be consulted.
- Letter of intent
- Agreement on acquisition and press release
- Integration planning
- Regulatory review and approval
- Close — McConnell advocates for practitioners to consider “close date plus 1 minute” – meaning how will you respond if right after close, there is a cyber or physical threat? Do you have plans in place so the security team and all employees on both sides of the deal are not scrambling?
- Post-merger integration (PMI)
Throughout the deal’s lifecycle, the security team is also paying close attention to the technology being leveraged, insider threats (as previously mentioned), and incident responses.
How Does Focusing on M&A Security Add Value?
A focus on security adds value to the business, as well as to the security practitioner.
Security adds value to your business by:
- avoiding negative front page news
- increasing shareholder value
- increasing customer value
- reducing vulnerabilities
- improving the integration schedule (often accelerating integration)
- steering clear of those “bad ideas” related to buying and selling (aka the barns on the remote land)
The security practitioner benefits from being involved in the M&A process by:
- forming new relationships and networking
- having a ROI (return on investment) financially and otherwise
- gaining new technological and new threat insights
- obtaining new best practice insights
What Are Additional M&A Security Best Practices?
- Security needs to build out tools to get others to understand why security needs to be involved and what the different types of risk are. McConnell leverages visuals to accomplish this.
- Security is broad and should be conducted as broad, but this means if security is split up among different departments, the departments need time to come together and engage in transparent communication.
- When leveraging M&A technology, security needs to focus on who really needs access to the information. This starts at ideation. Do 600 people need access to the virtual data room or do 6 need initial access? Moreover, everything must be secure and accounted for: emails, chat, collaboration tools, VDRs, and project management platforms.
- Security must help all employees and decision makers understand the differences between “compliant,” “secure,” and “certified” when it comes to assessing M&A tools. In a nutshell: “compliant” doesn’t really mean much so it should be taken with a grain of salt; “certified” means the tool is third party validated; “secure” has a constantly changing meaning. Given all this, when looking for M&A software and/or M&A tools, consider commitment to security, transparency, certifications and policies.
Security encompasses the entire M&A process and helps buyers and sellers avoid costly mistakes by viewing each element and interaction through a unique lens. In order for Security to gain the aforementioned coveted seat at the M&A table, McConnell preaches taking on a servant-first mentality — essentially presenting Security as a solution provider and helper; gone are the days of leading with scare tactics only.