Deloitte’s 2014 M&A Trends Report says that low interest rates and high cash reserves in addition to a desire for new markets, new products, and cost-saving consolidations have U.S. CEOs frothing to find the right partners quickly. Merger and acquisition deals always involve a balance of speed and risk: speed to get the deal closed before valuations increase versus the risk of not doing adequate due diligence, especially with regard to information risk management (IRM).
Mobile phone provider Telstra found that out the hard way when target Pacnet (with valuable infrastructure and products to offset the pending loss of other revenues) disclosed that its corporate IT network had been hacked by an unknown third party. It appears that Pacnet knew about the security incident two weeks before the deal closed but chose to share the news only afterwards.
But it is possible to assess a potential partner’s IRM strengths and weaknesses without slowing down the deal.
Here are some key considerations at each M&A phase:
Phase 1: Initial Due Diligence
- Does the target organization have a compliance and security governance committee? If so, review the charter, membership, and information risk management processes to ascertain their comprehensiveness.
- Is there a code of conduct that outlines expected workforce behavior and responsibilities related to data security? If so, does it describe sanctions for non-compliance?
- Is there a formal program for managing service providers? If so, inquire if recent revisions have been made to accommodate any new regulations.
- Have recent assessments or audits been conducted on compliance, data security programs, or both? If so, ask if remediation activities are underway to close any gaps.
- Obtain copies of insurance policies and review them to ensure appropriate levels of cyber-liability, property and casualty, and directors’ and officers’ coverage.
Phase 2: Prior to Definitive Agreement
- Cross-walk policies and procedures to regulations to ensure complete compliance and make it easier to integrate the target into the acquiring company.
- Review training materials to make sure they cover job responsibilities associated with access to sensitive information.
- Review specific policies and procedures related to reporting complaints, security incidents or privacy violations, breach assessments, and notifications.
- Review business continuity and disaster recovery plans.
- Request an inventory of service providers that lists the services each provides, the minimum necessary information shared with each, the due diligence conducted, security incident notification requirements, and replacement vendors for critical services.
- Review governance/oversight committee meeting minutes and attachments to verify adherence to charter, agendas, and documented risk management processes.
Phase 3: After Signing Definitive Agreement
- Review IRM processes in detail, including prior risk assessment decisions to assess compatibility of risk tolerance.
- Review logs and other documentation regarding security incidents, privacy violations, complaints, breach risk assessments and conclusions, notification plans and previous activities (if any).
- Inquire and request details of any reported breaches or regulatory investigations or audits.
- Request copies of compliance and security attestations, assessments, or audits from high-risk service providers.
- Audit the adherence to procedures for establishing, modifying, and terminating access to sensitive information.
- Review details of remediation activities arising from recent compliance and data security audits or assessments, and the timeline for completion of any audits underway.
- Review documentation of all activities undertaken to test business continuity plans, disaster recovery plans, and emergency mode operations.
This three-phase approach to assessing an M&A target’s IRM and regulatory compliance programs will help prevent unwelcome surprises and unplanned liability — potentially saving a huge amount of both time and money.