What are the cybersecurity implications of mergers and acquisitions in the GCC?

The biggest mistake an organisation could make is to assume that the company it is looking to acquire is inherently secure



A wave of consolidation has been sweeping across the Middle East resulting in the mergers and acquisitions (M&A) market growing at an unprecedented rate.

An increase in the number and value of deals in the MENA region translated to a 68.7 per cent growth in deal value in 2018 to $26.76bn.

And this trend shows no signs of slowing down in 2019 as the merging of three top banks in Abu Dhabi, the cross-country collaboration between Kuwait and Bahrain, and Saudi Arabia’s largest-ever M&A deal are all expected to take place this year.

Given the financial risks these deals often entail, it isn’t surprising that they are preceded by careful evaluation, analysis and due diligence.

While this is done to a high degree of detail when assessing the business implications, it is important for the organisations involved not to overlook the resultant impact on the cybersecurity posture of the new entity.

After all, failure to do so can bear serious consequences as was proven by the data breach of the world’s largest container shipping company, Maersk. The high-profile cyber-attack on the company originated at a remote branch, where the IT environment was not as secure as at the company’s headquarters.

Unfortunately, the cybersecurity chain is only as strong as its weakest link, so the introduction of such security shortcomings, as is often the result of M&As, is something businesses need to start paying due attention to.

Today, digitisation is pervasive across industries as IT is fundamental to the operations of any organisation, irrespective of its size or line of business. Just as enterprises assess cashflow generation and profitability before acquisitions, so too must they consider the state of the IT environment and how their digital assets are secured.

The biggest mistake an organisation could make is to assume that the company it is looking to acquire is inherently secure, and that its security processes and risk mitigation procedures are up to the mark. Unfortunately, excelling in its area of expertise doesn’t necessarily imply that the company is also good at cybersecurity.

Risk profiles of organisations therefore need to be considered. At times, even the geographical location of organisations plays a notable role in the overall risk profile and hence needs to be accounted for as well. After all, if the cyber defences aren’t up to the mark, or the risk entailed is large, remediation of this could require significant investment which should be reflected in the value of the deal.

Evaluation of the organisation’s security posture should be followed by identification of the threats that could arise on account of the merging and restructuring.

One of the implications of integration between organisations is that their IT systems will be opened to lateral communications between systems that weren’t originally designed to be interconnected. This rapid introduction of new tools, solutions, devices and users onto the IT network can lead to a scenario wherein the IT team is overwhelmed by having to manage multiple disparate systems. To stay on top of this entire process, they must understand the architectures, the event management systems, and the technologies each organisation utilises to identify threats.

In some instances, organisations will need to establish, even if on just a temporary basis, secure connectivity between two different IT systems. Furthermore, there are sure to be redundancies across the new organisations which will warrant consolidation, also from an IT perspective.

In the interim, systems or devices with security vulnerabilities might still exist. Assessing the risks associated with these and deciding how to address them in the most efficient and cost-effective manner needs to be carefully considered because, if left unchecked, they could result in data breaches and other cyber-attacks.

There is of course an efficient way to address these challenges. Just as organisations entrust the M&A process to firms that specialise in the field, so too, they can benefit from the expertise of cybersecurity consultants to manage the cybersecurity aspects of the merger. This could be done either via a deep dive, or at the very least, by going for a table-top exercise to help understand what’s being done in both organisations, how they uncover cyber threats, and what they do to mitigate those risks.

Once IT systems have been securely integrated and policies and procedures updated as per the processes of the new entity, the final piece of the puzzle is to determine ownership of the IT security function.

As is often the case, prior to restructuring, both organisations will have their own security operations processes, IT teams and, most likely, maturity levels, which can create both technical and non-technical obstacles that must be overcome.

It may be tempting to think that the larger organisation will have the better security pedigree and better processes, but this cannot be assumed without evaluation. Just as industry best practices often find their way into organisations from external influences, so too can security best practices be learned from new acquisitions. Ultimately, an expanded and enhanced IT team that draws from the knowledge and strengths of each organisation is one of the positive side-effects of a successful merger.

Data is the new oil and today, every organisation must take responsibility for protecting its digital assets. Failure to do so can potentially translate to significant financial and reputational losses.

With the number of cyber threats constantly on the rise, securing the organisation itself poses a formidable challenge which businesses have increasingly begun to rise up to.

Just as debt, risks, intellectual property and more are inherited in the M&A process, so too are the cybersecurity threats and challenges. Conducting cybersecurity due diligence and risk assessment must therefore become a fundamental part of the M&A process.

Nicolai Solling is the CTO at Help AG