Data Protection in Mergers, Acquisitions and Divestitures Image

All attackers, inside and outside, are ultimately after data, whether in servers, on endpoints or in the cloud. Mergers, acquisitions and divestitures (MAD) are times when companies are in a particularly transitional state. In a merger or acquisition, the state of the inherited data, or its location, isn’t always known.

The policies between two companies may conflict, or one may have no policies at all. Divestitures present a unique challenge in that the data is now being split from an entity, and determining what data goes where isn’t always as straightforward as it sounds. Data pre-divestiture is often stored in shared locations like SQL servers or in cloud storage locations like OneDrive.

In 2023, the FBI issued a notice to companies involved in mergers and acquisitions, highlighting several examples of large attacks in 2020 and 2021, noting that companies are often more vulnerable during these times.

Each stage of mergers, acquisitions and divestitures presents its own unique challenges and should be approached with tailored processes. Various tools can make data discovery easier and more comprehensive; however, there will always be a manual component to each of these situations.

The three W’s of data are very important in any merger, acquisition or divestiture:

  1. What is the critical data?
  2. Where is the critical data?
  3. Who has access to the critical data?

Ensuring Data Integrity and Security

Mergers

In a merger, data from both companies should be reviewed for its integrity to validate that there are no viruses or malware and that it doesn’t violate any rules or regulations that the companies may be under. This becomes a collaborative effort on both teams’ parts.

This is also a critical moment for monitoring insider activities. Data monitoring is important, especially for exfiltration. Restricting data storage to the local network, company-owned devices and approved cloud storage locations will significantly reduce the risk of data being removed. Mergers focus on the flow of data from the legacy company into the new entity.

Acquisitions

Acquisitions, on the other hand, are about understanding the data. If tools are not already in place to find and monitor data, then tools should be brought into the environment. An acquisition is a crucial time to understand what regulations both companies are under and how best to meet those regulations before the companies come together.

If the companies aren’t intended to merge, then a plan on how the companies will share data needs to be examined and put into place. The important part of sharing data is to have the identities aligned in both organizations so that they can be controlled in a simple manner. Some kind of federation, be it through Entra ID, Ping, Okta or ADFS, needs to come into play.

Divestitures

Divestitures are a unique challenge across the security spectrum, not just in data protection. However, there is a deeper component in data protection and identity when dealing with divestitures. With data being in mixed states and user information changing, determining who owns the data and regenerating the proper permissions is complex.

Divestitures require proper tooling and deep experience across different security domains to be successful. Data integrity and exfiltration are important considerations when data is moving in large quantities from one location to another. A strict data retention and loss prevention strategy needs to be in place and enforced across both organizations.

In an article, Forbes stated, “For the buyer, a $50,000 assessment can potentially save $5 million of risk exposure and IP loss.” The additional benefit is that an assessment will provide a larger view of both organizations’ cybersecurity practices and gaps.

Data Protection in MAD

The conclusion here is that in any stage of MAD, employees are engaged with new tasks, integration/separation is complex, there is a significant amount of money involved and there are gaps in the knowledge required. A third party with a deep understanding of the processes can be greatly beneficial to keep data secure and see a significant reduction in risk.

Navigating the complexities of mergers, acquisitions and divestitures requires a robust approach to data protection. Contact us today to learn more about how we can support your data protection needs.

Subscribe to the Newletter

Back to Resources

Similar Posts