Data protection in Mergers, Acquisitions, and Divestitures

All attackers, inside and outside, are ultimately after data, whether in servers, on endpoints, or in the cloud. Mergers, acquisitions, and divestitures are times when companies are in a particularly transitional state. In a merger or acquisition, the state of the inherited data, or its location, isn’t always known. The policies between two companies may conflict, or one may have no policies at all. Divestitures present a unique challenge in that the data is now being split from an entity, and determining what data goes where isn’t always as straightforward as it sounds. Data pre-divestiture is often stored in shared locations like SQL servers or in cloud storage locations like OneDrive.

In 2023, the FBI issued a notice to companies involved in mergers and acquisitions, highlighting several examples of large attacks in 2020 and 2021, and noting that companies are often more vulnerable during these times. Each stage of mergers, acquisitions, and divestitures presents its own unique challenges and should be approached with tailored processes. Various tools can make data discovery easier and more comprehensive; however, there will always be a manual component to each of these situations.


Ensuring Data Integrity and Security

In a merger, data from both companies should be reviewed for its integrity to validate that there are no viruses or malware and that it doesn’t violate any rules or regulations that the companies may be under. This becomes a collaborative effort on both teams’ parts. This is also a critical moment for monitoring insider activities. Data monitoring is important, especially for exfiltration. Restricting data storage to the local network, company-owned devices, and approved cloud storage locations will significantly reduce the risk of data being removed. Mergers focus on the flow of data from the legacy company into the new entity.

Acquisitions, on the other hand, are about understanding the data. The three W’s of data are very important here: 

  1. What is the critical data? 
  2. Where is the critical data? 
  3. Who has access to the critical data? 

If tools are not already in place to find and monitor data, then tools should be brought into the environment. An acquisition is a crucial time to understand what regulations both companies are under and how best to meet those regulations before the companies come together. If the companies aren’t intended to merge, then a plan on how the companies will share data needs to be examined and put into place. The important part of sharing data is to have the identities aligned in both organizations so that they can be controlled in a simple manner. Some kind of federation, be it through Entra ID, Ping, Okta, or ADFS, needs to come into play.

Divestitures are a unique challenge across the security spectrum, not just data protection. However, there is a deeper component in data protection and identity when dealing with divestitures. With data being in mixed states and user information changing, determining who owns the data and regenerating the proper permissions is complex. Divestitures require proper tooling and deep experience across different security domains to be successful. Data integrity and exfiltration are important considerations when data is moving in large quantities from one location to another. A strict data retention and loss prevention strategy needs to be in place and enforced across both organizations.

In an article, Forbes stated, “For the buyer, a $50,000 assessment can potentially save $5 million of risk exposure and IP loss.” The additional benefit is that an assessment will provide a larger view of both organizations' cybersecurity practices and gaps. The conclusion here is that in any stage of mergers, acquisitions, and divestitures (MAD), employees are engaged with new tasks, integration/separation is complex, there is a significant amount of money involved, and there are gaps in the knowledge required for M&As and divestitures. A third party with a deep understanding of the processes can be greatly beneficial in keeping data secure and significantly reducing risk.

How BDO Digital Can Help

Navigating the complexities of mergers, acquisitions, and divestitures requires a robust approach to data protection. At BDO Digital, we understand the unique challenges that arise during these transitional periods. Our team of professionals is equipped with the tools and knowledge necessary to help with data integrity, compliance, and security. Whether it's assessing the state of inherited data, monitoring insider activities, or implementing stringent data retention and loss prevention strategies, BDO Digital can help safeguard your critical information. 

Don't leave your data protection to chance. Contact us today to learn more about how we can support your data protection needs during any stage of MAD.