Security risks in mergers and acquisitions


Financier Worldwide Magazine

June 2016 Issue

June 2016 Issue

Mergers and acquisitions (M&A) between two companies bring a unique synergy that cannot be obtained by one company alone. Along with synergy, M&A brings a whole host of benefits to the table including product diversification and an increased customer base as well as cost and competition reduction. However, one of the aspects rarely discussed during M&A is the identification of security risks and how organisation’s can then manage those risks in a cost efficient manner while at the same time achieving a smooth integration.

Why should organisations consider security in a merger or acquisition? While the merger is occurring to achieve a beneficial business solution, it also brings a host of security risks, so organisations need to be informed as much as possible prior to and during the merger in order to decide the best course of action for each of the risks.

To understand the risk requires an in-depth analysis of all different domains of security with respect to both companies. As an example, two companies (A and B) may have similar product lines. Company A acquires Company B. Company A has a different set of security policies and procedures for deploying an application into production than Company B. The two companies may also have different risk assessment and acceptance methodologies. This is important because the risks accepted by one company affect the other. To remedy this, the focus should be on understanding risk management followed by risk identification to drive informed decisions according to some priority.

The early identification of risks helps reduce cost and effort required to mitigate those risks. However, organisations must come up with a comprehensive risk strategy plan that will identify and prioritise the risk mitigation efforts.

Comprehensive risk strategy plan

The first step is to ensure that the risk management processes are compatible. This means that governance is a key consideration and should be one of the first items addressed when two companies integrate. Organisations need to understand how they should effectively carry out risk management as well as be clear on what processes are critical, what practices are accepted and ultimately what level of risk is acceptable. Governance provides a holistic framework with which to achieve these goals.

After the risk management processes are understood there are a few keys activities that can be used to help identify risks present with software systems. These activities are architectural risk analysis, static code analysis and penetration testing.

Architectural risk analysis should be considered during an M&A where different architectures of applications, technology stacks and design models integrate together. The goal is to understand the security architecture of the system and identify potential threats as a way to understand the risks.

Static code analysis can be performed on source code in a cost-effective, time-efficient manner. It is necessary for large application code bases where manual reviews are not feasible.

Penetration testing can be performed on systems that have been deployed as well as those under development. The goal is to discover exposed risks by looking at the system the same way that a malicious attacker would.

It is important to understand that the above activities work together to discover risks. Architecture analysis generally discovers design flaws present in the system and penetration testing tends to find implementation errors. There is roughly an even distribution between design flaws and implementation errors, so if only one activity is performed then only half of the problems have been identified.

Architecture analysis, code review and penetration test are all activities necessary in a secure software development lifecycle. It is therefore also worthwhile to understand the development methodologies and ensure that they contain the necessary steps to build security in throughout the process. The BSIMM is an approach that contains 112 distinct activities spread out in four domains, and can be used as a blueprint to view development activities.

Outside of the development cycle are standard security protections that should also be assessed, including network security provisions for workstations, network devices (firewalls, routers, access points, etc.), web servers and remote connectivity for employees. The IT procedures and processes for data storage, data retention, backup and recovery are also key elements.

The bottom line

Through active risk identification and evaluation, those firms in the process of a merger or acquisition can better understand and prioritise the risks. This enables informed decisions about the most efficient use of resources to secure the company and customer data.


Dan Lyon is a principal consultant at Cigital. He can be contacted on +1 (703) 404 9293 or by email:

© Financier Worldwide

©2001-2019 Financier Worldwide Ltd. All rights reserved.