During April 2016, hackers are understood to have targeted up to 48 top law firms in order to steal sensitive information related to mergers and acquisitions (M&A), for financial gain.
However, this is just one example of the many cyber-attacks targeted at businesses going through either a merger or acquisition every year, as M&As pose a significant threat due to a company’s IT system being at their most vulnerable.
For example, shortly after Marriott had announced the acquisition of Starwood Group – an American hotel and leisure company – the corporation discovered it had become a victim to a data breach.
By infecting the point of sale terminals with malware, attackers were able to access private customer information – including names, payment card numbers, security cards codes and expiration dates – which prompts many to question whether Marriott’s IT systems were assessed vigorously prior to and during the M&A process.
With so much at stake during the process of an acquisition, IT systems often suffer neglect. The ramifications of such neglect can expose sensitive data for cyber criminals to exploit. To correctly prepare for an M&A, it is essential for IT teams to prioritise due diligence of existing IT systems.
Inspect. Review. Assess.
Technical due diligence refers to the period during which IT systems are inspected, reviewed and assessed for areas of vulnerability that need to be addressed. Organisations looking to be acquired or merge should begin a process of technical due diligence internally before seeking interested parties.
By carrying out such an internal technical due diligence, the company being acquired can be satisfied its systems are robust, secure and fit for purpose, and the acquirer’s due diligence will not expose any issues that may jeopardise the deal.
In addition to the security vulnerabilities, many organisations carry open-source licensing risks. Open-source modules or snippets of code are commonly incorporated by developers into software to aid rapid development.
Although this open-source code is freely downloadable, it is normally subject to an open-source licence, and this licence places restrictions and obligations on what can be done with this code.
Companies often have no idea what open-source code is used in their systems and any breach of licensing restrictions can be costly to fix and endanger the deal. So the internal technical due diligence should include an assessment of open-source licensing risk, allowing the company to resolve any problems in advance.
By conducting thorough technical due diligence before embarking on the process of an acquisition, organisations will have a greater appeal to interested parties and can ensure the deal will proceed smoothly.
Those looking to acquire will have a clearer understanding of the technical assets for sale, with the added reassurance there won’t be any unpleasant surprises.
Yahoo recently felt the ramifications of neglecting IT systems in anticipation of the Verizon acquisition, after it was revealed last year that 500 million customer email accounts were hacked.
This has now had an effect on the final deal, with up to $350 million slashed from the final price as Verizon felt Yahoo wasn’t completely transparent about the breach.
This is a prime example of technical due diligence that hasn’t been thoroughly conducted and proves issues unearthed during the closing stages of an acquisition have affected the final sale price.
Don’t underestimate project management
Once an acquisition has been agreed in principle, senior stakeholders must then address which systems are being continued and which should be decommissioned.
A skilled project manager must be chosen to manage and monitor the implementation of the systems; ensuring decisions impacting the seamless integration of the acquisition are made on time.
>See also: Unprecedented surge in tech M&A in Q1 2017
Companies often underestimate the amount of work that goes into managing the process of an acquisition. This can result in the appointment of a project manager without the necessary skills needed to efficiently run the entire process.
All too often it is assumed acquisitions only affect the financial and legal teams when in reality it affects every department. An individual is needed with the skills to communicate across all departments and at all levels.
The sale is agreed and personnel have merged, but it doesn’t stop there. Post-acquisition integration is a separate project in its own right and requires close engagement from senior stakeholders.
Merging IT systems across companies can affect the smooth running of daily operations, exposing flaws in acquired systems likely to cause system downtime.
By bringing third-party experts onboard, companies facing both pre- and post-acquisition challenges can be kept safe in the knowledge that IT systems are maintained and sensitive data is kept safe.
Whether you are a major player or a start-up, an M&A will inevitably cause significant change at every level. However, it is vital organisations are able to continue operating efficiently and smoothly before, during and after the transition period.
This means the entire integration of new IT systems must be meticulously planned and seamlessly handled and executed by a skilled project manager throughout the entire process.
This project manager will ensure a successful integration of IT systems, supported by effective communication at all levels of the organisation and keep stakeholders engaged. Once in place, the newly merged organisation can enjoy the benefits of a tightly run and diligent joint venture.
Sourced by Nick Pointon, head of M&A at SQS