
Ensuring Security Compliance Success in Mergers and Acquisitions

Yair Kuznitsov
August 31, 2022

2021 was a watershed year for mergers and acquisitions.

Despite a backdrop of Covid-19 and gloomy worldwide economic predictions, the M&A scene smashed records across sectors like tech and infrastructure, which saw some of their strongest years yet. In October, KPMG predicted that global M&A activity would hit a record $6 trillion by the end of the year. While those numbers are still being tabulated, it's clear that 2021 will go down as an epic year that saw companies making up for 2020’s lost time and opportunities.

While the looming recession means this year is unlikely to shape up the same way, the deals that have already been settled need to be nurtured and tended with extra care. Quite obviously, massive amounts of planning and groundwork must go into ensuring successful M&As. Due diligence activities regarding company financials, contracts, technology and much more aim to cover the depth and breadth of the involved parties’ systems — to confirm that the planned unification is, in fact, a wise move.

The Overlooked Challenge: Security Compliance

While the prospect of combined future possibilities may be dazzling, companies should take care to not get blinded — and blindsided. Underestimating obstacles can result in delayed integration, wasted time and exorbitant costs. One unexpected obstacle that companies may face lies in failing to account for misalignment between multiple Compliance programs.

While due diligence activities certainly do delve into Security Compliance issues, they tend to focus on the stages before and during the M&A. Before the merger or acquisition, the purchasing party will gather information regarding potential breaches that have occurred or possible shortcomings in tooling and/or infrastructure. Once things become a bit more serious, under NDA, the acquiring party will investigate the status of their Security Compliance standards. Do they have SOC 2? Is ISO 27001 on their road map? Do they have HIPAA if they hold protected health information (PHI)? And so on and so forth.

Then, once both parties have decided that the deal is a go, comprehensive IT and tech-stack assessments are performed and M&A insurance is purchased to make sure that the first year of the partnership is a fruitful one.

Great — but then what?

While there is a clear path for how to proceed before and during the M&A process, what happens when the honeymoon is over and these two Compliance environments are forever merged in holy consolidation?

When it comes to post-M&A, GRC and Compliance leaders are often left with multiple, siloed and incongruous Compliance programs and standards, a mash-up of different controls and different standards that can expose them to risk and create great friction and frustration over time. And any additional growth on top of this already complex and messy set-up creates an even deeper labyrinth of Security Compliance challenges.

A Roadmap To Winning The Compliance Long Game

How can these two programs be harmonized and, thus, get set up for a successful Compliance program?

The typical roadmap to harmonizing independent data sets is:

• Gap Analysis: Understanding the delta between the two programs.

• Getting Stakeholder Buy-In: Ensuring both parties are committed to closing the gaps within an agreed-upon time frame (usually between three months and one year).

• Remediation Planning: Devising a step-by-step plan to close each gap, which may include the need to add on new tooling or bring in new practitioners.

• Execution: Rolling out the plan.

Now imagine the following scenario: company X has just acquired company Y, each with its own diverse appsec, cloud security, infrastructure and endpoint tooling stack — and data coming off each of them. So when it comes to Compliance efforts, company X is essentially left with a program consisting of wildly differing standards and controls. In an effort to reduce the delta between these two programs, they may add controls and/or requirements, so that eventually this new program will be similar to that of company X.

When it is based on screenshots and Excel sheets, the gap analysis portion of the roadmap — which serves as the very foundation of the plan — is messy and time-intensive and requires great manual effort.

Instead, companies can get started with data-oriented definitions to fulfill controls. With definitions rooted in data, all parties have the same building blocks to create nearly 100% alignment, even though each has its own tech stack and the data that comes with it. By replacing screenshots and Excel sheets with standardized data-oriented definitions, achieving alignment is not only feasible, it can be almost entirely automated. This removes the need for loads of manual labor and saves Compliance teams a great deal of frustration.

Using this standardized data-oriented definitions approach, teams can easily take their Compliance program and deploy these definitions to perform the needed gap analysis and work toward implementing the remaining steps of the roadmap.

Ensuring A Successful Integration

Mergers and acquisitions are the key to continual growth. But making sure to get them right is critical. By understanding how to gain true Compliance alignment and create a shared roadmap, you can ensure a successful integration even after the acquisition honeymoon is over.

A version of this blog was published on Forbes on Feb 7th, 2022.

Yair Kuznitsov
Tech geek who appreciates and enjoys a good piece of code, Co-Founder and CEO of anecdotes.
