DealLawyers.com Blog

July 30, 2021

Cybersecurity: Strategic & Tactical Considerations in M&A

Cybersecurity and data privacy concerns are an area of increasing legal and regulatory risk for all companies. This Grant Thornton memo says that buyers should develop an “M&A cybersecurity playbook,” an “M&A cybersecurity framework,” and an “M&A cybersecurity plan” in order to appropriately address the issues that may arise during the lifecycle of an M&A transaction.

The memo says that a cybersecurity playbook’s purpose is to help companies successfully identify and monitor these risks in an ongoing and repeatable way as part of their M&A activities. A cybersecurity framework provides a template for cybersecurity integration, while a cybersecurity plan leverages the M&A cybersecurity playbook and framework to plan both tactical and strategic actions during the M&A process. This excerpt lays out the types of tactical & strategic actions encompassed by a sample cybersecurity plan:

Tactical actions:

– Specific cybersecurity threat monitoring must begin on day one and continue for at least the first phase of the merger or acquisition.

– The due diligence risk assessment feeds into remediation of the high-risk issues, followed by remediation of the medium-risk and low-risk issues if needed.

– A compromise assessment provides important input for identifying and isolating potential incidents and taking immediate actions to address them.

Strategic actions:

– A comparative analysis of cybersecurity capabilities will inform the cybersecurity consolidation, business solution migration and subsequent support.

– The cybersecurity integration strategy forms an important foundation for integrating cybersecurity policies, processes, and suppliers.

– The target operating model for cybersecurity, once designed and established, will implement a one-team approach in supporting the cybersecurity program going forward with defined performance metrics and control monitoring.

John Jenkins