Mergers and Acquisitions: Bracing for the Information Security Aftershock

Author: Aparna Patil, CISA, ISO 22301 LI, ISO 27001 LA, PCI DSS IMPLEMENTER and Ramesh Ramani
Date Published: 1 May 2025
Read Time: 11 minutes

Mergers and acquisitions (M&As) can be considered a creative disruption. Often, they require not only the amalgamation of the financial assets, products, services, and human capital of the organizations involved, but also the integration of their IT infrastructures—including data. The result is a massive new entity. The process of identifying all information assets usually takes months, but for larger enterprises it can take years. The organization with majority control bears the responsibility to protect the information newly gathered under its umbrella and to ensure that it maintains accountability for such information. Hence, it is imperative to conduct a comprehensive analysis of the target organization’s maturity, from an information security perspective, before deciding to enter a merger or make an acquisition.

Consolidation and Governance

Information assets in an organization can reside within its own infrastructure, with the vendors that process its data, or on shared cloud platforms managed by others. The dispersed nature of assets makes it difficult to implement comprehensive data security controls. Security risk is increased by a significant amount during an M&A, when teams are no longer under a centralized command. Teams may be accustomed to following different processes and lack a holistic view of the infrastructure or an understanding of where data repositories are located.

Weakened governance over information security can lead to data leaks that impact organizations in harmful ways. These include the exposure of confidential data, such as competitively sensitive information (CSI), resulting in negative financial impacts; fines due to regulatory noncompliance in the event of leaks involving personally identifiable information (PII); a decrease in market share due to the loss of goodwill and trust; and increased vulnerability to cyberattacks that could shut down operations, among other consequences. M&A also increases the threat landscape for the acquiring enterprise as it performs risk assessments.

To help mitigate this risk, cybersecurity mesh architecture (CSMA) has been proposed as a viable solution in recent years.1 The CSMA approach provides security for enterprises with many digital assets—and individuals—located outside of the traditional infrastructure. To secure organizations undergoing digital transformation and adopting multiple new technologies, cybersecurity teams need options that are flexible, agile, scalable, and composable. The trend toward vendor consolidation has also been gaining steam, with chief information security officers (CISOs) increasingly recognizing that having too many security vendors makes management more complex and less effective.2 However, consolidation is challenging and often takes years to roll out.

To combat breaches resulting from misused credentials, many organizations are implementing identity-first security to protect their cloud assets.3 This approach denies intruders the freedom to move laterally across networks once they have gained access. An organization that adopts an identity-first security posture must ensure that its infrastructure is properly configured, maintained, and monitored with an elevated priority level.


Organizations that adopt technologies such as artificial intelligence, blockchain, virtual reality, augmented reality, and Internet of Things (IoT) may face a sudden increase in security threats, creating an immediate need for security posture management (SPM). SPM refers to the continuous process of assessing, monitoring, and improving an organization's overall security stance to protect against cyberthreats. It involves identifying vulnerabilities, ensuring compliance with security policies, and proactively mitigating risk across an organization's IT environment, including cloud, on-premises, and hybrid infrastructures.

Information Security Incidents During Mergers and Acquisitions

M&As are most common in the healthcare, technology, financial services, and retail sectors,4 which are also some of the sectors that have experienced major data breaches.5 A relevant case study is Verizon’s acquisition of Yahoo in 2017 for US$4.48 billion, a deal initially valued at US$4.83 billion. The significant price reduction was due to Yahoo's disclosure of two massive data breaches that occurred in 2013 and 2014, affecting more than a billion user accounts.6 The breaches exposed critical user data and led to regulatory scrutiny and numerous legal challenges, delivering a severe hit to Yahoo's reputation. This case exemplifies the financial and reputational risk associated with acquiring an enterprise with undisclosed or poorly managed cybersecurity issues.

Another case study is the Anthem Inc. and Cigna deal. In 2015, Anthem, one of the largest health insurers in the United States, attempted to acquire Cigna for US$54 billion. However, a massive data breach at Anthem exposed the personal information of nearly 80 million individuals. The breach raised significant concerns about data security practices within the healthcare sector and contributed to the eventual failure of the merger.7

Information Security Needs at Different M&A Stages

Organizations may consider M&As for different reasons, including financial investment, horizontal integration, vertical integration, acquisition of advanced technological capabilities, addition of supply chain capabilities, and so on. These objectives shape the focus of information security management.

The M&A process begins with conducting research to identify a potential target organization. The merger of the infrastructure, applications, and data results in the acquiring organization gaining access to the target organization’s assets. Information security and governance need to be centralized under the full control of a single entity to ensure consistent enforcement of security protocols, compliance with regulatory requirements, and effective management of risk associated with the merger.

Pre-Merger
The degree of alignment between the IT infrastructure of the acquiring and target enterprises should be examined. Some important considerations include:

  • Infrastructure can be both on-premises and in the cloud. Compatibility between the infrastructures of both organizations should be assessed to identify interoperability and integration issues post-merger.
  • The skill set of the IT staff in the acquiring organization should be evaluated with regard to their ability to manage the target organization’s existing infrastructure and technology.
  • The target organization may have software as a service (SaaS) tie-ups that will indirectly become a part of the acquiring organization post-merger. Third-party risk assessments should be conducted to assess the target enterprise’s vendors.
  • Assurance reports should be reviewed, including those related to SOC 2 Type II compliance, penetration tests, stress tests, or International Organization for Standardization (ISO) certifications. The review should cover the scope of each certification as well as how cyberdrills, business continuity plan (BCP) drills, and restoration drills are conducted, to gain an understanding of the security posture of the target enterprise.
  • Ongoing investigations by regulatory bodies related to data breaches or cyberattacks, obligations toward regulators and customers, and any ongoing lawsuits related to (but not limited to) information security or cybersecurity must be considered. If any such events are found, the acquiring company must indemnify itself to prevent financial or reputational damage.

Post-Merger
All enterprises owned and managed by the acquiring organization should have a well-defined road map and be aligned to a single security policy. Efforts should be made to align the controls implemented in the target organization with the requirements of the acquiring organization. Some of these important tasks include:

  • Ensure secure integration between the infrastructures of both organizations to avoid exposure of unsecured application programming interfaces (APIs) to the internet.
  • Obtain nondisclosure agreements (NDAs) signed by the staff of the acquired organization when they complete the transition to become staff of the acquiring organization. It should be noted that NDAs signed during employee tenure as staff of the acquired organization do not protect the interests of the acquiring organization.
  • Assess the change in risk level using the acquiring organization’s risk register and observations made by its audit and risk departments.
  • Check if background verification standards for employees of the acquired enterprise match those of the acquiring enterprise. If not, reverify. Human resource (HR) security should not be taken lightly.
  • Review third-party risk management practices followed by the acquired organization. All contracts should be redrafted to include the name of the acquiring organization along with indemnity clauses to cover breach exposures that may have occurred during the merger.
  • Revisit the cyberinsurance held by the acquiring organization to ensure coverage of the assets brought in via the M&A activity.
  • In cases where a critical application from the target enterprise is being retained, escrow arrangements should be considered and updated.
  • Consider the applicability of any new regulations or laws to the newly acquired enterprise with respect to its geographical presence (physical or operational), the type of data it processes, and so on.
  • Ensure that data migration and the normalization of data have been handled efficiently and effectively without creating risk affecting the confidentiality, integrity, correctness, and availability of data.8
  • Remain aware that digital transformation and carbon footprint reduction—including but not limited to consolidation of infrastructure assets and reducing the data center presence of the merged organization—can give rise to increased risk of information security lapses during changes in asset management (e.g., affecting data disposal and physical security compliance).
  • Revisit the infrastructure and applications from the acquired organization. M&As will require that business impact assessments (BIAs) be redone and business continuity management (BCM)-related plans be revised to meet the needs of the acquiring organization.
  • Incorporate the new information assets into the information security governance road map. The road map should assist when integrating the acquired organization’s policies with those of the acquiring organization to achieve more effective governance.
  • Engage in proper asset disposal methods when disposing of decommissioned assets of the acquired organization.
  • Follow the identity and access management (IAM) life cycle to remove unapproved roles and prevent unauthorized individuals from accessing the applications and systems of the acquired organization after the infrastructures are merged.
  • Ensure well-planned data migration without compromising the integrity and availability of data. It is equally important to run comprehensive tests for verification.
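The IAM clean-up step above (removing unapproved roles and accounts without a current owner before the infrastructures are merged) can be turned into a repeatable reconciliation check. The following is an added example, not code from the article or its authors; the account names, roles, HR roster, and service-account owners are constructed sample data, and the acquired organization's identity provider export is assumed to be available as an account-to-roles mapping.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical names and roles, not from the article).
ACQUIRED_ACCOUNTS = {          # account -> roles exported from the acquired org's IdP
    "j.doe": {"billing-viewer", "legacy-admin"},
    "a.smith": {"billing-viewer"},
    "m.lee": {"hr-reader"},
    "svc-backup": {"backup-operator"},
    "svc-legacy": {"legacy-admin"},
}
TRANSITIONED_STAFF = {"j.doe", "a.smith"}                 # HR roster after transition
SERVICE_ACCOUNT_OWNERS = {"svc-backup": "a.smith", "svc-legacy": "b.old"}
APPROVED_ROLES = {"billing-viewer", "hr-reader", "backup-operator"}  # acquirer's catalog
PRIVILEGED_ROLES = {"legacy-admin", "backup-operator"}    # need explicit re-approval


@dataclass
class Findings:
    orphaned: set = field(default_factory=set)      # disable: no current owner
    unapproved: dict = field(default_factory=dict)  # account -> roles outside catalog
    privileged: dict = field(default_factory=dict)  # account -> roles to re-approve


def reconcile(accounts, staff, owners, approved, privileged):
    """Flag accounts and roles that must be handled before the IdPs are merged."""
    findings = Findings()
    for account, roles in accounts.items():
        # A service account is owned if its recorded owner transitioned;
        # a human account is owned if it appears on the HR roster itself.
        owner = owners.get(account, account)
        if owner not in staff:
            findings.orphaned.add(account)
        outside = roles - approved
        if outside:
            findings.unapproved[account] = outside
        high = roles & privileged
        if high:
            findings.privileged[account] = high
    return findings


if __name__ == "__main__":
    result = reconcile(ACQUIRED_ACCOUNTS, TRANSITIONED_STAFF, SERVICE_ACCOUNT_OWNERS,
                       APPROVED_ROLES, PRIVILEGED_ROLES)
    print("disable (no owner):", sorted(result.orphaned))
    print("remove (unapproved roles):", result.unapproved)
    print("re-approve (privileged roles):", result.privileged)
```

Service accounts are the usual blind spot here: they never appear on an HR roster, so the check resolves them through a recorded owner and treats an owner who did not transition as equivalent to a missing owner.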

M&As and COBIT

In addition to implementing best practices prescribed by global frameworks for information security, it is important to treat the integration of the IT verticals of both organizations as an important activity that should be subject to governance. COBIT® is a framework for governance of enterprise IT (GEIT) that can help organizations with M&As. Per COBIT, boards and managers should accept more accountability for IT, provide guiding principles, and instill a mindset and culture that helps deliver value from IT.9 It also identifies triggers arising from the internal and external environments. Good governance on the part of the board and effective management by top executives are highlighted in all major frameworks related to information security so that risk can be identified, prioritized, treated, and monitored effectively. Good governance is of the utmost importance during M&A integration to ensure that thorough analyses are performed on the IT infrastructure, vendors, and assets of the acquiring enterprise.

Information security pertains to not only cybersecurity, but also regulatory compliance, data governance, physical security of the location housing data (on print media or digital media), business continuity management, risk management, asset management (including licenses), operations (associated with incident management, change management, configuration management and problem management), third-party risk management (TPRM), human resource security, and much more. Effective and efficient governance is required to optimally manage risk related to all of the above, thus delivering value to the stakeholders and ensuring that it fuels secure business growth.

Conclusion

Information security plays a vital role during M&As. Careful planning, reviews, and research help gather crucial, game-changing information regarding a target organization, which can impact the current and future cybermaturity level of an acquiring organization. It is imperative to ensure that information security risk assessments are conducted before and after an M&A event. These assessments should be followed by a carefully planned, rigorous implementation of risk management strategies to fill identified gaps within a predefined turnaround time, using established risk treatment methods to fix vulnerabilities.

Endnotes

1 Moyle, E.; “What Is Cybersecurity Mesh and How Can It Help You?,” TechTarget, 14 February 2024
2 Lemos, R.; “Note to Security Vendors: Companies Are Picking Favorites,” Dark Reading, 15 September 2022
3 Avner, G.; “Identity-First Security Is the New Perimeter,” Cloud Security Alliance, 23 November 2021
4 DePersio, G.; “Industries Where Mergers and Acquisitions Are Most Common,” Investopedia, 21 July 2022
5 Brooks, C.; “Alarming Cyber Statistics for Mid-Year 2022 That You Need to Know,” Forbes, 3 June 2022
6 Lovitt, O.; Hughes, M.L.; et al.; “Cybersecurity Considerations in Merger and Acquisitions Transactions: An In-Depth Analysis,” WTW, 28 August 2024
7 Lovitt, O.; Hughes, M.L.; et al.; “Cybersecurity Considerations”
8 Grondahl, O.; “Migrating Data During a Merger or Acquisition,” Qlik, 28 December 2021
9 ISACA®, COBIT®

APARNA PATIL, CISA, ISO 22301 LI, ISO 27001 LA, PCI DSS IMPLEMENTER

Is an IS auditor with 10 years of experience in audit, risk management, compliance, and information technology. She is actively working to promote information security among students and professionals and has provided training as well. Patil can be reached on LinkedIn at https://www.linkedin.com/in/aparna-patil-a1302611/.

RAMESH RAMANI

Is a staff cloud security engineer at Block Inc. He has more than 15 years of experience in the field of information technology with a focus on security. He has written several blog posts about Kubernetes security and was awarded three patents in the information security field. Ramani can be reached at https://www.linkedin.com/in/ramesh-ramani-08bb6b16/.