Managing Cybersecurity During a Merger or Acquisition

During mergers and acquisitions (M&A), insurance policies and finances need to be scrutinized and the future of employees addressed. Cybersecurity is often put on the back burner, which is unfortunate because this is when company data is at its most vulnerable. Data transfers must proceed smoothly, or the companies risk damaging their reputation, losing customers and hurting future sales. Additionally, legal responsibilities must be upheld before, during and after the data transfer process.

Use the following checklist to ensure you have covered all of your cybersecurity bases:

1. Identify all data assets that will need to be transferred.

2. Gather and merge all data standards, policies and processes from employees at both companies.

3. Identify potential risks that could occur during data transfer.

4. Before any data transfers, ensure that data is backed up.

5. Run background checks on any employee who will be involved in the data transfer process.

6. Craft a business continuity plan to prepare for potential data loss or outages during the period when the transfer will occur.

7. Assign one high-level person the job of overseeing all data transfers. They will have the task of dividing and conquering by assigning one person to each data asset that needs to be transferred.

8. Legally transfer ownership of data assets as quickly and completely as reasonably possible.

9. Host training sessions on new data standards, policies and processes.

10. Update disaster recovery, business continuity, and emergency plans to include newly acquired data assets.

11. Update the risk profiles for newly acquired assets.

Preparing for Data Transfer

Planning for data transfer should begin as early in the M&A process as possible. It is wise to assign one person the task of overseeing all data transfers so that there is little room for miscommunication or error.

That person can then delegate smaller tasks, such as identifying data assets, identifying potential risks during transfer and making sure the data transfer complies with federal and state law, but the person in charge should be aware of the current status of all tasks at all times. This person should also manage implementing the interim business continuity plan so that daily operations are disturbed as little as possible. Remember that if the acquired company has already completed portions of the data transfer or consolidation tasks, you should review the work to ensure accuracy.

Consider relocating IT employees from the acquired company early so that they can help with the data transfer and risk identification process, as they will be more familiar with their data and systems. Sufficient time should be mapped out to allow any older data to be converted for use in newer software and programs.

Finally, ensure that your system configuration records are up to date before any data transfers or consolidations. This will help isolate any possible issues and allow for an effective fix.

Good Practices for Data Transfer

Even if your company is completely prepared for the data transfer, it’s still possible that issues will arise during the process. Here are some good practices your company can use to minimize these cyber risks:

• Try to avoid using removable media to transfer data from one place to another. If the only method you can use is removable media, then take extreme care to be sure all records are encrypted, especially if they involve personal information.
• If you have any data that isn’t getting transferred, you should dispose of it safely and completely to ensure it cannot be stolen.
• Do not try to move all data at one time. Set small goals to complete every day or week to prevent an overload on your system or large, messy mistakes.
• Consider halting some of your company’s cyber services until all data has been switched over to protect the services from being adversely affected by the transfer. Another option would be to run a similar service until data has been transferred.
• Increase protective monitoring systems to prepare for the possibility of a disgruntled employee. Mergers and acquisitions are scary, uncertain times for employees, whose roles are often modified or eliminated to accommodate a new company structure. Update all clearances and access capabilities for employees based on new roles.

Safe and secure data transfer during a merger or acquisition is of utmost importance. Communication is crucial during this time, and basic duties and responsibilities should be quickly laid out and assigned to employees before, during and after the transition.

Data transfer is not just about preventing and managing a compromise or service interruption; you must also consider your customers’ and stakeholders’ needs and concerns. Most importantly, ensure your new and existing clients know you’re keeping their data safe.

Learn more about how Hylant M&A and Transaction Solutions insurance and risk management consulting can help you protect your organization.

The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.