For security teams, the stakes are rarely as high as they are during mergers and acquisitions (M&A). Suddenly, you're tasked with managing two companies' worth of devices, applications, identities, and data. There can be serious issues lurking within the newly acquired (or soon-to-be-acquired) company, including legacy systems, poorly vetted third-party contractors, and incompatible security policies.
Examples of what can go wrong during an M&A are legion, but the mergers of Verizon and Yahoo, as well as Marriott and Starwood, stand out as two particularly public fiascos. During both mergers, it was discovered that security oversights led to massive data breaches, costing hundreds of millions of dollars and creating a PR nightmare for all involved.
Due diligence
Stories of M&As gone wrong demonstrate the importance of the due diligence phase. For security leaders, the most critical window in an M&A is before the ink dries. To mitigate any unpleasant post-acquisition surprises, security should be integrated into the process as soon as negotiations begin. Kane Narraway, Canva's Head of Enterprise Security, suggests that, if you work at a larger company with a Corporate Development (Corp Dev) team, “they tend to be the people running the acquisitions and doing the deals… Make friends with them so that you can get ahead of any acquisitions.”
When doing your due diligence, resist the temptation to prioritize speed over scrutiny. This is your opportunity to identify risks that could impact the value of an acquisition before any agreements are signed.
Because these deals often move fast, it's likely you won't have the time to do a full red-team exercise; instead, you need to focus on signal-rich evidence. This requires security to run both discovery and validation in parallel.
- Discovery: Review policies, read documentation, and interview the IT and InfoSec teams.
- Validation: Perform pentesting, lightweight recon, and surface any high-risk exposure areas.
Signal-rich evidence can come in a variety of forms, but prioritize requesting key documentation, such as compliance certifications, security policies and procedures, organizational charts, and recent audits. These can quickly reveal a company's security posture and organizational maturity.
Wendy Nather, Senior Research Initiatives Director at 1Password, points out that maturity isn't necessarily about the amount of documentation a company has. “Smaller companies don’t have time to do a lot of the really fancy documentation that people will look for. So it’s not necessarily a sign that you’re getting a lemon from a security point of view, it’s just natural.” Instead, she suggests focusing on how the team responds to requests. “If they can pull out some papers and say, ‘here, here’s all we have, ask us if you need anything else,’ that’s super impressive.”
Pentesting is also an important way to validate your assumptions, though in an acquihire scenario, this is less crucial. But if the primary motivation for an acquisition is a product, then you'll want to ensure there are no obvious vulnerabilities that could lead to a breach and unfavorable headlines.
Understanding integration scenarios
No two M&A deals are exactly alike, and one major way they can differ is how the two companies integrate. There are three general flavors:
- No integration: In this scenario, systems remain separate. There are several reasons for this choice, but often it's in an “acquire to kill” scenario.
- Partial integration: Some systems, such as laptops and identity platforms, are fully integrated, while others, like cloud infrastructure, may remain separate.
- Full integration: This is rare and typically only seen in the acquisition of very new products or companies.
For security leaders, it's essential to be clear on the strategy behind an acquisition. If you don't understand why you're doing the acquisition, you'll waste time securing systems that don't need to be integrated. If it's a simple acquihire where a product is being deprecated, there's no need to spend valuable time and resources on it.
This clarity is also key to conveying potential risks to the executive, engineering, and Corp Dev teams. It's not enough to simply say, “This team doesn't have a mature access control policy.” Instead, focus on translating that into tangible business impacts such as potential data exposure, integration delays, and privilege abuse. If you don't know the purpose of an acquisition, then it will be impossible to understand which risks will actually have an impact on the deal.
In addition to deciding which systems to integrate and how, you'll need to determine how to resolve policy and compliance differences. While two companies may each technically be compliant, they might use different compliance frameworks with conflicting data privacy, logging, and retention policies. Compliance can become a significant headache overnight as you try to reconcile multiple frameworks, and it may be the easiest and most effective approach to simply apply the stricter model across the board.
The due diligence phase of the M&A ends once integration begins, but it's no time to let your guard down. There will inevitably be some post-deal chaos that creates an ideal environment for social engineering attacks and insider threats. Access control risks such as ghost or orphaned accounts and overprovisioned roles are rampant, not to mention any third-party contractors or individuals who may use BYOD to access sensitive data.
It's important to be vigilant, control information sharing, and implement a robust logging system in those crucial early days.
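One concrete way to get ahead of the orphaned-account and overprovisioned-role problem described above is to reconcile the acquired company's identity-provider export against its HR and contractor roster on day one. The script below is an added example for this post, not 1Password's code or part of any product; the roster, account export, job-family-to-role mapping and 90-day dormancy threshold are all constructed assumptions for illustration.

```python
"""
Reconcile an IdP user export against an HR/contractor roster to surface
post-deal access risks: orphaned ("ghost") accounts, overprovisioned roles,
contractor accounts past their end date, and dormant accounts.

Every record below is constructed sample data, not from a real organization.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    """One row of the HR / contractor register (constructed schema)."""
    email: str
    status: str                 # "active" or "terminated"
    job_family: str             # "engineering", "finance", "it", "contractor", ...
    contract_end: Optional[date] = None


@dataclass
class Account:
    """One row of the acquired company's IdP export (constructed schema)."""
    email: str
    roles: Tuple[str, ...]
    last_login: Optional[date]


# Assumption for the example: which roles each job family legitimately needs.
# Anything outside the set is treated as overprovisioned.
ADMIN_ROLES = {"org_admin", "billing_admin", "iam_admin"}
ROLES_ALLOWED_BY_FAMILY: Dict[str, set] = {
    "it": ADMIN_ROLES | {"user"},
    "engineering": {"user", "repo_admin"},
    "finance": {"user", "billing_admin"},
    "contractor": {"user"},
}


@dataclass
class Findings:
    orphaned: List[str] = field(default_factory=list)
    overprovisioned: List[Tuple[str, str]] = field(default_factory=list)
    expired_contractor: List[str] = field(default_factory=list)
    dormant: List[str] = field(default_factory=list)


def reconcile(accounts: List[Account], roster: List[Person],
              today: date, dormant_days: int = 90) -> Findings:
    """Cross-reference each IdP account with the roster and classify risks."""
    people = {p.email.lower(): p for p in roster}
    findings = Findings()
    for acct in accounts:
        person = people.get(acct.email.lower())
        # No matching active person: a ghost/orphaned account (service
        # accounts nobody owns land here too and need an owner assigned).
        if person is None or person.status != "active":
            findings.orphaned.append(acct.email)
            continue
        # Contractor whose engagement ended but whose account still exists.
        if (person.job_family == "contractor" and person.contract_end
                and person.contract_end < today):
            findings.expired_contractor.append(acct.email)
        # Roles beyond what the person's job family warrants.
        allowed = ROLES_ALLOWED_BY_FAMILY.get(person.job_family, {"user"})
        for role in acct.roles:
            if role not in allowed:
                findings.overprovisioned.append((acct.email, role))
        # Dormant accounts are a common foothold; flag for review/disable.
        if acct.last_login is None or (today - acct.last_login).days > dormant_days:
            findings.dormant.append(acct.email)
    return findings


def demo() -> Findings:
    """Run the reconciliation over constructed sample data."""
    roster = [
        Person("alice@acme.example", "active", "engineering"),
        Person("bob@acme.example", "terminated", "engineering"),
        Person("carol@acme.example", "active", "contractor", date(2024, 1, 31)),
        Person("dan@acme.example", "active", "finance"),
    ]
    accounts = [
        Account("alice@acme.example", ("user", "repo_admin"), date(2024, 3, 1)),
        Account("bob@acme.example", ("user",), date(2023, 12, 1)),
        Account("svc-backup@acme.example", ("org_admin",), None),
        Account("carol@acme.example", ("user", "org_admin"), date(2024, 2, 20)),
        Account("dan@acme.example", ("user",), date(2023, 11, 1)),
    ]
    return reconcile(accounts, roster, today=date(2024, 3, 10))


if __name__ == "__main__":
    for name, items in vars(demo()).items():
        print(f"{name}: {items}")
```

In practice the roster comes from the HR system of record and the account list from an IdP or SaaS admin export; the point of running this before integration is that every finding maps directly to a business impact you can put in front of Corp Dev (an unowned admin account is data-exposure risk, an expired contractor with access is a third-party governance gap).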
A marathon, not a sprint
The entire M&A process is a lengthy, complex, and high-stakes endeavor. Security involvement starts with the initial evaluation and can last through months or even years of integration, depending on the size and scope of the acquisition. Security also can't be bolted on; it needs to be an integral part of the process from moment one, assessing both technical and cultural risks and enforcing consistent controls and access.
1Password Extended Access Management can help organizations navigate the security challenges of M&A. Its three pillars (1Password Enterprise Password Manager, Trelica by 1Password, and 1Password Device Trust) can help transform disparate systems into a unified, auditable, and role-based environment, even before integration is complete.
1Password Extended Access Management is designed to bridge the Access-Trust Gap: the risks posed by unmanaged devices, applications, and AI agents accessing company data without proper governance controls. It can secure secrets and credentials, discover and enforce access policies across SaaS apps, and provide cross-platform endpoint security, including for BYOD.
During the integration phase, 1Password Extended Access Management can provide a consolidated view of access across both organizations, automate provisioning/deprovisioning workflows, and provide audit-ready SaaS and device governance. This is huge when you're inheriting a large number of new apps, employees, and contractors. Quickly identifying all parties with access to company data, ensuring they have the proper provisioning, and verifying that their devices meet company security policies can help limit risk and mitigate the chaos often inherent in the M&A process.
If you want to learn more and hear directly from experts with years of experience navigating the often nerve-wracking world of M&A, check out our recent webinar, Navigating M&A: What every security leader needs to know. In the webinar, Wendy Nather, 1Password's Senior Research Initiatives Director, Dave Lewis, 1Password's Global Advisory CISO, and Kane Narraway, Canva's Head of Enterprise Security, talk through the ins and outs of securing your organization through the M&A process, tell stories from the trenches, and explain common pitfalls that doom many acquisitions.