In the business world, mergers and acquisitions are commonplace as businesses combine, acquire, and enter various partnerships. Mergers and Acquisitions (M&A) involve complicated processes to merge business processes, management, and a whole slew of other aspects of combining two businesses into a single logical entity.
In the modern business world, a new concern with M&A activities, both before and after the acquisition, is cybersecurity. What role does cybersecurity play in today’s mergers and acquisitions of businesses? Why is it becoming a tremendous concern?
Cybersecurity threats are growing in leaps and bounds
There is no question that cybersecurity risks and threats are growing exponentially. A report from Cybersecurity Ventures estimated a ransomware attack on businesses would happen every 11 seconds in 2021. Global ransomware costs in 2021 would exceed $20 billion.
It seems there are constantly new reports of major ransomware attacks, costing victims millions of dollars. Earlier this year, the major ransomware attack on Colonial Pipeline resulted in disruptions that caused fuel shortages all over the East Coast of the United States. It helped to show that ransomware attacks on critical service companies can lead to real-world consequences and widespread disruption.
This world of extreme cybersecurity risks serves as the backdrop for business acquisitions and mergers. A Gartner report estimated that 60% of organizations that were involved in M&A activities consider cybersecurity a critical factor in the overall process. In addition, some 73% of businesses surveyed said that a technology acquisition was the top priority for their M&A activity, and 62% agreed there was a significant cybersecurity risk in acquiring new companies.
Risks associated with Mergers & Acquisitions
What risks are associated with mergers and acquisitions? There are several that include but are not limited to the following:
Increased regulatory scrutiny
Inherited cybersecurity risks
Compromised accounts and passwords
Lost or damaged customer confidence
Data breaches in the acquired environment
Increased regulatory scrutiny
Compliance regulations, like cybersecurity, are growing more complex and challenging for businesses. For example, regulators scrutinize business deals, including mergers and acquisitions, to help protect data sovereignty and data privacy, both of which are receiving growing emphasis.
From a cybersecurity perspective, businesses that merge or acquire other organizations must make sure data compliance is a top priority to prevent fines for non-compliance.
Inherited cybersecurity risks
Companies must realize that even if they have a robust cybersecurity posture for their organization, the security dynamic can completely change with mergers and acquisitions. As a result, they inherit the cybersecurity challenges and issues of the acquired business.
The acquiring company inherits existing vulnerabilities, standards, risks, and cybersecurity liability as they assume control of the new business.
Compromised accounts and passwords
As was the case with the Colonial Pipeline hack in May 2021, compromised account passwords are often the culprit behind major data breaches and ransomware attacks. As a result, businesses must understand that immediately securing acquired accounts and directory services and implementing breached password protection is a priority.
Scanning the newly acquired environment for password vulnerabilities, reused passwords, breached passwords, and other password threats can help to quickly bolster the cybersecurity stance of the acquired user account assets.
Businesses that have combined due to a merger or acquisition may federate Active Directory accounts between them to access various resources. Password synchronization between on-premises and cloud directory services may also be in play. It further emphasizes the need to strengthen password security as accounts are granted access to additional business-critical resources.
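As an added illustration of the scan described above (not code from the original article or from any product it mentions), the following Python sketch audits a password-hash export from an acquired directory for breached and reused passwords. The `account:hash` export format, the sample accounts, and every hash value are constructed assumptions.

```python
from collections import defaultdict

HEX = set("0123456789abcdef")

# Constructed sample: one "account:hash" line per account (hypothetical export
# format; all hash values are invented placeholders, not real password hashes).
SAMPLE_EXPORT = """\
alice:AAAA0000AAAA0000AAAA0000AAAA0000
bob:aaaa0000aaaa0000aaaa0000aaaa0000
svc-backup:BBBB1111BBBB1111BBBB1111BBBB1111
carol:CCCC2222CCCC2222CCCC2222CCCC2222
dave:bbbb1111bbbb1111bbbb1111bbbb1111
malformed line without separator
erin:
"""

# Constructed stand-in for a breached-password hash list.
BREACHED = {"aaaa0000aaaa0000aaaa0000aaaa0000"}


def parse_export(text):
    """Return ({account: lower-case hash}, [lines that could not be parsed])."""
    accounts, skipped = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, sep, digest = line.partition(":")
        digest = digest.strip().lower()
        # Reject lines with no separator, no account name, or a non-hex/short hash.
        if not sep or not name.strip() or len(digest) != 32 or set(digest) - HEX:
            skipped.append(line)
            continue
        accounts[name.strip()] = digest
    return accounts, skipped


def audit(text, breached_hashes):
    """Flag accounts whose hash is on the breached list or shared with another account."""
    accounts, skipped = parse_export(text)
    breached = {h.lower() for h in breached_hashes}
    by_hash = defaultdict(list)
    for name, digest in accounts.items():
        by_hash[digest].append(name)
    return {
        "breached": sorted(n for n, h in accounts.items() if h in breached),
        "reused": sorted(sorted(names) for names in by_hash.values() if len(names) > 1),
        "skipped": skipped,  # surfaced so unparsed accounts are not silently ignored
    }
```

Hashes are compared case-insensitively, and unparsable lines are reported rather than dropped, so an account with a blank or truncated hash still gets manual review.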
Lost or damaged customer confidence
Businesses must handle any merger or acquisition with care from a customer perspective. Any misstep, including in handling cybersecurity during an acquisition or merger, can lead to customer mistrust and lost business.
Data breaches in the acquired environment
As mentioned earlier, a company that has merged with or acquired another company inherits the cybersecurity challenges and risks of the newly acquired environment. These risks include any potential data breaches. Knowledge of a data breach event can even stall or block a potential merger or acquisition once known. Data breach events can also go undisclosed to prevent any issues with the merger or acquisition.
Cybersecurity and compliance checklist for M&A

Form an M&A cybersecurity team
Review the target business cybersecurity posture
Inventory all physical, digital, and data assets of the target organization
Revisit the risk assessment
Engage a third-party security company
1 — Form an M&A cybersecurity team
Businesses often have excellent reasons for engaging in M&A activity. However, as discussed thus far, it can lead to additional cybersecurity risks. Forming an M&A cybersecurity team is a great idea to accelerate addressing the cybersecurity tasks involved with the M&A. This team may report to the CIO and should undoubtedly include cybersecurity leaders found on the security teams and key business leaders within the organization.
This team will be directly responsible for formalizing the reporting structure for addressing the cybersecurity risks discovered with the M&A activity. The team will also help to align the overall business on both sides for a consistent cybersecurity posture.
2 — Review the target business cybersecurity posture
The M&A cybersecurity team mentioned above will be instrumental in reviewing the target business cybersecurity posture. The review of the target organization’s cybersecurity landscape should include:
A cybersecurity risk assessment
Review of security policies and procedures
Recent audit reports
Any breach reports that have happened recently or in years past
Audit of accounts and account access permissions across the organization
3 — Inventory all physical, digital, and data assets of the target organization
To properly understand the cybersecurity risk involved with an M&A of another organization, businesses must understand the complete inventory of all physical, digital, and data assets. Understanding and having a comprehensive inventory of these items allows full disclosure of the cybersecurity risks involved.
4 — Revisit the risk assessment
Any M&A activity means an organization needs to revisit its risk assessment. Even a recent risk assessment is no longer current, for the reasons we have already covered (inherited cybersecurity risk, any security or compliance challenges, etc.).
5 — Engage a third-party security company

The M&A cybersecurity team may include a wide range of technical expertise with a wealth of experience in many cybersecurity disciplines. However, even with talented team members, organizations may opt to engage a third-party security company with the technical and staffing resources to help with cybersecurity discovery, remediation, combining security resources, and many other tasks.
Quickly manage M&A password security during
Password and account security can be challenging to manage and secure during a merger or acquisition of multiple companies. Specops Password Policy provides organizations with tools to secure their native Active Directory infrastructure and any other directory services they may manage.
One of the blind spots with any merger or acquisition can be weak, reused, or even breached passwords lurking as a hidden cybersecurity threat. Specops Password Policy includes Breached Password Protection, which provides continuous scanning and alerting of any breached accounts found in the environment.
Organizations can quickly remediate any lax password policies found in the target organization with Specops Password Policy. It provides the following features:
Multiple custom dictionary lists
Breached Password Protection, protecting against over 2 billion breached passwords. This protection includes passwords found on known breached lists as well as passwords being used in attacks happening right now
Easily find and remove compromised passwords in your environment
Informative end-user client messaging that is intuitive during password changes
Real-time, dynamic feedback at password change with the Specops Authentication client
Length-based password expiration
Customizable email notifications
Block user names, display names, specific words, consecutive characters, incremental passwords, and reusing a part of the current password
GPO-driven targeting for any GPO level, computer, user, or group population
Passphrase support
Over 25 languages supported
Use Regular Expressions for further password filter customization
Specops Password Policy Breached password protection
By bolstering password security in target environments, businesses can protect mergers and acquisitions from one of the most common vulnerabilities leading to compromise. Learn more about or start a free trial of Specops Password Policy tools with Breached Password Protection.