Cyber Risks During Mergers & Acquisitions
During a merger or acquisition, insurance policies and finances need to be scrutinized and the future of employees addressed. But one big, important risk often put on the back burner is cyber security. It’s unfortunate because a merger or acquisition is a time when company data is at its most vulnerable. Data transfers must proceed without a hitch, or a company can risk damaging their reputation, losing clients and hurting future sales. Additionally, legal responsibilities must be upheld before, during and after the data transfer process.
Use the following checklist to ensure you’ve covered all of your cyber security bases:
- Identify all data assets that will need to be transferred.
- Gather and merge all data standards, policies and processes from employees at both companies.
- Identify potential risks that could occur during data transfer.
- Prior to any data transfers, ensure data is backed up.
- Run background checks on any employee who will be involved in the data transfer process.
- Craft a business continuity plan to prepare for potential data loss or outages during the period when the transfer will be occurring.
- Assign one high-level person the job of overseeing all data transfers. They will have the task of dividing and conquering by assigning one person to each data asset that needs to be transferred.
- Legally transfer ownership of data assets as quickly and completely as reasonably possible.
- Host training sessions on new data standards, policies and processes.
- Update disaster recovery plans, business continuity plans and emergency plans to include newly acquired data assets.
- Update the risk profiles for newly acquired assets.
Preparing for Data Transfer
Planning for data transfer should begin as early in the merger or acquisition process as possible. It’s wise to assign one person the task of overseeing all data transfers so that there’s little room for miscommunication or error. That person can then delegate smaller tasks, such as identifying data assets, identifying potential risks during transfer and making sure the data transfer is in compliance with federal or provincial law. This person should also manage the implementation of the interim business continuity plan so that daily operations are disturbed as little as possible.
Good Practices for Data Transfer
Even if your company is completely prepared for the data transfer, it’s still possible that issues will arise during the process. Here are some good practices to utilize to minimize these risks:
- Try to avoid using any kind of removable media to transfer data from one place to another. If the only method you can use is removable media, then take extreme care to be sure all records are encrypted, especially if they involve personal information.
- If you have any data that isn’t getting transferred, you should dispose of it safely and completely to ensure it cannot be stolen.
- Do not try to move all data at one time. Set small goals to complete every day or week to prevent an overload on your system or large, messy mistakes.
- Consider halting some of your company’s cyber services until all data has been switched over in order to protect the services from being adversely affected by the transfer. Another option would be to run a similar service until data has been transferred.
- Increase protective monitoring systems to prepare for the possibility of a disgruntled employee. Mergers and acquisitions are scary, uncertain times for employees, whose roles are often modified or eliminated to accommodate a new company structure. Update all clearances and access capabilities for employees based on new roles and duties.
Safe and secure data transfer during a merger or acquisition is of utmost importance. Communication is crucial during this time and basic duties and responsibilities should be quickly laid out. Importantly, ensure your new and existing clients know that you’re keeping their data safe.
- A Risky Game of Hide and Seek
- Top Three Due Diligence Items When Acquiring a Staffing Agency or PEO
- Cyber & Privacy Liability: Part 1 Webcast
- Cyber & Privacy Liability: Part 2 Webcast
- Cyber Liability for PEOs
- Cyber Takes Two to Tango
- It’s Not About the Money: Sony’s Cyber Attack
- Modeling Cyber Exposure
ABOUT THE AUTHOR