Mergers and Acquisitions: What About Security?

Tips to Ensure Risk Management Isn't Lost in the Shuffle of Other Transitional Issues

What happens to information security when a financial institution is involved in a merger or acquisition?
For Bill Poatevint, information security officer at United Community Banks, Inc. (UCBI), an 8.1 billion multi-bank holding company based in Georgia, the answer is short: "Everything comes to a screeching halt!" he says. Poatevint was involved in a recent merger and acquisition (M&A) when GB&T Bancshares Inc. (where Poatevint was previously employed as an information security officer) was taken over by SunTrust Bank, based in Atlanta, in November of 2007; the closing was finally completed in August of 2008.
In an employee meeting, Poatevint was given the M&A news, and to his surprise nothing else was mentioned at any time afterward regarding security controls, ongoing projects, data migration and so on. "Strangely, I was just sitting there waiting for someone to get me involved," says Poatevint.
Remote Deposit Capture was one of the projects Poatevint was working on, and it came to a sudden halt without any due diligence or team discussion. SunTrust Bank's IT and security team came in a month after the M&A was announced and looked into data migration and the existing security policies and programs. But there was no exchange of communication between team members (except at the very highest level) at the acquiring and the acquired institution. The attitude was more along the lines of "let's get this over with." By March 2008, most GB&T employees knew that they would be laid off, and they had until August to look for new jobs.
This is a typical M&A scenario at a financial institution: employees, especially at the acquiree end, feel intruded upon, left out and suddenly like outsiders in their own workplace. What is often missing is the entire history of crucial details pertaining to security controls, customer privacy, risk profile, audit and regulatory compliance, along with the open communication and planning that needs to be part of every M&A event.
"Security in an M&A works best when it is invited to discussion at the table as early as possible," says Kenneth Newman, a bank security expert with ISACA who has been part of several M&A episodes within financial institutions. Newman adds that high-level discussions need to take place from the IT and security perspective as soon as the M&A is announced, which then results in assembling an efficient due diligence team that is mainly responsible for:
- Putting a framework in place to level-set and measure security controls at every step of the way;
- Performing a gap analysis to know where the overlaps and gaps are, and accordingly creating action plans to eliminate those gaps and open holes;
- Identifying the essential security risks in moving information, analyzing how those risks are assessed, and creating a risk profile of the changed or new controls;
- Identifying the key security areas and processes that need immediate attention and focus, based on a logical rationalization of what supports the business and its various processes;
- Looking into how data can be migrated within the set security controls and the parameters around defined assets;
- Analyzing which new controls need to be implemented and strengthened in the combined entity;
- Ensuring that incident detection and response are effectively monitored, coupled with content monitoring and filtering, to avoid becoming a prime target for security incidents and fraud;
- Ensuring that auditors and the compliance team are involved in the process, typically examining standards and matching frameworks, understanding the change of controls and the risk involved in the integration, and evaluating the relevant audit and regulatory examination documents;
- Evaluating security projects that are active and ongoing at the acquiree institution by coming together as a security department, analyzing all projects on the table, and then making business decisions based on risk profile, project overlap and the like.
Aspects of information security and customer privacy that are often overlooked (at the acquiree end) in an M&A at a bank or financial institution include:
- Data repository and data storage areas: Most institutions have an IT foundation in place, implementing appropriate controls and an effective software development life cycle (SDLC) methodology that ensures regulatory compliance. But the distribution of, and control around, personal information and the mapping of critical assets in the data repositories is often overlooked. For example, institutions usually look at historical areas when integrating controls, but often forget to map isolated departments such as marketing, which carries confidential customer information and has its own controls. Here the strength of the controls comes into question, and the institution becomes vulnerable to security incidents and the compromise of valuable information.
- External connectivity and external points of entry to and from the organization, such as third-party vendors and business partners: Institutions should look into investing in understanding and monitoring these controls more effectively.
Management and senior IT/security executives such as the chief information officer (CIO) or the chief information security officer (CISO) play a significant role in ensuring that security gets its due share of attention and focus in an M&A and is part of the new business plan and objectives of the combined institution. They typically need to address questions such as: What does this change mean for the organization's risk profile, tolerance, strategy and direction? How does it change the overall security and business programs and processes within the institution? They cannot think only from a technical perspective; they need to incorporate business logic and thought into their leadership approach.
Management should also communicate with employees openly and realistically, notifying them of the changes ahead and getting them involved in the whole M&A process, so that employees do not feel disgruntled, let down or isolated. Such feelings can eventually lead to grievances and actions taken by individuals that cause irreparable damage to the firm.