Corporate mergers and acquisitions (M&A) are on the upswing according to the latest EY-Parthenon Deal Barometer, which predicts a 12% increase in corporate M&A activity in 2024. There are a number of reasons why organizations are being acquired and/or merging, but EY claims part of the rise is due to organizations bolstering their product portfolios with AI and other technologies. Regardless of the reasons, organizations have a responsibility to not only their stakeholders, but also their customers, to prioritize data due diligence prior to a merger or acquisition.
What happens to sensitive customer and corporate data should be a top concern for organizations. The question is whether data governance and cybersecurity best practices are taking a backseat as companies go through the tumultuous process of merging with another organization or an acquisition. Adhering to cybersecurity and data governance best practices prior to an M&A can be an effective way to mitigate the impact and fallout from a data breach and ensure the security of an organization's customer and corporate data.
M&A success depends on data governance best practices
The importance of data due diligence during the acquisition process, including assessment of security controls and protections, was in the spotlight in 2018 when Marriott announced it was hit with one of the largest data breaches in history, affecting about 500 million, after its acquisition of Starwood Hotels.
For at least four years, hackers had access to a database belonging to Starwood Hotels and Resorts, which Marriott acquired in 2016. The breach affected more than 130 million records, according to court documents. The class action lawsuit(s) are still winding their way through the courts.
Not only was personal information compromised, so was the brand equity Marriott spent decades building. The breach also made it clear that data governance and management, as well as cybersecurity protections, must be a top priority before the ink is dry on an acquisition or merger deal. Regardless of the industry, organizations being acquired must also spend the time and resources conducting due diligence on the acquirer because in the case of a breach, they can also be held liable for non-compliance and/or violations of consumer privacy laws, including the GDPR and the California Consumer Privacy Act (CCPA). The company being acquired should evaluate the acquiring organization's data privacy practices, policies, and compliance history as well as ensure the acquiring organization has adequate data security measures in place. The organization should also work with the acquirer to develop a plan for integrating data privacy practices between the two organizations.
Preparation priorities for companies being acquired
When companies merge or are acquired, handling data appropriately is critical to ensure compliance with legal regulations, data integrity, and the security of customer and company information. It's imperative for companies to follow best practices prior to a merger or acquisition to ensure the security of both customer and corporate data, which includes:
- Data Asset Audit:
  - Performing an audit identifies all data assets, including customer information, intellectual property, employee records, and operational data
  - It also evaluates the accuracy, completeness, and relevance of the data and pinpoints sensitive information that requires special handling, such as personal data, financial information, and proprietary business information
- Maintain Legal and Regulatory Compliance:
  - Evaluate the acquiring organization's data privacy practices, policies, and compliance history
  - Review relevant data protection laws and regulations, such as GDPR, CCPA, or industry-specific requirements
  - Examine existing contracts to identify data-related obligations and restrictions
  - Ensure that appropriate consents have been obtained for data use, especially if data will be used in new ways post-merger
- Prioritize Data Security:
  - Perform a thorough security assessment to identify potential vulnerabilities and restrict access to sensitive data to authorized personnel only
  - Ensure robust security measures are in place, such as encryption, access controls, and monitoring
  - Establish robust network security measures, such as firewalls, intrusion detection systems, and secure communication channels
  - Create and/or update a data breach response plan to address potential security incidents
- Develop a Data Integration Plan:
  - Map out how data from both organizations will be integrated, including matching data formats and structures
  - Clean and de-duplicate data to ensure consistency and avoid storing redundant information
  - Work with the acquiring company to develop a data migration process, including timelines, resources, and tools required
- Data Retention and Disposal:
  - Review and align data retention policies between the organizations
  - Ensure only necessary data that must be retained for legal, financial and compliance purposes is retained, and redundant, obsolete and trivial (ROT) data is disposed of properly using auditable data sanitization
- Communicate Clearly with Stakeholders:
  - It's important to keep employees informed about how data will be handled, any changes to data access, and security protocols
  - It's equally important to promptly notify customers about the merger or acquisition and explain how their data will be used and protected
  - Finally, inform relevant regulatory authorities about the merger or acquisition and any changes to data handling practices
The focus on cybersecurity and data governance doesn't end once the merger or acquisition is complete. The acquirer must establish a unified data governance framework that includes data ownership, policies, and procedures. And if they haven't already, the organization should establish a new "steward" or data protection officer who will own the management and protection of data, including the implementation of continuous monitoring to ensure compliance with data policies and regulations.
Acquirers and organizations being acquired can better manage liability for data breaches during mergers by developing and executing a data due diligence plan based on industry best practices. Not only will both entities safeguard their operations and brand reputation, they will maintain the stakeholder trust that took years or decades to cultivate and lay the groundwork for success post-acquisition.
About the author
Fredrik Forslund currently serves as Vice President and General Manager of International Sales for Blancco Technology Group. Fredrik brings over 20 years of experience in IT security. This includes most recently leading Blancco's data center and cloud erasure initiatives and before that, founding SafeIT, a security software company specializing in encryption and selective data erasure. His experience also includes serving as a management consultant for McKinsey & Company.