An alternative integration strategy in the era of heightened cybersecurity risks

Viewing 1 post (of 1 total)
  • Author
  • #99689
    Mark Butikofer

    Historically, a “standalone” acquisition made sense for a variety of business reasons – and still does.

    The question is raised concerning whether the target company, post-Close, should continue on with their existing IT environment & Cybersecurity program & practices – assuming they have a formal Cybersecurity program – independent of the Parent company’s IT -and- especially, relating to cybersecurity standards and governance.

    When there is not a significant interplay / interaction / collaboration between the acquired company and the enterprise, the business unit may assess the significant costs related to IT infrastructure integration (adopting the parent company’s IT infrastructure standards -and- changing out the target’s IT infrastructure to be in alignment with the parent company) and report to the IT Leads of the M&A Deal and state “we’re going to keep them independent, on their own IT infrastructure & Systems”.

    The challenge for any publicly held corporation is that the inherent risks & issues of the target company become the parent company’s concern whether or not they’re integrated. Large enterprises often have enterprise policies & procedures supported by cybersecurity directives, IT controls & policies. For the larger enterprise, significant investments have been made in developing & connecting the enterprise procedures to the cybersecurity directives and IT compliance controls to the actual configuration and management of IT infrastructure and systems.

    An acquired company will likely be held accountable to the same level of standards, policies and controls as the broader enterprise. e.g. If there was a major security breach following post-Close, would the parent company’s name show up in the news and risk damaging the Brand? Increasingly, companies are required to report material cybersecurity incidents (reference:

    Many smaller companies acquired by large companies don’t have formal cybersecurity programs, and even mid-to-larger private companies have weaknesses in comparison to the parent company. Here’s a potential solution – there are a lot of benefits to consider for the target company adopting the parent company’s IT infrastructure & cybersecurity standards, processes, and policies. Up front, the costs can be significant, but over the longer term the smaller company will benefit by leveraging the strengths of the parent company’s investments in IT infrastructure & cybersecurity management -and- the corporate shared services model.

    Thus, you can have, from a business integration standpoint, a “standalone” company, but one that’s leveraging the parent company’s IT infrastructure and cybersecurity capabilities. Oftentimes, the corporate IT group can provide shared services which reduces the costs to bring enterprise level practices to an acquisition.

    Every target needs to be considered individually – particularly their IT and Cybersecurity management capabilities. e.g. there may be some firms which have invested in top-notch IT and cybersecurity management practices -and- could potentially continue to support their own business – independent of the parent company IT organization.

    An evolving model suggests a company could have an “arm’s length” business integration which is still leveraging a corporate-driven & supported IT infrastructure and cybersecurity implementation.
