An alternative integration strategy in the era of heightened cybersecurity risks

  • #99689
    Mark Butikofer
    Participant

    Historically, a “standalone” acquisition made sense for a variety of business reasons – and still does.

    The question is raised concerning whether the target company, post-Close, should continue on with their existing IT environment & Cybersecurity program & practices – assuming they have a formal Cybersecurity program – independent of the Parent company’s IT -and- especially, relating to cybersecurity standards and governance.

    When there is not a significant interplay / interaction / collaboration between the acquired company and the enterprise, the business unit may assess the significant costs related to IT infrastructure integration (adopting the parent company’s IT infrastructure standards -and- changing out the target’s IT infrastructure to be in alignment with the parent company) and report to the IT Leads of the M&A Deal and state “we’re going to keep them independent, on their own IT infrastructure & Systems”.

    The challenge for any publicly held corporation is that the inherent risks & issues of the target company become the parent company’s concern whether or not they’re integrated. Large enterprises often have enterprise policies & procedures supported by cybersecurity directives, IT controls & policies. For the larger enterprise, significant investments have been made in developing & connecting the enterprise procedures to the cybersecurity directives and IT compliance controls to the actual configuration and management of IT infrastructure and systems.

    An acquired company will likely be held accountable to the same level of standards, policies and controls as the broader enterprise. e.g. If there was a major security breach following post-Close, would the parent company’s name show up in the news and risk damaging the Brand? Increasingly, companies are required to report material cybersecurity incidents (reference: https://www.sec.gov/news/statement/gerding-cybersecurity-disclosure-20231214).

    Many smaller companies acquired by large companies don’t have formal cybersecurity programs, and even mid-to-larger private companies have weaknesses in comparison to the parent company. Here’s a potential solution – there are a lot of benefits to consider for the target company adopting the parent company’s IT infrastructure & cybersecurity standards, processes, and policies. Up front, the costs can be significant, but over the longer term the smaller company will benefit by leveraging the strengths of the parent company’s investments in IT infrastructure & cybersecurity management -and- the corporate shared services model.

    Thus, you can have, from a business integration standpoint, a “standalone” company, but one that’s leveraging the parent company’s IT infrastructure and cybersecurity capabilities. Oftentimes, the corporate IT group can provide shared services, which reduces the costs to bring enterprise level practices to an acquisition.

    Every target needs to be considered individually – particularly their IT and Cybersecurity management capabilities. e.g. there may be some firms which have invested in top-notch IT and cybersecurity management practices -and- could potentially continue to support their own business – independent of the parent company IT organization.

    An evolving model suggests a company could have an “arm’s length” business integration which is still leveraging a corporate-driven & supported IT infrastructure and cybersecurity implementation.

    #104042
    Terry Hall
    Participant

    Hi Mark,

    You bring up an essential point about integrating IT and cybersecurity post-acquisition, particularly when considering whether an acquired company should continue with its existing IT environment and cybersecurity practices or integrate into the parent company’s infrastructure.

    While there are certain scenarios where maintaining a standalone IT system for the acquired company might seem beneficial, it’s crucial to understand the significant risks it introduces, especially for publicly held corporations. As you rightly pointed out, any cybersecurity incidents in the acquired company could have far-reaching consequences, impacting the parent company’s reputation and potentially leading to regulatory scrutiny.

    Ultimately, the strategy should be flexible enough to provide security and integration where necessary while allowing autonomy where it is safe and beneficial. This “arm’s length” integration approach could be the optimal solution, balancing the need for control and oversight with the benefits of independence.

    #104656
    Steve
    Participant

    This is a critical topic to address given the significant risk to cyber security. Tackling this with “forensic” IT information security assessments is just the beginning of the journey and the ability to mitigate gaps quickly is the second priority. In most cases, we eventually need to install a new network in the target company’s location to provide the appropriate protection of sensitive data.
