
2/8/2020 The Role of Information Security in a Merger/Acquisition

https://www.bankinfosecurity.com/

The Role of Information Security in a Merger/Acquisition
Tom Field (Security Editor) • June 3, 2008 • 11 minutes

Mergers and acquisitions are a way of life for financial institutions, and so many
pertinent business issues bubble up whenever an M&A is discussed.
But when does information security enter the discussion?

Not early enough, says Nalneesh Gaur of Diamond Management & Technology Consultants.
In this interview, Gaur discusses the importance of information security in an M&A, sharing
his insight on:

When information security should enter the M&A discussion;
Who should lead that discussion;
7 key questions to ask re: information security in an M&A activity.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group.
The topic today is security in a merger or acquisition, and we are talking with Nalneesh
Gaur, principal with Diamond Management and Technology Consultants. Nalneesh, thanks
so much for joining me today.

NALNEESH GAUR: Glad to be here, Tom.

FIELD: Now this topic is coming up in timely fashion with the news about Wachovia
yesterday. We could be looking at future mergers and acquisitions before long. I wanted to
ask you, just for setting the context, at what point in a merger and acquisition discussion
does information security typically emerge?

GAUR: Right. Unfortunately the answer is often too late. We've seen cases where as soon
as M&A's are announced, the attackers out there start to scan the network of the merging
companies for vulnerabilities. You see, most merging organizations are focused on assets,
liabilities, finance, patents, etc., and information security tends to be an overlooked area
during the M&A due diligence phase. Although there are signs that the trend is changing for
the better based on our own experience and those of our peers, I don't think we are
there yet.

FIELD: Now I should mention also that you are the Chief Information Security Architect for
Diamond Management and Technology Consultants, so you have got a horse in this race, so
to speak. At what point in an M&A discussion should the topic of information security come
up?

GAUR: Information security should be part of the due diligence process just as intellectual
property became part of due diligence in the 1980s.

Let me explain by sharing an example. In September of 2004 Lexis-Nexis purchased Seisint.
Soon after, about 32,000 Seisint customer accounts were stolen, including celebrities such
as Paris Hilton and Arnold Schwarzenegger. Uncovering this information [risk] before the
merger could have prevented the disaster. Another example, there should be no doubt that
the consequences can be devastating for both merging and merged organizations in terms
of loss of reputation, customer churn and notification costs should personal information be
compromised.

Let me also stress that the objective of information security due diligence is not to rubber
stamp the transaction, but actually provide the business with a complete picture of
information risk so that then they can make the right types of decisions.

FIELD: Now, Nalneesh I know that you have developed some advice for financial institutions
that might be in an M&A procedure. Could you share with us what you told me are your
seven key questions?

GAUR: Right. So we developed seven questions to guide the executive thinking on M&A
information security. The questions delve into what we think are often overlooked aspects
of information security during an M&A.

Our first question actually takes the top down view and it's about--well, let me state the
question. How do we align our information security policies? So, really companies have
three options here. One is they would opt one policy is worth [more than] the other, the
second is to write the policies from scratch, and the third one is to consolidate the policies.
And what we feel is that given the policies evolve over time, the last option, which is
consolidation, is usually the way to go. Once policies are aligned, then gaps must be
assessed to develop a new information security strategy and then take it from that point
forward.

The second question is focused on access. Here banks should be asking what measures
should we take to rationalize identity and access for employees and contractors? There are
big ramifications here because 1) neglected network connections between the trusted
partners, often the merging and merged banks, could wreak havoc. And then secondly, but
most importantly, as their jobs are eliminated, former employees with detailed knowledge
of internal systems may pose a threat, too. So at the network level we are talking about
reviewing and cleaning out firewall rules for both wired and wireless topologies. But access
control must also be reviewed, as systems applications and database software and any
revoked access and terminated employees must be cleaned out. Something really basic, yet
sadly enough we see this so often that we should point it out. And then one other thing that
I would like to point out here is we should call out that for publicly traded banks, user
access control testing is also part of the SOX testing, which is done only for the financially
relevant systems, and for this banks should first rationalize the new list of SOX-relevant
systems and then perform user access testing on those systems. So, that was our second
question.

Our third question is focused on the customer, and here the financial institution should be
asking, how should we maintain the customer trust? So first there is a case of efficiency.
Even if you don't look at security, just looking at a vision, say, customers simply expect it. But
from a security perspective, information security executives should take every measure to
prevent social engineering attacks, including a time to educate customers and customer-
facing personnel. After all, you don't want a scenario where a phisher cons a customer into
providing the information in the guise of reconciling identities.

The fourth question has to do with the incident response. Here businesses should be
asking how should we integrate our monitoring and incident response capabilities? It is
paramount here that merging banks respond swiftly and in a coordinated manner to
information security incidents, otherwise we could have two sides pointing fingers at each
other while the bad guys continue to cause damage. In addition to the obvious fallout,
incidents could undermine the trust between the two parties and make Wall Street skittish
about the deal in general. Also, as it relates to the recent Red Flag Ruling, the incident
response plan and technology dependencies will need to be devised for the newly merged
bank.

Our fifth question is about protecting sensitive information, including the personally
identifiable information, or something that is popularly known as PII. And the question here
is, what is the short and long term endpoint security solution for the combined enterprise?
And I must admit that this is one of the most technical of the seven questions. By endpoint
we mean devices such as desktops, laptops and smartphones, however, given the focus of
financial institutions on preventing identity theft, this area deserves special attention, and
that is why I am bringing it up. It is likely that one of the merging organizations has a weak
endpoint security solution, and the weak side introduces several vulnerabilities that must
be addressed both in the short term and long term. Note that this also has policy
implications.

The sixth question is focused on vendors. We must not forget that vendors play a major
role in inspecting our banks' information assets. So the question here is, what information
security standards should we stipulate for our vendors, and how should we enforce them?
The idea here is to apply the right amount of rigor by specifying and enforcing the vendor
standards or adopting a new approach to vendor information security management.

Now the seventh and the last question is on governance. And here the bank should ask,
who will/how will information security be governed? So here the idea is to make sure that
roles and responsibilities are well defined, the size of the merged information security
organization is rationalized, and then the compositions of the decision making committees
or any type of information security workgroups are defined.

So, CISOs, CSOs and other information security leaders should be asking these key
questions during the M&A due diligence stage. So those are my seven questions, Tom, that
I would think that most leaders should be thinking about.

FIELD: That's good. I'm sitting here thinking to myself, okay, identity theft, red flags, vendor
management, incident response and you are ticking them off one by one, so you are hitting
all the issues I thought you probably would hit.

Now let me ask you, of these questions, where do you typically find institutions being
strong, and what might they be overlooking in following through those points?

GAUR: You know, actually I think that of the seven questions the last one probably gets
addressed mostly, and the other areas tend to be ignored in one fashion or the other.
Because when organizations are merging, people are thinking about how the groups--well,
the first thing they are thinking about is how do we organize our groups, what is the work
structure going to look like, but the other areas tend to get overlooked such as access
management, customer perspective, the vendor management. That is what I would say, and
that is the reason why we listed the others, but even in the governance area things like the
different committees and how decisions are made, if those things are done early enough,
then I think banks would be very successful.

FIELD: When information security does come up as a discussion point, who do you find is
typically leading the discussion, and who should be leading that discussion?

GAUR: That is a really good question, Tom. Business should advise the information security
due diligence, but much of the legwork must be done by information security and IT
security folks. But more specifically, businesses involved in understanding information risk
and making the decisions to accept, mitigate or transfer risk. You know, these are typical
ways to treat a risk and business makes those decisions. Information security assesses,
oversees and interprets information risks and IT security performs assessment of IT
controls. So that in a nutshell is how we think or see different groups play the different
roles.

Now in a particular organization they might be structured differently, but by and large there
should be groups within the organization that are addressing these three areas. In a
business, of course, there are different groups that are focused on business, but a group
that is focused on information security and another group that is probably focused on IT
security.

FIELD: So, if you could boil it all down to a piece of advice, Nalneesh, if my institution is
embarking on a new M&A activity, what should I do first to ensure that information security
is paid the attention that it is due?

GAUR: What we would say is involve the information security during the due diligence
process to uncover information risk exposures to the combined enterprise. Act swiftly on
risk mitigation measures that business approves; there is no point in delaying that.

Also, M&A information security is not an act of individual heroism. So this isn't something
where you give it to one person and expect them to come back after three weeks and expect it all
to be done. What you need here is dedicated objective experienced resources to ensure
M&A success. We say this because in this day and age security breaches can be expensive,
resulting in lost customers and damaged reputation; therefore, we feel that it takes to
understand information before a merger.

FIELD: Makes sense. Nalneesh, it's good, timely advice and I appreciate your time and your
insight today.

GAUR: Thank you, Tom. I enjoyed the conversation.

FIELD: We've been talking with Nalneesh Gaur, Principal with Diamond Management and
Technology Consultants. The topic has been information security in an M&A. For
Information Security Media Group, I'm Tom Field. Thank you very much.

© 2020 Information Security Media Group, Corp. https://www.bankinfosecurity.com/ Toll Free: (800) 944-0401
