The Role of Information Security in a Merger/Acquisition
But when does information security enter the discussion?
Not early enough, says Nalneesh Gaur of Diamond Management & Technology Consultants. In this interview, Gaur discusses the importance of information security in an M&A, sharing his insight on:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is security in a merger or acquisition, and we are talking with Nalneesh Gaur, principal with Diamond Management and Technology Consultants. Nalneesh, thanks so much for joining me today.
NALNEESH GAUR: Glad to be here, Tom.
FIELD: Now this topic is coming up in timely fashion with the news about Wachovia yesterday. We could be looking at future mergers and acquisitions before long. I wanted to ask you, just for setting the context, at what point in a merger and acquisition discussion does information security typically emerge?
GAUR: Right. Unfortunately the answer is often too late. We've seen cases where as soon as M&As are announced, the attackers out there start to scan the network of the merging companies for vulnerabilities. You see, most merging organizations are focused on assets, liabilities, finance, patents, etc., and information security tends to be an overlooked area during the M&A due diligence phase. Although there are signs that the trend is changing for the better, based on our own experience and those of our peers, I don't think we are there yet.
FIELD: Now I should mention also that you are the Chief Information Security Architect for Diamond Management and Technology Consultants, so you have got a horse in this race, so to speak. At what point in an M&A discussion should the topic of information security come up?
GAUR: Information security should be part of the due diligence process just as intellectual property became part of due diligence in the 1980's.
Let me explain by sharing an example. In September of 2004 Lexis-Nexis purchased Seisint. Soon after, about 32,000 Seisint customer accounts were stolen, including celebrities such as Paris Hilton and Arnold Schwarzenegger. Uncovering this information [risk] before the merger could have prevented the disaster. As another example, there should be no doubt that the consequences can be devastating for both merging and merged organizations in terms of loss of reputation, customer churn and notification costs should personal information be compromised.
Let me also stress that the objective of information security due diligence is not to rubber stamp the transaction, but actually provide the business with a complete picture of information risk so that then they can make the right types of decisions.
FIELD: Now, Nalneesh I know that you have developed some advice for financial institutions that might be in an M&A procedure. Could you share with us what you told me are your seven key questions?
GAUR: Right. So we developed seven questions to guide the executive thinking on M&A information security. The questions delve into what we think are often overlooked aspects of information security during an M&A.
Our first question actually takes the top-down view and it's about--well, let me state the question. How do we align our information security policies? So, really companies have three options here. One is to opt for one policy [over] the other, the second is to write the policies from scratch, and the third one is to consolidate the policies. And what we feel is that given that policies evolve over time, the last option, which is consolidation, is usually the way to go. Once policies are aligned, then gaps must be assessed to develop a new information security strategy and then take it from that point forward.
The second question is focused on access. Here banks should be asking what measures should we take to rationalize identity and access for employees and contractors? There are big ramifications here because 1) neglected network connections between the trusted partners, often the merging and merged banks, could wreak havoc. And then secondly, but most importantly, as their jobs are eliminated, former employees with detailed knowledge of internal systems may pose a threat, too. So at the network level we are talking about reviewing and cleaning out firewall rules for both wired and wireless topologies. But access control must also be reviewed, as systems, applications and database software and any revoked access for terminated employees must be cleaned out. Something really basic, yet sadly enough we see this so often that we should point it out. And then one other thing that I would like to point out here is we should call out that for publicly traded banks, user access control testing is also part of the SOX testing, which is done only for the financially relevant systems, and for this banks should first rationalize the new list of SOX-relevant systems and then perform user access testing on those systems. So, that was our second question.
Our third question is focused on the customer, and here the financial institution should be asking, how should we maintain the customer trust? So first there is a case of efficiency. Even if you don't look at security, just looking at a vision, say, customers simply expect it. But from a security perspective, information security executives should take every measure to prevent social engineering attacks, including taking time to educate customers and customer-facing personnel. After all, you don't want a scenario where a phisher cons a customer into providing the information in the guise of reconciling identities.
The fourth question has to do with the incident response. Here businesses should be asking how should we integrate our monitoring and incident response capabilities? It is paramount here that merging banks respond swiftly and in a coordinated manner to information security incidents, otherwise we could have two sides pointing fingers at each other while the bad guys continue to cause damage. In addition to the obvious fallout, incidents could undermine the trust between the two parties and make Wall Street skittish about the deal in general. Also, as it relates to the recent Red Flag Ruling, the incident response plan and technology dependencies will need to be devised for the newly merged bank.
Our fifth question is about protecting sensitive information, including the personally identifiable information, or something that is popularly known as PII. And the question here is, what is the short and long term endpoint security solution for the combined enterprise? And I must admit that this is one of the most technical of the seven questions. By endpoint we mean devices such as desktops, laptops and smartphones, however, given the focus of financial institutions on preventing identity theft, this area deserves special attention, and that is why I am bringing it up. It is likely that one of the merging organizations has a weak endpoint security solution, and the weak side introduces several vulnerabilities that must be addressed both in the short term and long term. Note that this also has policy implications.
The sixth question is focused on vendors. We must not forget that vendors play a major role in inspecting our banks' information assets. So the question here is, what information security standards should we stipulate for our vendors, and how should we enforce them? The idea here is to apply the right amount of rigor by specifying and enforcing the vendor standards or adopting a new approach to vendor information security management.
Now the seventh and the last question is on governance. And here the bank should ask, who will/how will information security be governed? So here the idea is to make sure that roles and responsibilities are well defined, the size of the merged information security organization is rationalized, and then the compositions of the decision making committees or any type of information security workgroups are defined.
So, CISOs, CSOs and other information security leaders should be asking these key questions during the M&A due diligence stage. So those are my seven questions, Tom, that I would think that most leaders should be thinking about.
FIELD: That's good. I'm sitting here thinking to myself, okay, identity theft, red flags, vendor management, incident response and you are ticking them off one by one, so you are hitting all the issues I thought you probably would hit.
Now let me ask you, of these questions, where do you typically find institutions being strong, and what might they be overlooking in following through those points?
GAUR: You know, actually I think that of the seven questions the last one probably gets addressed mostly, and the other areas tend to be ignored in one fashion or the other. Because when organizations are merging, people are thinking about how the groups, well, the first thing they are thinking about is how do we organize our groups, what is the work structure going to look like, but the other areas tend to get overlooked such as access management, customer perspective, the vendor management. That is what I would say, and that is the reason why we listed the others, but even in the governance area things like the different committees and how decisions are made, if those things are done early enough, then I think banks would be very successful.
FIELD: When information security does come up as a discussion point, who do you find is typically leading the discussion, and who should be leading that discussion?
GAUR: That is a really good question, Tom. Business should advise the information security due diligence, but much of the legwork must be done by information security and IT security folks. But more specifically, businesses are involved in understanding information risk and making the decisions to accept, mitigate or transfer risk. You know, these are typical ways to treat a risk and business makes those decisions. Information security assesses, oversees and interprets information risks and IT security performs assessment of IT controls. So that in a nutshell is how we think or see different groups play the different roles.
Now in a particular organization they might be structured differently, but by and large there should be groups within the organization that are addressing these three areas. In a business, of course, there are different groups that are focused on business, but a group that is focused on information security and another group that is probably focused on IT security.
FIELD: So, if you could boil it all down to a piece of advice, Nalneesh, if my institution is embarking on a new M&A activity, what should I do first to ensure that information security is paid the attention that it is due?
GAUR: What we would say is involve the information security during the due diligence process to uncover information risk exposures to the combined enterprise. Act swiftly on risk mitigation measures that business approves; there is no point in delaying that.
Also, M&A information security is not an act of individual heroism. So this isn't something where you give it to one person and expect them to come back after three weeks and expect it all to be done. What you need here is dedicated, objective, experienced resources to ensure M&A success. We say this because in this day and age security breaches can be expensive, resulting in lost customers and damaged reputation; therefore, we feel that it takes to understand information before a merger.
FIELD: Makes sense. Nalneesh, it's good, timely advice and I appreciate your time and your insight today.
GAUR: Thank you, Tom. I enjoyed the conversation.
FIELD: We've been talking with Nalneesh Gaur, Principal with Diamond Management and Technology Consultants. The topic has been information security in an M&A. For Information Security Media Group, I'm Tom Field. Thank you very much.