Planning for cybersecurity cloud across the entire M&A deal life cycle
The modern M&A team needs to adapt new cloud standards and cybersecurity strategies to secure operations while enabling efficiency and optimizing ROI across the enterprise. The promise of the cloud paradigm is to provide a decentralized, constantly available suite of infrastructure environments. A cybersecurity cloud initiative allows a newly formed company to maximize its value and ensure success.
Two of the most high-profile topics in technology management are cloud computing and cybersecurity, both of which are essential to the foundation of a modern corporate entity. It makes sense that they are intertwined: cloud places data in a dynamically redundant place, meaning the cloud vendor maintains the data across a vast number of locations and environments; cybersecurity guards the integrity and security of that data across the cloud vendor’s environments.
This becomes all the more critical with more data than ever moving permanently to the cloud. Companies have doubled overall cloud storage in the last 5-7 years, from 30% to 65% of their total data corpus. While the cloud paradigm is more decentralized and inherently less vulnerable to data loss than traditional models, with their fixed location and the limited availability of a data-center asset, its sheer complexity and expansive network architecture can make it prone to security flaws. The more extensive and diversified a cloud network becomes, the larger the “surface area” of possible weaknesses from a cybersecurity vantage point.
Consider cybersecurity cloud before an M&A deal is signed
Private equity (PE) operators are eager to get immediate value after an acquisition, so it’s critical the cybersecurity cloud strategy provides efficiencies which realize value quickly and ensure stability.
Once an M&A deal is moving forward, technical due diligence becomes one of the priorities for approving the investment.
The sooner deal professionals can get a view of the target entity’s security program and posture, the faster the new entity’s valuation can be completed. Best practice suggests PE and corporate M&A sponsors start this process as early as possible, while the proverbial “ink” is still drying. This suggestion is driven by historic cybersecurity incidents, where target entities were targeted by cyber criminals as soon as the deals were made public.
Initial steps should include Cyber Maturity Assessments, penetration tests, and intrusion detection tests. These processes will reveal cyber weaknesses or security flaws, which could spell disaster for the new entity during or after separation, transition, or integration of the target business units in play. While cloud is the de facto standard for storage and dynamic access, the new entity may not be prepared for the intricacies of managing cloud architectures and distributed access points. Compounding any security vulnerabilities, the target entity’s leadership can be overly trusting of its cybersecurity posture. In fact, a recent study indicates the following:
“…the more successful a company is and the more confident its executives feel about its posture toward both internal cyber risks and external hacker threats, the more likely the company is to trust its data and processes to the cloud.”
But the reality is that “confidence” does not really equal “security.” To bring actual cybersecurity maturity up to leadership’s confidence level, M&A leaders and deal sponsors should include Single Sign-On (SSO) and Cloud Infrastructure Entitlements Management (CIEM) in the cyber cloud strategy to manage authentication and privileged access. In addition, internal cybersecurity policies should be updated to include controls for the use of cloud with information management, data privacy, and access security protocols. Lastly, the Governance, Risk and Compliance (GRC) team and tools should be updated accordingly.
Planning cybersecurity cloud as the deal close approaches
Once the pre-deal stage is reached and the transaction is signed, the preparation for day 1 can begin. Part of day 1 planning should include a detailed and well-thought-out cybersecurity plan for the company’s acquisition, merger, or separation, which then allows the M&A team’s cybersecurity function to work in tandem with the overall risk management and PMO offices.
The cyber function should plan its own cyber digital roadmap with a focus on cloud-enabled security, which will not only include remediation of risks but also identify opportunities to transform. For example, the roadmap might include tying together disparate application platforms with proprietary authentication methods.
The day 1 plan should design for the future and seek to do more than just roll out new cybersecurity solutions. It can transform existing groups or functions into more cyber-focused teams and workstreams. Cloud-specific TSAs (Transitional Services Agreements) can also be generated to streamline the migration of users to new environments efficiently and securely. Any cloud resources or services that will change ownership or contracts will include a TSA defining how the transition will be facilitated to ensure appropriate uptime and maintain the integrity of user privileges.
Embedding cybersecurity cloud after the deal closes
At this point in the M&A process, forming the new entity should begin, and day 1 plans should be implemented according to the approved roadmaps. The overall roadmap, along with the cybersecurity roadmap, should offer guidance for creating the new entity’s target operating model, including how cloud will be secured in the new entity’s operations.
Steps addressing the provisioning of the overall cyber perimeter and granting access rights should be built into the cybersecurity cloud roadmap. These steps should define timing and effort, key resources, and prioritization during the overall integration or separation process.
As much as possible, M&A leaders and deal sponsors should implement a cloud-first approach. A cloud-first approach focuses on a one-function, one-solution strategy to unify individual workstreams with their own, singular application. Cloud-first initiatives are then implemented via the cybersecurity function within the newly created entity according to the day 1 plan.