How to Manage Cybersecurity Cloud Across the M&A Deal Lifecycle

Dan Davis

Engagement Manager, M&A Services, TCS

James Lemaster

Director, Risk and Cyber Strategy, TCS

Praveen Bhasin

Partner, M&A Services, TCS

Services

Consulting

Highlights

The ubiquity of cloud computing has added a new lens to mergers and acquisitions (M&A) transaction success—the need to plan and implement cloud-focused cybersecurity strategies.
Cloud strategy should be at the forefront of any M&A deal due diligence and deal structuring.
To ensure stability and return on investment of M&A, organizations must align cloud and cybersecurity strategies within each step of the deal process.

End-to-end planning

Planning for cybersecurity cloud across the entire M&A deal life cycle

The modern M&A team needs to adapt new cloud standards and cybersecurity strategies to secure operations while enabling efficiency and optimizing ROI across the enterprise. The promise of the cloud paradigm is to provide a decentralized, constantly available suite of infrastructure environments. A cybersecurity cloud initiative allows a newly formed company to maximize its value and ensure success.

Two of the most high-profile topics in technology management are cloud computing and cybersecurity, both of which are essential to the foundation of a modern corporate entity. It makes sense that they are intertwined: Cloud places data in a dynamically redundant place, meaning the cloud vendor maintains the data across a vast number of locations and environments; Cybersecurity guards the integrity and security of that data across the cloud vendor’s environments.

This becomes all the more critical with more data than ever moving permanently to the cloud. Companies have doubled overall cloud storage in the last 5-7 years, from 30-65% of their total data corpus. While the cloud paradigm is more decentralized and inherently less vulnerable to data loss than traditional models compared to the fixed-location and limited availability of a data-center asset, its sheer complexity and expansive network architecture can make it prone to security flaws. The more extensive and diversified a cloud network becomes, the larger the “surface area” of possible weaknesses from a cybersecurity vantage point.

Pre-sign phase

Consider cybersecurity cloud before an M&A deal is signed

Private equity (PE) operators are eager to get immediate value after an acquisition, so it’s critical the cybersecurity cloud strategy provides efficiencies which realize value quickly and ensure stability.

Once an M&A deal is moving forward, the mechanism of technical due-diligence becomes one of the priorities for approving the investment.

The sooner deal professionals can get a view of the target entity’s security program and posture, the faster the new entity’s valuation can be completed. Best practice suggests PE and corporate M&A sponsors start this process as early as possible, while the proverbial “ink” is still drying. This suggestion is driven by historic cybersecurity incidents, where target entities were targeted by cyber criminals as soon as the deals were made public.

Initial steps should include Cyber Maturity Assessments, penetration tests, and intrusion detection tests. These processes will reveal cyber weaknesses or security flaws, which could spell disaster for the new entity during or after separation, transition, or integration of the target business units in play. While cloud is the de-facto standard for storage and dynamic access, the new entity may not be prepared for the intricacies of managing cloud architectures and distributed access points. Compounding any security vulnerabilities, the target entity’s leadership can be overly trusting of their cybersecurity posture. In fact, a recent study indicates the following:

“…the more successful a company is and the more confident its executives feel about its posture toward both internal cyber risks and external hacker threats, the more likely the company is to trust its data and processes to the cloud.”

-Cyber Confidence TCS Risk & Cybersecurity, 2022

But the reality is “confidence” does not really equal “security.” To bring actual cybersecurity maturity to meet leadership’s confidence level, M&A leaders and deal sponsors should include Single Sign On (SSO) and Cloud Infrastructure Entitlements Management (CIEM) to manage authentication and privileged access with the cyber cloud strategy. In addition, internal cybersecurity policies should be updated to include controls for the use of cloud with information management, data privacy, and access security protocols. Lastly, the Governance, Risk and Compliance (GRC) team and tools should be updated accordingly.

Sign-to-close phase

Planning cybersecurity cloud as the deal close approaches

Once the pre-deal stage is reached and the transaction is signed, the preparation for day 1 can begin. Part of day 1 planning should include a detailed and well-thought-out cybersecurity plan for the company’s acquisition, merger, or separation, which then allows the M&A team’s cybersecurity function to work in tandem with the overall risk management and PMO offices.

The cyber function should plan its own cyber digital roadmap with a focus on cloud-enabled security, which will not only include remediation of risks but also identify opportunities to transform. For example, the roadmap might include tying together disparate application platforms with proprietary authentication methods.

The day 1 plan should design for the future, and seek to do more than just roll out new cybersecurity solutions. It can transform existing groups or functions into more cyber-focused teams and workstreams. Cloud-specific TSAs (Transitional Services Agreement) also can be generated to streamline the migration of users to new environments efficiently and securely. Any cloud resources or services that will change ownership or contracts will include a TSA defining how the transition will be facilitated to ensure appropriate uptime and maintain the integrity of user privileges.

Post-close phase

Embedding cybersecurity cloud after the deal closes

At this point in the M&A process, forming the new entity should begin, and day 1 plans should be implemented according to the approved roadmaps. The overall roadmap, along with the cybersecurity roadmap, should offer guidance for creating the new entity’s target operating model, including how cloud will be secured in the new entity’s operations.

Steps addressing the provisioning of the overall cyber perimeter and granting access rights should be built into the cybersecurity cloud roadmap. These steps should define timing and effort, key resources, and prioritization during the overall integration or separation process.

As much as possible, M&A leaders and deal sponsors should implement a cloud-first approach. A cloud-first approach focuses on a one-function, one-solution strategy to unify individual workstreams with their own, singular application. Cloud-first initiatives are then implemented via the cybersecurity function within the newly created entity according to the day 1 plan.

Long-term strategies

Build long-term strategies for cybersecurity cloud

Each workstream of an M&A project needs to consider the long-term impacts to the new entity which could be caused by increases in volume or market share. Plans should be in place for locking down the cloud environments to minimize or avoid those impacts. In short, M&A professionals should include four strategies during the design and integration planning phase:

Start the design process by prioritizing cloud solutions for data-centric operations.
Designate resources to specifically address cloud digital security.
Integrate cybersecurity with the cloud architecture, including controls for locking down the entire perimeter.
Align the cybersecurity cloud plan with risk management’s risk posture/tolerance and regulatory demands so it fulfills compliance requirements.

Cloud platforms represent the forefront of efficiency and high ROI for a modern company’s core functions, but they are only as valuable as the cyber strategies that secure them. M&A teams need to view them as necessary aspects of the same paradigm to ensure robust, safe operations that maximize productivity, and therefore, investment value.

About the authors

Dan Davis

Dan Davis is a technology strategy and M&A professional with experience in-house and as a consultant for Private Equity, LBO and venture capital firms, focusing on optimizing efficiency and increasing value in target companies. Dan worked with Ernst Young, Centre Partners Management and a municipal bond insurance start-up firm.

write to me

James Lemaster

James has been helping companies manage their information technology and information security risks, for over 25 years. As an active member and leader of TCS Risk & Cyber Strategy practice in Consulting & Services Integration, he’s supported clients across multiple business sectors with solutions for cyber protection, network engineering, security architecture, policy, risk, compliance and organizational change management.

Write to me

Praveen Bhasin

Praveen is a senior leader in TCS’ M&A Services, bringing 20 years of progressive IT and business leadership experience, along with demonstrated success driving multi-million-dollar M&A and Digital Transformation programs.

Write to me

Transformation starts here

Learn how we can help you build cybersecurity cloud into every step of the deal life cycle.

Contact

TCS is here to make a difference through technology.

We’re in it for good, driving positive change for the benefit of all.

Extraordinary expertise leads to remarkable results.

Want to be a global change-maker? Join our team.

Find the latest news about TCS in our Newsroom

Recent Press releases

Recent News

Recent recognitions

Upcoming events

TCS works hand in hand with world-leading investors.