Jan 30, 2025

M&As and Insider Threats: Managing Risk Beyond the Balance Sheet


Mergers and acquisitions (M&As) are akin to dating—two (or more) entities find common ground and decide they are stronger together. The excitement builds, and all parties focus on making it happen. But this is also the moment when the Russian proverb, “trust but verify,” becomes critical: it’s due diligence time.

As executives from security, HR, business, and operations assemble for due diligence, the insider risk management (IRM) teams on both sides should be integral to the process. Their involvement ensures a secure transition and sets the stage for future success.

Significant amounts of sensitive information will change hands, often outside normal cybersecurity and physical security controls. Uncertainty can also breed anxiety among employees, sometimes leading to opposition or even malicious actions.

Due diligence isn’t about “gotcha” moments; it ensures that compliance, privacy, data protection, and cultural considerations are evaluated and addressed before proceeding.

Due Diligence: Risky Business

Where due diligence takes place matters. Many organizations use third-party escrow services or internal clean rooms to house sensitive data. Regardless of location, data should receive the same or greater protection as in its normal state. Adopting least-privileged access principles is essential to restrict access only to those with a validated need to know.

It’s also critical to assess cultural alignment. Any cultural clash may introduce risk; risky behaviors or inadequate security protocols can pose significant threats to the success of the merger.

Compliance and Privacy

M&A transactions often involve regulatory requirements and compliance obligations. In addition, privacy impact assessments should precede any sharing of information.

If a company’s security solutions or IRM program fail to meet regulatory requirements in new operational regions, it’s far better to uncover these gaps during due diligence than to face regulatory scrutiny later. For example, a target company may not have adhered to GDPR if its operations never extended to that market.

Foreknowledge provides the opportunity to remedy and resolve. An IRM program ensures that both companies adhere to these regulations, reducing the risk of legal issues or penalties associated with non-compliance.

Data Protection

The information security solution to data protection during the due diligence process is no less important than the day-to-day protection afforded to the entity. That said, it is important to ensure that data minimization is exercised during the inspection process. One does not need to provide 100 percent of the entity’s archives – only that which advances the M&A process should be shared. This serves two purposes: it minimizes the data that is exposed, and it avoids unnecessary collection, speeding up the due diligence process.

Ground rules are important. The IRM team should manage the clean room as if it were the company’s crown jewel repository. Least-privileged access should be enforced, and a response plan should be in place in case of data mishandling.

Transparency is key. Both companies should inform employees, partners, and customers about how their data will be managed during and after the M&A process.

Lessons from the Field

The 2023 Intelligence and National Security Alliance (INSA) guidance on Managing Insider Risk During M&As highlights real-world cases where insider threats materialized before, during, and after acquisitions/mergers:

  1. The London Ritz Hotel was initially up for sale for over a billion U.S. dollars but sold for significantly less after due diligence revealed that a nephew of one of the owners was conducting corporate espionage. He had planted listening devices in the hotel conservatory to eavesdrop on private conversations.
  2. An unnamed company was selling part of its business, but the IRM team wasn’t engaged until after the sale was announced. By then, employees had already reacted, feeling either aggrieved or relieved. The subsequent assessment highlighted the risks of inheriting a workforce prone to risky behavior.
  3. The infamous case of Anthony Levandowski involved stealing Google’s autonomous vehicle plans when he founded Otto Trucking, which was later acquired by Uber. The case ended with Uber paying Google $245 million in stock, Levandowski being prosecuted and sentenced to prison, and ultimately being pardoned by President Trump in December 2020.
  4. A final example, again from INSA, involves a system administrator who, fearing layoffs post-merger, embedded logic bombs set to detonate six months after the acquisition. Though he was not laid off, he failed to remove them. Fortunately, they were discovered in time, preventing potentially widespread damage to the company and its customers.

Strengthen Your M&A Strategy with Insider Risk Management

Mergers and acquisitions bring exciting opportunities—but they also introduce complexity, especially when it comes to safeguarding intellectual property and maintaining business continuity. Integrating an IRM program early in the process ensures a comprehensive approach to due diligence, helping to identify potential risks and support a smooth transition.

By engaging IRM teams before any internal or public announcements, organizations can proactively assess both entities, strengthen security, and foster transparency. A well-prepared approach not only protects sensitive information but also builds trust and stability, setting the stage for long-term success.

For more information on managing insider risk during M&As, reach out to DTEX.
