
How secure is the transaction? Can unauthorized users gain access to protected information? Are new threats introduced by the current threat posture as a result of this merger or acquisition?

Step 1: Conduct a Policy Gap Analysis

As you begin Step 1 of your system security report on cybersecurity for mergers and acquisitions (M&A), keep in mind that the networks of companies going through an M&A can be subject to cyberattack. As you work through this step and the others, keep these questions in mind:

• Are companies going through an M&A prone to more attacks or more focused attacks?
• If so, what is the appropriate course of action?
• Should the M&A activities be kept confidential?

Now, look at the existing security policies in regard to the acquisition of the media streaming company. You have to explain to the executives that before any systems are integrated, their security policies will need to be reviewed.

Conduct a policy gap analysis to ensure the target company’s security policies follow relevant industry standards as well as local, state, and national laws and regulations. In other words, you need to make sure the new company will not inherit any statutory or regulatory noncompliance from either of the two original companies. This step would also identify what, if any, laws and regulations the target company is subject to. If those laws are different from the laws and regulations the acquiring company is subject to, then this document should answer the following questions:
• How would you identify the differences?
• How would you learn about the relevant laws and regulations?
• How would you ensure compliance with those laws and regulations?

The streaming company that is being acquired has a current customer base of 150,000 users, who on average pay $14.99 in monthly fees. Based on the overall income, use the 12 PCI DSS requirements and the PCI DSS Quick Reference Guide to identify a secure strategy and operating system protections to protect the credit card data.

Select at least two appropriate requirements from the 12 PCI DSS requirements and explain how the controls should be implemented, how they will change the current network, and any costs associated with implementing the change.
This policy gap analysis will be part of the final Cybersecurity System Security Report.
In the next step, you will review the streaming protocols that the companies are using.
Cybersecurity for Mergers and Acquisitions

The goal of successful mergers and acquisitions (M&A) of companies is to integrate the strengths of the two organizations while reducing or minimizing their liabilities to result in greater growth and profit margins for the newly formed organization.
In combining the two entities, the security risks that exist within the individual entities and how they will affect the newly formed organization must be considered. As part of the acquisition process, a cybersecurity due diligence review should be conducted in order to identify all corporate assets that could be compromised through unauthorized access. Next, potential risks must be identified and currently documented risks examined; these risks may take the form of internal risks, external risks, and supply chain risks (Kennedy & Nelson, 2016).

Reviewing records of compliance from regulatory bodies is an important step, as is conducting a comprehensive cybersecurity review of both entities; these activities will provide insight into the security posture of both companies. Audits and penetration testing of critical systems should be conducted, and a clear understanding of the cybersecurity cultures of the companies should be achieved.
Main areas of concern in M&A related to security include physical security, technical security, disaster recovery, and policy and awareness (Hartman, 2002).

Specific questions to be addressed include the following (Ernst & Young, n.d.):

• How secure is the transaction? Can unauthorized users gain access to protected information?

• Are new threats introduced by the current threat posture as a result of this merger or acquisition?

• Are there any new cyber targets or vulnerabilities being introduced by the newly acquired intellectual property?

• Are due diligence and cyber risk profiling being conducted as they relate to cybersecurity effectiveness?

• Do the new employees understand the cyber culture of the organization?

• Will the merger/acquisition be subject to governmental cyber concerns?