Planning a Merger or Acquisition? How to Cover Your Cyber Security Bases

| November 17, 2022

A merger or acquisition can be a challenge from an IT standpoint because it involves integration of systems that previously existed on their own. Cyber security is often put on the back burner, which is unfortunate, because this is a time when company data is at its most vulnerable. Data transfers must proceed without a hitch, or else the companies risk damaging reputation, losing customers and hurting future sales. In addition, legal responsibilities must be upheld before, during and after the data transfer process.

Covering Your Cyber Security Bases:  

Use the following checklist to ensure you’ve covered all of your cyber security bases. 

1. Identify all data assets that will need to be transferred.
2. Gather and merge all data standards, policies and processes from employees at both companies.
3. Identify potential risks that could occur during data transfer and before any data transfers, ensure data is backed up.
4. Assign one high-level person the job of overseeing all data transfers. They will have the task of dividing and conquering by assigning one person to each data asset that needs to be transferred. Once identified, run background checks on any employee (s) who will be involved in the data transfer process.
5. Craft a business continuity plan to prepare for potential data loss or outages during the period when the transfer will be
6. Legally transfer ownership of data assets as quickly and completely as reasonably possible.
7. Host training sessions on new data standards, policies and processes.
8. Update disaster recovery plans, business continuity plans and emergency plans to include newly acquired data assets.
9. Update the risk profiles for newly acquired assets.

Preparing for Data Transfer:

  • Begin early. Planning for data transfer should begin as early in the merger or acquisition process as possible. Having one person in charge of the data transfer will ensure little room for miscommunication or errors. That person can then delegate smaller tasks, such as identifying data assets, identifying potential risks during transfer and making sure the data transfer complies with federal and state law. The person in charge should be aware of the current status of all tasks at all times. This person should also manage the implementation of the interim business continuity plan so that daily operations are disturbed as little as possible. Keep in mind that if the acquired company has already completed portions of the data transfer or consolidation tasks, you should review the work to ensure accuracy.
  • Involve IT employees from acquired company. Consider relocating IT employees from the acquired company early so that they can help with the data transfer and risk identification process, as they will be more familiar with their data and systems. Sufficient time should be mapped out to allow any older data to be converted for use in newer software and programs.
  • Make sure records are up to date. Ensure that your system configuration records are up to date prior to any data transfers or consolidations. This will help isolate any issues that might occur and allow for an effective fix.

Good Practices for Data Transfer: 

  • Avoid removable media. Try to avoid using any kind of removable media to transfer data from one place to another. If this is unavoidable, then take extreme care to be sure all records are encrypted, especially if they involve personal information. If you have any data that isn’t getting transferred, you should dispose of it safely and completely to ensure it cannot be stolen.
  • Do not try to move all data at one time. Set small goals to complete every day or week to prevent an overload on your
    system or large, messy mistakes.
  • Consider halting some of your company’s cyber services until all data has been switched over. This will help protect the
    services from being adversely affected by the transfer. Another option would be to run a similar service until data has been
  • Increase protective monitoring systems to prepare for the possibility of a disgruntled employee. Mergers and acquisitions
    are scary, uncertain times for employees, whose roles are often modified or eliminated to accommodate a new company
    structure. Update all clearances and access capabilities for employees based on new roles.

Safe and secure data transfer during a merger or acquisition is of utmost importance. Communication is crucial during this
time and basic duties and responsibilities should be quickly laid out and assigned to employees before, during and after the

Data transfer is not just about preventing and managing a compromise or interruption to services; you also need to keep your
customers’ and stakeholders’ needs in mind, and to take their concerns into consideration. Most importantly, ensure your new
and existing clients know that you’re keeping their data safe.