
Mergers and Acquisitions

Abstract

Read any newspaper and you will see column after column of analysis and supposition over which company is buying which and who is separating from whom. These transactions may just be temporary news-lines in the business section for many readers, but for the people involved in the process of mergers and acquisitions there is much more to it: many months, if not years, of effort addressing every area of the businesses, their staff and everyone they deal with.

The technology wings are typically involved in most stages of the process and are expected to lead many of the more business-critical projects. Very few IT departments have experience in these areas, significantly increasing the risk, cost and duration of the project. This paper attempts to cover briefly the overall process of a sale or acquisition and touch on some high-risk areas that tend to become pitfalls for the unwary or unprepared.

Overview & summary

The acquisition of a company consists of three distinct phases: pre-acquisition activities, the transaction itself and post-acquisition activities.

Pre-acquisition tasks typically revolve around collating information about the company to be sold, and presenting it to potential purchasers. They then use that information to decide whether to buy and, if so, how much to offer. This is obviously a sensitive exercise. Care needs to be taken to ensure that sensitive commercial information is only released to authorised people - whether they are internal staff members, or potential purchasers.

The transaction itself tends to be mainly legal and financial. Secure communications are essential during this phase.

The bulk of the work comes in the post-acquisition phase. This is when significant management changes occur, business processes change, assets may need to be separated, IT systems need to be integrated and chaos (sometimes) reigns. A few helpful pointers:

Planning:

  • start early and plan the entire process, not just the first stage
  • seek advice (legal, risk management & security).

Secrecy:

  • strict security is hard to maintain for a protracted period; reduce the 'eyes only' phase to an absolute minimum to help avoid uncontrolled information leakages
  • it's business, not national security. Don't get carried away; be pragmatic.

Change management:

  • manage the change in the company, don't react to it
  • start early and involve everyone; involved people are less likely to feel disgruntled.

Threat & risk assessment:

  • identify and profile your assets (people, physical objects & information)
  • identify potential threats early and the likelihood of them occurring.

Controls:

  • design controls that are appropriate to the threat, likelihood and business value of the asset being protected
  • make controls achievable and implementable
  • avoid significant changes to business process, wherever possible
  • make controls self-documenting and define a review component.

M&As versus straight sales

Mergers & Acquisitions

The difference between a merger and an acquisition can be very small and in many cases is purely semantic. It is unusual for a company to pay a huge amount of money for another company, only to leave its staff to 'do their own thing' and turn up only at the AGM. This may not be politically palatable to staff of the newly acquired company, but unfortunately it is true. Similarly, a merger is never perfectly equitable and even - there are always winners and there are always losers. This blatantly obvious truth needs to be carefully considered during the post-acquisition activities and is a significant background to many of the risk management activities during any transition period.

Whenever two companies are brought together, there will be 'border disputes', with some staff concerned for their own jobs and others seeing opportunity for advancement. This is normal human behaviour and should be planned for. As mentioned earlier, it is vitally important to have a well thought-through change management plan worked out and deployed before you start integration tasks. This should reduce the uncertainty around future direction and will ensure that staff are engaged and informed through the entire process. This may not seem like IT security or Risk Management, but addressing the human component is vitally important.

Sales

In the case of a straight sale, the security tasks are greatly simplified: the environment, all the information, all the people and all physical assets will be transferred to a new owner with no separation tasks being required. Despite this, it is still necessary to consider staff resignation risks and potential loss of IP to competitors with this type of transaction.

Pre-acquisition activities

The decision to sell a company is never made lightly and has significant ramifications for the company, its staff and its customers. For this reason, pre-acquisition tasks tend to be conducted in a semi-secret fashion to avoid alarming staff, attracting unwanted press attention (especially in the case of large or publicly listed companies) or affecting future sales and normal business operation. That this initial phase can take several months adds to the complications of completing these tasks confidentially.

Deciding on the degree of secrecy

It is almost impossible to gather all the information for a 'data room' and have the auditors performing due diligence exercises without involving a significant number of people; trying to hide such a significant data gathering exercise can be hard, but is not necessarily impossible. Careful consideration is recommended when deciding on the right approach to take. Machiavellian machinations are not always necessary and sometimes the easiest way to hide a task is to perform it openly. Each company is different in culture and this should be taken into account.

Maintaining strict security for extended periods of time is very difficult and, quite often, unnecessary. From a purely humanistic point of view, uncontrolled leakages of information have a high likelihood of eroding staff confidence and denting morale. It is often far better to discuss opportunities with staff and involve them in the process; staff who feel they are involved in change are less likely to become disgruntled and this alone will reduce your issues moving forwards.

Data rooms

Most 'data rooms' are virtual, in that they are normally secure web sites or portals with access to the company's sales, financial, asset and business information for potential purchasers to analyse. These sites are commonly hosted by the law firm handling the transaction and have stringent controls around access to protect the confidentiality of the information. It is common for advanced cryptographic techniques to be used as a countermeasure against uncontrolled distribution and export of information.

Discussions with the firm handling the 'data room' are strongly recommended to ensure that any solution will meet the requirements of the company for sale, as these services are often outsourced to third parties.

Discussions should cover as a minimum:

  • where it will be hosted
  • by whom
  • on what platform
  • who will administer the site
  • what security regime do they have
  • what access control is being proposed
  • what monitoring of access will occur
  • what security incident controls they have
  • who will be notified of any security incident, and
  • what procedures do they have for the secure destruction of data at the end of the sale.

These are not trivial discussions and it can be valuable to have subject matter experts assist.

Use of email in the pre-acquisition phase

Email is probably the most common communications medium after the telephone and also needs to be protected from unauthorised access. In most businesses, incoming and sometimes outgoing emails are scanned to remove spam and check for viruses and other malware. It is normal practice for the email administrators to check mails 'caught' in filters; this needs to be considered as a risk to maintaining confidentiality during the pre-acquisition phase, and encryption of sensitive emails is a particularly good solution to this challenge.

Announcing the acquisition

At some stage, you have to make the work-force and the general public aware of the intentions to sell or buy a company. Quite often, this is the point where the largest risk exists to maintaining control of communication and the release of information.

Employees have been known to forward internal communiqués or information to friends and this often has unplanned ramifications. There are a number of techniques, such as content scanning, logging and 'watermarking' that can be used to track these unauthorised transmissions of information outside the organisation, but you need to consider the legal issues (such as privacy and workplace surveillance legislation) as well as HR considerations such as staff morale.

Change management

It is advisable to have detailed change management plans in place before engaging with the main corpus of the business. For many staff in an organisation, this will be a time of great turmoil and change; people will be worried about their jobs, their careers and their aspirations. In even the most benign of acquisitions there will be significant changes to normal day-to-day business, and the challenge is to transition through these with the least disruption possible. Start early and ensure you are in control of the changes and communications in and around the company - this should be seen as a positive opportunity!

Post-acquisition activities

Threat and risk assessment

A common starting point in any post-acquisition activity is to conduct a TRA (Threat & Risk Assessment) to define the sensitive assets (people, objects and information), what threats exist and the risk of them occurring. It is important to do this as early and as thoroughly as possible, because it provides a basis for developing appropriate controls and procedures to ensure that any efforts are properly targeted and commensurate with the business value of the assets being protected.

Human resources

During any significant change of management, it is inevitable that some staff will resign and, whether you are the vendor or vendee, one of the significant tasks you face will be managing this process securely. It is worth talking to the HR department early to plan how resignations will be handled.

People resigning due to changes of company ownership are likely to be disgruntled and research has repeatedly shown that most security incidents involve disgruntled employees or ex-employees. It is strongly recommended that both the vendor and the vendee take special consideration to address these risks appropriately. In some cases, it may be worthwhile engaging specialists in this area to help plan, implement and monitor suitable solutions.

Concerns of the seller versus the buyer

De-merging a subsidiary after a sale can be a difficult and contentious period; a three-way trust/mistrust scenario quite often occurs between the old parent company management, the management of the subsidiary and the management of the new parent company. This environment can filter down to staff and highlights the need for good communication and a detailed change management plan to be in place during this entire process.

Depending upon whether you are the vendor or vendee, you will see the post-acquisition activities differently.

There tend to be two sub-phases:

  • separation of the entity from the seller's organisation, and
  • integration of the entity into the buyer's organisation.

These are discussed in the sections below.

Separating the entity from the seller's organisation

During a de-merger you need to identify the assets to be included in the sale, and plan for their separation from the seller's organisation. This is not a trivial task. First, you need to identify the business functions included in the sale and then the IT systems that support those business functions.

IT systems normally rely heavily upon reuse of network, storage and directory components. Replicating or modifying these solutions and their data to facilitate the separation can become extremely involved and detailed, with significant risk and cost associated.

When separating IT systems it is worthwhile considering the following:

  • What directories (e.g. Active Directory) are required for the systems to work in their new environment, and what other, potentially confidential, information will go along with them? How will you classify and resolve this issue? What legal or other ramifications are there?
  • What data needs to be migrated or duplicated? How is this data to be handled, what controls need to be put in place?
  • In what other repositories does this data exist: Backups? Laptops? Removable media? Test or disaster recovery environments? How are they to be handled?
  • When separating physical assets, what procedures are necessary before their release?
  • What licenses need to be novated or procured?
  • What compliance obligations need to be met before, during and after the migration of these systems? Reporting to whom? How will this be achieved?
  • What public facing infrastructure needs to be moved? What are the appropriate controls around this and how will they be affected?
  • What external IT services (such as DNS, NTP, etc.) need to be considered?

This list is obviously not exhaustive, but gives an idea of the depth and breadth of the tasks involved at the purely technical layer. The human layer should also not be ignored, with significant risks needing to be addressed in relation to retaining core staff, protecting IP and ensuring that the undocumented knowledge that keeps the company running is retained.

De-merging a subsidiary or business function is a highly detailed, involved, complicated and intrinsically risky task that should be addressed carefully and methodically. Take advice early and often, decide what is important and what isn't, and plan accordingly. It may be a cliché, but 'Plan the work, then work the plan'.

Integrating the entity into the buyer's organisation

The integration tasks themselves will cover business processes, operations and the IT systems that support them. Typically there will be discussions at least in the following areas:

Finance

  • Which finance standards to follow?
  • Which finance system to use (long term), how to link them together (short term)?
  • Compliance frameworks & reporting.

Sales

  • CRM - which one to use, or cross-pollination of client data?
  • Portfolio management - who gets what?
  • Lead quantification & commission structure.

IT

  • Security policy integration & compatibility
  • Network integration & design
    • LAN / WAN
    • Internet & DMZ
  • Email integration
    • Archiving / SPAM / Content scanning
    • Contacts
    • Calendars.

HR

  • Role rationalisation
  • Staff & management movements
  • Pay rates & payroll integration.

It should be noted that every one of these areas has ramifications for IT security and risk management in general. The degree to which security and risk management issues need to be considered should be carefully evaluated. Consistency in approach can be vitally important.

A good way to achieve this is to create an engagement proforma or similar document and to document exceptions where necessary. Typically you might consider:

  • Are there any compliance ramifications to this task?
  • Are there any privacy considerations?
  • Are there any other legal implications? (Workplace surveillance or statutory document retention, for example)
  • Are there any HR ramifications?
  • Does it involve a defined asset from the TRA?
  • Will the task involve communications external to the company?
  • Will the task involve any confidential communications?

This will create a documentary trail as to whether or not further work is required and if not, why. It will also normally result in a particular avenue of 'attack' being identified and clarify the approach to be taken and the degree to which it needs to be followed.

Whatever approach is taken, it needs to be commensurate with the risks being faced to the organisation and the business value of the assets being protected. Make sure that any controls can realistically be implemented and achieved. Whatever happens, the business needs to carry on and this entire exercise is about minimising risk to the business in a cost-efficient manner. This is likely to be one of the biggest changes the company has experienced and should be treated as such. Be risk-averse but pragmatic. Start early, plan carefully, bring in external expertise where necessary and manage the change, don't let it manage you.

Contact us

Castelain has a huge depth of experience in all facets of pre- and post-acquisition projects from both the vendor's and the vendee's side of the transaction, and has successfully completed several prominent projects with large telcos, BPO (Business Process Outsourcing) companies and investment banks.

For more information, contact Alex Taverner or phone Castelain on 02 9211 6651.


"Castelain's assistance was invaluable. When Telstra acquired KAZ we needed the integration to be seamless. Castelain's expertise, coupled with their professional and committed team helped us ensure its success."

Manfred Thurow - Former CIO, Telstra's KAZ Subsidiary

Copyright ©2007 Castelain
