Merger and Acquisition (M&A) Security Risk

Although some companies, mostly large global and national businesses, have their act together when it comes to assessing the state of the company they are buying or merging with, most other companies don’t.

Q: I just learned that our company is buying another company and I have concerns. That company has changed security directors twice in the past three years, and for many reasons, I suspect that security is in disarray there. Should I speak up about it?
A: It is common for physical security to be an afterthought in the M&A process on both the seller and buyer sides. Depending on your position in the firm, you need to become a part of the M&A team or engage with someone who is.

This truly is a case of “Let the buyer and the seller beware.”

Seller Side

Sellers rarely consider that the state of their physical security should be a concern. And it shouldn’t be if they have a well-documented security program and several years (ideally 5) of measures and metrics to validate their security performance (see my previous column, Security KPIs, Measures and Metrics). Such documentation provides assurance and insight for many things, such as:

  • Whether the security operations and technology budgets and planning should remain intact
  • How closely the security program does or doesn’t align with the buyer’s security program
  • Whether identity and access management are siloed between IT and physical security (even if siloed, documentation lets the buyer’s IT staff evaluate the arrangement)
  • Whether the workplace violence prevention program has only the “run, hide, fight” scope, or is based on an in-depth assessment, includes proactive and preemptive elements, addresses the full workplace violence spectrum (including early behaviors that occur before escalation), and is aligned with company culture change initiatives and company codes of conduct
  • If the security program includes a change management element, so that security participates in change planning, as opposed to having to cope with new security weaknesses after changes are made

For the above items and more, each missing security program element may be a cause for a purchase price reduction. If the security program documentation is insufficient, the seller may engage a third-party firm to perform an independent security program evaluation. It may be that the buyer’s advisors recommend such an evaluation regardless of documentation. If the security program is found to be good to excellent, this works in the seller’s favor.

Buyer Side

If the buyer’s M&A team is not security-savvy but focuses more on the financial aspects and the challenges of integrating business operations, including sales and marketing, physical security risks may be missing from the purchase risk analysis. I know of one situation where the buyer company discovered, after the acquisition was completed, that the buildings’ physical security profiles and security operations required an immediate $2 million investment and a permanent $3 increase in the annual security operations budget.

For some large companies, those are small numbers and wouldn’t faze them. On the other hand, if they had planned to reduce headcount and costs immediately after the acquisition, the unexpected expense increases would work counter to their objectives and may hamper their reaching desired post-acquisition goals.

I’m aware of several situations where buyers didn’t pay attention to mandatory and voluntary security regulatory programs, such as the voluntary U.S. CTPAT program (Customs-Trade Partnership Against Terrorism). One company missed regulatory deadlines; another company made a last-minute effort and saved its CTPAT certification, retaining the $1 million in annual cost reductions involved in importing the raw ingredients the manufacturer depended on.

A medium-term risk is acquiring facilities whose fire and security protections are below par compared with the rest of the company’s facilities. If the disparity is not remedied as soon as feasible, and a major incident occurs involving serious human harm or death, the company could be found negligent or grossly negligent for not remedying the deficiencies as soon as feasible after acquisition. I know of such cases, which usually result in quick, sizeable settlements to minimize the reputation damage that accompanies such situations.

A key point is this: Had the buyer’s board of directors and senior executives been informed that such risk factors were involved in the acquisition, they could and would have taken appropriate action.

Lessons Learned

Many organizations have learned the hard way that they should have included physical security due diligence in their M&A process. There can be significant risk and cost consequences in not doing so. On the other hand, some companies don’t learn if the consequences of the situation aren’t catastrophic enough to bring them to their attention. Some companies have a fully comprehensive security program and a highly competent security team, resulting in security and safety deficiencies being rapidly identified and addressed as a matter of course. Which position would your company be in on either side of the M&A action? Do your M&A stakeholders consider the potential security program risks?

Micro-assessments can be utilized to assess high-level indicators of where a buyer or seller may stand. For example, the Insider Threat Micro-Assessment Template (bit.ly/insider-threat-template), based on guidance from Carnegie Mellon University, can quickly be done by a seller or requested by a buyer and covers five key areas of information security insider threat risk. It’s a gap analysis to identify whether commonly required insider threat countermeasures have been given any attention, and to what extent.

Another good gap-analysis assessment, sometimes involving a bit of collaboration between companies, involves comparing the security program elements (typically a one-page diagram) of the buying and selling companies. This can include rating the maturity level of each security element (bit.ly/rate-your-security-program-in-90-seconds).

The seller may simply not be too concerned about the gaps when, once seeing them, they know they can effectively remedy them. If the selling company has concerns about its ability to address the security program gaps, one way to address those concerns is to draft sensible plans for how the seller would go about bringing the security program up to par with the buyer’s program, including budgetary and time frame elements. This would be a significant good-faith move, enabling the buyer to update acquisition planning if necessary, and would eliminate the possibility of post-purchase accusations of withholding information.

One selling company engaged a security firm to perform in-depth information systems and physical security assessments. They turned out to be mostly in decent shape and remedied the discovered deficiencies immediately. Not only did they receive a higher price for their company than they originally thought they could, but the buyer was extremely happy knowing that it was getting a business operation with an excellent IT and physical security profile: a win-win situation.

About the author: Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and is a member of the ASIS communities for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

© 2021 RBCS