Why Identity Management Is Critical in Mergers and Acquisitions


Mergers and acquisitions are all about finding synergies that increase efficiency and shareholder value. However, M&A deals are inherently risky, requiring careful examination of a target company’s assets, liabilities, and vulnerabilities. Generally, the focus is on financials, but cybersecurity is playing an increasingly important role.

EY recently released the 16th edition of its Global Capital Confidence Barometer, with data on planned merger and acquisition (M&A) activity. Of the companies surveyed, 56 percent said they expect to pursue an acquisition in the coming year. In addition, 33 percent of respondents said they expect to complete more deals in the next 12 months compared to the previous 12 months, with 57 percent expecting no change and only 10 percent expecting a decrease in activity.

This expected M&A activity could be negatively impacted by cybersecurity-related events. In a recent survey of directors and officers by NYSE Governance Services, 85 percent said the discovery of a major cybersecurity vulnerability was “very likely” or “somewhat likely” to affect a deal. More than half (52 percent) said a high-profile data breach would significantly lower the valuation of a deal, and 22 percent said it would deter them from going through with it.

Organizations evaluating deals should pay attention to identity and access management (IAM). User identities have become the front line in protecting against security breaches, and entities with weak IAM practices could be particularly vulnerable.

The focus on IAM shouldn’t end when the papers are signed. In the flurry of activity that occurs during the integration of two organizations, new identity-related threats are likely to emerge.

The merging entities will likely have different policies, processes, and tools for managing user identities. Integrating them can be highly complex. In addition, M&A activity might involve a reduction in workforce or reassignment of roles. Without careful attention to IAM, a disgruntled insider could exfiltrate data or cause significant damage to systems.

IT teams should develop a strategic plan for IAM early in the integration process. If one of the entities has a particularly strong IAM model, it could serve as the basis for the combined solution. Or IT could look at the merger as an opportunity to start fresh with more robust practices. Either way, key stakeholders should be involved to help develop policies and define roles.

IT will need to gain a thorough understanding of all identities across both organizations. Close attention should be paid to privileged accounts, as well as to contractors, business partners, and other external roles that might pose a threat.

An automated IAM system can prove beneficial, helping ensure that policies are uniformly enforced and nothing falls through the cracks. It can also aid in getting employees up and running more quickly, giving them appropriate access rights to the systems, applications, and data they need.

Though M&A activity is off from its 2015 peak, many organizations are planning transactions in the coming months. It’s important to consider cybersecurity and especially IAM when performing due diligence prior to a deal and integrating the merging entities afterward. By considering IAM from the outset, organizations can gain greater synergies and avoid access control gaps at a time of heightened vulnerability.


For more information about Identity Management, please send us an email at (

Leave a Comment