This article is part seven of a joint blog series with Simplus on things to consider when merging Salesforce orgs after a merger or acquisition. For an in-depth discussion on this topic with industry experts, register for our virtual event on February 10.
When you hear about mergers and acquisitions in the news, the headline almost always focuses on the size of the deal. And why not? These so-called ‘mega-mergers’ feature acquisitions valued in the tens of billions of dollars and have significant implications for their respective industries. With all this focus on the bottom line, however, other important considerations are often neglected throughout the process.
Take security, for example. A report by West Monroe Partners found that 52% of executives reported discovering a security problem after closing the deal. It was also found that security was the second most common reason M&A deals were abandoned and the second most common reason buyers regretted closing a deal. Finally, 41% of respondents said problems during post-merger integration were their main worry when thinking about issues related to security.
If security concerns are such a roadblock to a successful merger or acquisition, what can be done to mitigate the risk? Let’s examine some steps you can take, both before and after the merge process.
Here are some steps companies should take before merging Salesforce orgs:
Audit and ensure there are no unexpected outcomes of data sets based on any automation. For example, does the acquired contact data require any special treatment as it pertains to marketing of services and campaigns?
Understand the data requirements that may pertain to specific regulations such as HIPAA or PCI, determine encryption/access needs, etc.
Assess the impact and risks associated with 3rd party integrations. Are there new data types that should be considered out of scope for 3rd party access? For 3rd party integrations being carried over, ensure proper due diligence was conducted and that the vendors are properly tracked for any compliance needs, updates, and ongoing monitoring.
Determine if any contacts are flagged for GDPR, CCPA, or other regulations. Some companies track consent for marketing purposes within Salesforce, for example.
Identify any special fields that may note special requirements or contacts for breach or other security notifications and ensure they are carried over.
Limit the amount of data moved to what is necessary.
Audit Apex/Visualforce custom code for API/other less restrictive access.
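As an added illustration of the Apex audit step (example code, not from the article or from Salesforce), the script below scans Apex class sources for declarations that widen access: `without sharing` or a missing sharing keyword, `global` visibility, `@RestResource` and `webservice`. The choice of markers and the sample classes are assumptions constructed for this example.

```python
import re

# Constructed sample sources standing in for Apex classes from the acquired org.
SAMPLE_CLASSES = {
    "AccountExport.cls": """
@RestResource(urlMapping='/export/*')
global without sharing class AccountExport {
    @HttpGet
    global static List<Account> doGet() { return [SELECT Id, Name FROM Account]; }
}""",
    "ContactHelper.cls": """
public class ContactHelper {
    // without sharing is mentioned only in this comment
    public static void touch(List<Contact> cs) { update cs; }
}""",
    "SafeService.cls": """
public with sharing class SafeService {
    public static Integer count() { return [SELECT COUNT() FROM Contact]; }
}""",
}

# String literals are matched first so '/export/*' is not mistaken for a comment.
TOKEN = re.compile(r"'(?:\\.|[^'\\\n])*'|/\*.*?\*/|//[^\n]*", re.S)
CLASS_DECL = re.compile(r"\b(?:(with|without|inherited)\s+sharing\s+)?class\s+(\w+)", re.I)
# Assumed review markers: constructs that expose code outside the org or namespace.
CHECKS = [
    ("rest-endpoint", re.compile(r"@RestResource\b", re.I)),
    ("soap-webservice", re.compile(r"\bwebservice\b", re.I)),
    ("global-visibility", re.compile(r"\bglobal\b", re.I)),
]

def strip_noise(src):
    """Blank out comments and string contents so keywords inside them are ignored."""
    return TOKEN.sub(lambda m: "''" if m.group().startswith("'") else " ", src)

def audit_apex(src):
    """Return the sorted review findings for one Apex source file."""
    code = strip_noise(src)
    findings = {name for name, rx in CHECKS if rx.search(code)}
    for m in CLASS_DECL.finditer(code):
        mode = (m.group(1) or "").lower()
        if mode == "without":
            findings.add("without-sharing")         # record-level sharing not enforced
        elif not mode:
            findings.add("no-sharing-declaration")  # sharing depends on the caller
    return sorted(findings)

if __name__ == "__main__":
    for name, src in SAMPLE_CLASSES.items():
        print(f"{name}: {audit_apex(src) or 'no findings'}")
```

A finding is a prompt for manual review rather than proof of a defect; each flagged class still needs to be read in the context of who can call it.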
As evidenced by the statistics above, once you’ve successfully merged your Salesforce org with the target company’s, you’ve crossed a major hurdle. But there are still security risks to consider when it comes to the new, consolidated org.
Everywhere you look, cyber threats are becoming far more sophisticated, insider threats are pervasive, and consumers are, rightly so, much more concerned about how companies secure their privacy. Meanwhile, government and industry regulations like GDPR, CCPA, HIPAA, SEC 17a-4 and dozens of others were enacted to ensure companies adhere to strict security and privacy procedures.
A common theme in these regulations is that no matter where data resides, the liability for protecting it from unauthorized access or disclosure does not transfer from the owner of the data to its vendors. Whether the data is on a laptop, a local server, on its journey to the cloud, or in the cloud, the company that owns the data is responsible for ensuring its security.
When considering the security of your data, you should rely on a solution that is reputable, has passed Salesforce security reviews, and has built-in platform security features that meet enterprise needs. Saving .CSV files of your Salesforce data on a company hard drive or your laptop should NOT be considered a best practice. Post-merge, your security requirements should include:
Encryption in transit and at rest (where appropriate) to protect data at all times
Role-based Access Controls (RBAC) for restriction over who has access to backups
IP whitelisting for controlling domain access
Two-factor authentication for ensuring only authorized users have access
Single sign-on (SSO) for reducing the number of threat surfaces hackers could access
The bottom line is that organizations must vet the security of the companies they are acquiring or merging with. This process is just as important as digging into the financial side of things. At a minimum during the M&A process, companies should bring in a security team to create a security program, evaluate network security policies, and consider important factors such as the effectiveness of firewalls, endpoint protection, and other security tools.