Today’s financial climate is fueling a wave of mergers and acquisitions, particularly among financial institutions. With an infusion of fresh cash from the federal government, in the next six to 12 months we are likely to see weaker banks snapped up by larger institutions. This “fire sale” economy, where companies are snapped up for cheap with little time for due diligence, makes it difficult for the acquiring companies to take inventory of physical assets such as phones and computers, let alone understand and protect the sensitive data that’s on all of those systems.
Financial organizations use and retain a massive amount of regulated and sensitive data that can sit on a file server, a laptop or other device. To secure their investment, purchasing organizations must quickly take inventory of the acquired company’s information assets, gain visibility into where these assets are stored, find out who has access to them and make sure they are secure.
Three steps to protect newly acquired data
There are three steps financial institutions can take to protect their newly acquired data: monitor business communications for sensitive data, discover information assets and implement policy controls to secure sensitive data.
In a merger and acquisition scenario, many employees and information owners will leave, move departments or be let go, putting sensitive information at risk of loss, misuse or, in rarer incidents, theft. With employees joining and leaving the company, it’s necessary to find out who has copies of records on their desktops or laptops, whether those people are still with the company and where the IT assets are located. In a time of consolidation, employees with access to confidential data may try to keep their customer lists in personal Web-based e-mail or copy data to an external device.
Therefore, the very first step the buying institution should take is to immediately begin monitoring business communication channels for sensitive data. To do this quickly and effectively, acquiring companies should be prepared with technology assets such as a DLP (data loss prevention) solution, encryption technology and rights management technology so they can “parachute in” and immediately start to get visibility.
Let’s explore in more detail the three steps financial institutions can take to protect their newly acquired data:
Step No. 1: Monitor business communications for sensitive data
The first step following an acquisition should be to monitor business communication channels for confidential data. One of the easiest ways to do this is with a DLP solution. This technology includes out-of-the-box templates for hundreds of data types and regulations. For example, DLP technology can be used to find regulated information, such as data covered by the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act, as well as customer data such as Social Security numbers and credit card information.
In a merger and acquisition situation, a lot of confidential data is exchanged between law firms, auditors, human resources and other departments. During an acquisition, fear and uncertainty can lead good employees to make bad decisions. For example, salespeople may make copies of customer lists, while developers may make copies of proprietary source code. It’s critical to get visibility into both the good and the bad business processes early on.
This will give organizations the intelligence necessary to better govern and secure the business by monitoring the communication channels to see what data is being sent, where it is going and who is sending it. Most people think that they have to do a deep discovery process for their data before they can monitor it. However, by using built-in policy templates in a DLP solution, they can easily begin to monitor for the data they suspect they have, even before they know for sure.
Step No. 2: Discover information assets
Data discovery provides an inventory of the data stored in an organization and can alert managers to data that is “at risk” of being lost. When data is discovered, you gain visibility into the organization’s information assets and can begin to classify them. Through this process, you can improve both storage and security across the enterprise and better plan for provisioning, access and growth (while at the same time mitigating risk).
Although most organizations can satisfy their discovery requirements by using the policy templates built into a DLP solution, the technology also provides for deep content inspection using digital fingerprinting technology. This capability permits the discovery of virtually any type of data, including proprietary information such as source code, merger and acquisition documents, and patent information.
Step No. 3: Implement policy controls to secure sensitive data
After gaining visibility into what data an organization has and what data is being used, a DLP solution can institute controls to protect it. Setting policy controls around data, employees and communication channels allows organizations to send data wherever it needs to go, but safely. Communications during a merger and acquisition are critical, and data transfers that fall within the right parameters should not be blocked.
For example, the legal teams for each party must be able to send information back and forth, but it’s also important that those communications are secured. That’s where DLP and encryption technology come into play. Setting policy controls can manage who can send what data, where they can send it and how it is sent. For example, in the attorney scenario, policies could be set to automatically encrypt e-mails between lawyers. Other examples of setting policy controls include fingerprinting data so that it can be sent securely in an e-mail. However, if someone tries to post it on a financial chat board, the policy would prevent it. The goal of policy controls is to secure data while at the same time enabling business.
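The fingerprint-then-decide flow described above can be sketched as follows. This is an added example, not a vendor's implementation: hashing five-word shingles stands in for the product's fingerprinting, which the article does not describe, and the domain names, threshold and sample text are assumptions made for the example.

```python
import hashlib
import re

SHINGLE = 5  # words per shingle (assumed value)

def fingerprint(text: str) -> set:
    """Hash every run of SHINGLE consecutive words, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
        for i in range(max(len(words) - SHINGLE + 1, 0))
    }

def overlap(outbound: str, protected: set) -> float:
    """Fraction of the outbound text's shingles found in the protected document."""
    fp = fingerprint(outbound)
    return len(fp & protected) / len(fp) if fp else 0.0

# Hypothetical policy settings: domain and threshold are assumptions.
COUNSEL_DOMAINS = {"lawfirm.example"}
THRESHOLD = 0.3

def decide(channel: str, destination: str, body: str, protected: set) -> str:
    """Return 'allow', 'encrypt' or 'block' for one outbound communication."""
    if overlap(body, protected) < THRESHOLD:
        return "allow"      # no meaningful share of fingerprinted content
    if channel == "email" and destination.split("@")[-1] in COUNSEL_DOMAINS:
        return "encrypt"    # lawyer-to-lawyer e-mail goes out, but encrypted
    return "block"          # fingerprinted content headed anywhere else

# Constructed sample data.
DEAL_MEMO = ("The acquiring bank will purchase all outstanding shares of the target "
             "institution at a price to be fixed after the regulatory review closes.")
PROTECTED = fingerprint(DEAL_MEMO)
EXCERPT = ("FYI: the acquiring bank will purchase all outstanding shares "
           "of the target institution.")

if __name__ == "__main__":
    print(decide("email", "partner@lawfirm.example", EXCERPT, PROTECTED))
    print(decide("web", "chatboard.example", EXCERPT, PROTECTED))
```

Because the match is on overlapping shingles rather than on a whole-file hash, a pasted excerpt of the memo is caught even when it is reworded at the edges.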
Understanding what data needs protection
Perhaps the most critical capability of a DLP solution is its ability to accurately understand the data that needs to be protected. Confidential data comes in many forms: It can be in an Excel file, a presentation, a database, a Word document, an e-mail or an instant message.
The ability to look beyond the “wrapper,” or format type, and examine the data itself is the core strength of DLP technology. Content-aware DLP technology has data intelligence and can identify critical differences (such as whether a list is a confidential customer list or a grocery list). It can tell if the data is source code or a merger document, or even if it’s just an innocuous e-mail between colleagues.
With a DLP system that identifies what is confidential and accurately protects that data, an acquiring organization can secure its investment early on, better understand the business it has acquired and reduce risk.