How to Protect Data During Financial Mergers and Acquisitions

With current economic conditions greasing the skids for a merger frenzy, the combination of massive financial institutions raises important questions about the handling of sensitive financial data. Financial institutions simply cannot overlook the technology and business processes needed to protect sensitive data and maintain a competitive advantage. Knowledge Center contributor Dave Meizlik explains how organizations can protect their sensitive data during a merger and acquisition.


Today's financial climate is fueling a wave of mergers and acquisitions, particularly among financial institutions. With an infusion of fresh cash from the federal government, in the next six to 12 months we are likely to see weaker banks snapped up by larger institutions. This "fire sale" economy, where companies are snapped up for cheap with little time for due diligence, makes it difficult for the acquiring companies to take inventory of physical assets such as phones and computers, let alone understand and protect the sensitive data that's on all of those systems.

Financial organizations use and retain a massive amount of regulated and sensitive data that can sit on a file server, a laptop or other device. To secure their investment, purchasing organizations must quickly take inventory of the acquired company's information assets, gain visibility into where these assets are stored, find out who has access to them and make sure they are secure.

Three steps to protect newly acquired data

There are three steps financial institutions can take to protect their newly acquired data: monitor business communications for sensitive data, discover information assets and implement policy controls to secure sensitive data.

In a merger and acquisition scenario, many employees and information owners will leave, move departments or be let go, putting sensitive information at risk of loss, misuse or, in rarer incidents, theft. With employees joining and leaving the company, it's necessary to find out who has copies of records on their desktops or laptops, whether those people are still with the company and where the IT assets are located. In a time of consolidation, employees with access to confidential data may try to keep their customer lists in personal Web-based e-mail or copy data to an external device.

Therefore, the very first step the buying institution should take is to immediately begin monitoring business communication channels for sensitive data. To do this quickly and effectively, acquiring companies should be prepared with technology assets such as a DLP (data loss prevention) solution, encryption technology and rights management technology so they can "parachute in" and immediately start to get visibility.