Most M&A security conversations start and stop with cyber security. Converged M&A security addresses the full picture — physical security posture, personnel security, insider threat history, supply chain relationships, financial controls, investigations, fraud, and executive protection — across the full lifecycle of a transaction.
These questions come from deal teams, security leaders, and executives who have been through a transaction and want a better answer than they got last time.
Note: We mostly use the term “acquisition”, but everything here applies whether the transaction is a merger, acquisition, divestiture or rebadge, so don’t zone out.
FUNDAMENTALS
What is converged M&A security?
Converged M&A security is the discipline of identifying, managing, and integrating security across the full lifecycle of a merger, acquisition, or divestiture, and sometimes a rebadge — not just the technology security, not just at due diligence, and not just from the buyer’s perspective. Remember that you and your peer on the other side are protecting BOTH sides of the transaction.
Most M&A security programs address cyber security and call it done. What about the target company’s physical security posture — the access control systems, camera infrastructure, guard force, alarm monitoring contracts? Their insider threat history? Their executive protection program? Their supply chain security practices? Their fraud and financial control environment?
A converged M&A security framework addresses all of those dimensions, in the right sequence, with the right ownership, and, most importantly, in support of the business objectives of the transaction. The objective is to understand what you are buying before you buy it — and to integrate it without creating new exposures in your existing program.
When should security get a seat at the deal table?
As early as possible — ideally at first contact with a target. In practice, security is often brought in at due diligence, which is better than nothing. In too many deals, security is brought in at close — when it is too late to change the price or walk away.
Security input at first contact answers: does this target operate in threat environments, or carry vulnerabilities at some level, that change our security posture? Are there countries, industries, or customers in this acquisition that introduce regulatory, data, information, services, personnel, or physical security complexity we are not prepared for?
Security input at due diligence answers: what is the actual state of their security program? What liabilities are we absorbing? What is the cost to bring their program to our standard?
Security input at integration answers: how do we merge two access control systems without creating a gap? How do we handle badge provisioning for employees who are now ours? What do we communicate to the acquired workforce about our security standards? How do we integrate data in a way that meets our security standards? What about their suppliers?
If security is not at the table when the price is set, the deal team is making a financial decision without knowing the full cost.
What are the 8 transaction phases and where does security fit?
A converged M&A security framework unfolds across 8 phases, each with distinct security requirements:
- Pre-LOI (Origination): Threat assessment of the target’s geography, industry, and leadership profile. Is there any intelligence on this company or its executives before the deal is announced?
- Letter of Intent: Security NDA provisions. Who — on both sides — knows this deal exists? Information security for the transaction itself begins here.
- Due Diligence: Full security assessment across physical, cyber, personnel, supply chain, and financial controls. This is where the security cost of the transaction is quantified.
- Negotiation: Security findings inform price adjustments and representations and warranties. Deficiencies that cannot be remediated before close become escrow items or walk-away triggers.
- Regulatory Approval: Some transactions trigger regulatory review with direct security implications — CFIUS for foreign investment, sector-specific reviews in defense, utilities, and critical infrastructure.
- Pre-Close: Integration planning. Badge provisioning strategy. System access planning. Physical security harmonization timeline. Day 1 posture finalized.
- Close Day + 1 Minute: The security posture of both entities at the moment of legal combination — often the highest-risk moment in the transaction.
- Integration: The long game (think 2 years, not 2 quarters) — merging policies, systems, cultures, and programs without creating gaps in either direction.
What is “Close Day + 1 Minute” in M&A security?
Close Day + 1 Minute is a framework concept that captures the reality that security exposure does not wait for integration to be complete. It is no longer “them” and “us”; it is now “we” and “our security”.
The moment a deal closes — one minute after Day 1 — two organizations are legally one. Their security systems, their cultures, their threat posture, and their insider threat populations are still two, but all the security elements, the good ones and the (really) bad ones, whether you have discovered them or not, are now the combined company’s. The gap between legal combination and operational combination is where significant M&A security incidents occur.
On Close Day + 1 Minute:
- Employees of the acquired company are now our employees — including anyone who was an insider threat concern yesterday, when the target was a competitor
- Physical access to our facilities may now extend to a workforce you have not screened under your standards
- The target’s system vulnerabilities are now our vulnerabilities
- Their reputational and legal exposures are now our reputational and legal exposures
The Day 1 security plan is not a checklist item — it is a complete operational posture for Day 1 through Day ###. Who has physical access and to where. What system access is granted immediately and what is provisioned on a scheduled basis. What the security posture of combined executive leadership looks like. Who owns incidents that occur on Close Day + 1 Minute?
DUE DILIGENCE
What does security due diligence actually look like in an M&A context?
Security due diligence is a structured assessment of the target’s security program across physical, cyber, personnel, supply chain, global, investigations, and financial control dimensions. In a converged framework, you are answering four questions:
What is the actual state of their program? Not what their policies say — what their posture is. Walk the facilities. Review system configurations, not just documentation. Talk to the people who run the program, not just the CSO/CISO. They don’t have one? Then talk to the facilities guy, the burned-out sysadmin, the MS(S)P, the receptionist.
What liabilities are we absorbing? Known breaches, regulatory investigations, pending litigation, prior insider threat incidents, compliance gaps. These are priced — or walked away from.
What is the remediation cost? To bring their program to your standard — infrastructure, cyber hygiene, policy harmonization, culture — what does it actually cost and over what timeline?
What are the integration risks? Where does merging two programs create a gap? The target’s weakest control commonly becomes the combined entity’s weakest control.
Due diligence is not a questionnaire. It is a field assessment that produces a priced security action register.
What security threats and vulnerabilities, in acquisitions, do buyers most commonly miss?
Five consistently underestimated risks:
1. Personnel security posture of the acquired workforce. You are inheriting every employee through close. Their background check standards may not match yours. Their clearance status may differ. Their insider threat history exists — even if it was not disclosed. Some might be “on edge” about the acquisition itself.
2. Physical security infrastructure condition. Camera systems, access control platforms, alarm monitoring contracts — these are often aging, unmanaged, and not inventoried. Replacing them is a capital line item that was not in the deal model.
3. Supply chain relationships. The target’s suppliers now become your suppliers — with whatever security posture those suppliers have and whatever condition their contracts are in. A target with poor supply chain security practices carries those exposures into your supply chain.
4. Integration tension. The security cultures of two companies often conflict. Acquired employees feel surveilled. Your security team does not know the new workforce. The seam between two programs is where incidents occur.
5. Divestiture-specific — what leaves with the divested entity. In a divestiture, the question is not what you are absorbing — it is what is walking out the door. Data, access credentials, paper, equipment, institutional knowledge, supplier relationships. Managing the exit is as operationally complex as managing the entry.
How do accreditations like SOC 2 or ISO 27001 affect M&A security due diligence?
Accreditations are a starting point, not a conclusion. An accreditation is A MOMENT in time, and that moment is never “Close Day + 1 Minute”.
A SOC 2 Type II report tells you that an auditor reviewed specific controls within a defined scope and found them operating effectively during the audit period. It does not tell you what is outside that scope, whether the findings represent material gaps, what the physical security posture looks like, whether controls have degraded since the audit, or how the security culture actually functions day to day. Such reports tend to lean toward information security and cyber security controls rather than converged security.
In M&A due diligence, I treat accreditations as a signal to focus the assessment — not as a substitute for it. A company with a clean SOC 2 Type II and poor physical security, no insider threat program, and no supply chain visibility is not a secure company. It is a company that has met one auditable standard within a defined scope, at a very specific point in time, known as the “as of” date. What if that date was a year ago?
Conversely, a company without formal accreditations but with a mature, well-run security program may be a better acquisition than an accredited company with cultural and operational gaps. Accreditations describe a moment in time within a defined boundary. Due diligence describes the actual state.
INTEGRATION AND COMMON MISTAKES
What is the most common M&A security mistake — and how do you avoid it?
Treating security as a close-of-deal issue rather than a deal-defining issue.
Security findings that surface after the price is set become accommodation problems — how do we absorb this cost within the deal we already agreed to? Security findings that surface at due diligence are pricing inputs — this deficiency costs $X to remediate, which changes the offer.
The fix is structural: get security into the due diligence team before the deal structure is finalized. Define — in writing, with the deal team — what security findings will trigger a price adjustment, a renegotiation, or a walk-away. When a finding surfaces, the response is governed by a pre-agreed framework rather than a negotiation under pressure.
“It should only take 30 days to integrate, just switch out their laptops and we are done” vs. reality: across 125 transactions, I have never had full integration take less than 2 years.
Why does executive protection risk increase during an M&A transaction?
For several reasons, all of which intersect:
Information exposure. The deal is known by more people than the company can fully control. Competitors, arbitrageurs, and employees speculating about their future all have reasons to seek information about leadership’s plans and movements.
Leadership visibility. Executives become more visible during a transaction — investor presentations, press events, integration roadshows. Increased visibility increases personal exposure.
Workforce stress. Acquisitions create uncertainty for the acquired workforce. Uncertain employees sometimes direct grievances toward leadership.
Adversarial interest. Competitors may have an interest in the deal failing. Foreign adversaries may have an interest in deal-sensitive information. Activists focused on either company, or on the combined company, can become more agitated before or after announcements and close. This increases significantly with layoffs, divestitures and especially rebadges.
For any acquisition with significant scale or public exposure, executive protection posture should be reviewed at deal announcement — covering travel security, residence security, and the personal device security posture of all deal-team principals.
What does M&A security look like for a church or faith-based organization?
Churches merge, split, acquire campuses from each other, dissolve denominations, and divest properties — and almost none of them treat it as an M&A event with security implications. Remember a church (entity, not the spiritual collective) is a BUSINESS first, legally.
When two congregations merge: whose background check database governs volunteers going forward? How do two access control systems become one? What happens to the financial controls during the transition? Who owns the data records — membership, giving history, counseling records — and how are they protected?
When a church acquires a building or other assets from another congregation, it is inheriting the security infrastructure of that building — and potentially the access credentials of everyone who ever had a key or a badge. A denomination dissolving has data governance, personnel security, and physical security questions that no one is currently asking. What if they have expanded from one location to two?
The converged M&A security principles apply. The culture is BIG. The scale is different. The risk is real.
Written by Jim McConnell — 36+ years of converged security practice, including design and operations leadership for $30B+ divestiture and rebadging programs. See also: Converged Security FAQ, Converged Supply Chain Security FAQ.
