March 26, 2025

Six identity security risks in M&A – and how to mitigate them

Mergers and acquisitions (M&As) are exciting growth opportunities, but they also come with hidden cybersecurity pitfalls. One big challenge is identity security – managing who has access to what across two merging companies. 

A research report published in 2023 found that the risk of a cybersecurity incident is twice the average during a merger or acquisition. A Forescout survey of global business leaders found that 65% of executives regretted an acquisition after discovering post-merger security issues.

Based on Unosecur’s client consulting experience and industry analysis, here are the six most common types of identity-related security risks that often arise during M&As. Whether you’re a business leader, IT pro, or security expert, the following guide will help you keep identities secure and deals on track.

1. Disparate identity systems and tools

Merging companies rarely use the exact same identity and access management (IAM) systems or security tools. One company might rely on a modern cloud directory while the other runs a legacy on-premises Active Directory – and their policies and configurations can differ wildly. These inconsistent identity solutions make integration tricky. If not handled carefully, mismatched authentication methods or misaligned user directories can create security gaps where bad actors slip in. Getting two IT environments to speak the same language is complex and, without a unified strategy, vulnerabilities can emerge during the transition.

Organizations can mitigate this risk by using Identity Security Posture Management (ISPM) and strong IAM Ops to assess and reconcile both companies’ IAM frameworks before integration begins.

2. Elevated identity attack surface

When two companies become one, you suddenly have more of everything: more user accounts, more administrators, more devices, and more applications. This merger multiplies the identity attack surface – the sum of all possible entry points attackers could target. If Company A had 1,000 user accounts and Company B had 1,000, the new entity now has 2,000 identities to secure (plus all their access rights). The number of privileged accounts (like IT admins) also jumps, which means more high-value targets for hackers. Integrating diverse cloud services or third-party platforms can further expand this surface. The bottom line: a merger gives attackers a bigger playground unless security teams quickly gain visibility over every identity in the combined environment.

Tailored solutions like Privileged Access Management (PAM) to rein in admin accounts and Identity Threat Detection and Response (ITDR) to monitor anomalous logins can help tame an expanded identity landscape.

3. Unverified and provisional access

During an M&A, it’s “all hands on deck” – employees, contractors, and consultants from both sides often need fast access to each other’s systems to keep the business running. In the rush, companies might hand out user accounts or VPN access before doing thorough vetting or applying normal security checks. These unvetted identities and temporary access arrangements can become a hacker’s dream. If someone is given broad access “just for now” without the usual approvals, or if a contractor’s background isn’t fully checked due to time crunch, you could end up with over-privileged users or even malicious actors on your network. The merger frenzy can blur the principle of least privilege (only giving the minimum necessary access), increasing the chance of unauthorized data viewing or changes.

ITDR tools can spot suspicious behavior from these new accounts, and robust IAM operations (IAM Ops) procedures – like just-in-time access and mandatory MFA for all new users – ensure that even in a rush, no identity goes unverified.
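One way to make “just-in-time access with mandatory MFA” concrete is a small grant ledger that refuses any grant without a named approver and MFA enrolment, time-boxes every grant, sweeps expired ones, and audits for grants that bypassed those gates. This is an added example, not code from the Unosecur post or any of its products; the principals, resources, approvers and timestamps are constructed.

```python
# Added example (not from the Unosecur post): a minimal just-in-time (JIT) access ledger
# for M&A onboarding. Every grant needs an approver and an MFA-enrolled principal, is
# time-boxed, and is swept once its TTL lapses. All names and data below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    principal: str            # who receives access, e.g. a contractor from the acquired side
    resource: str             # system or share the grant covers
    approver: Optional[str]   # None means nobody signed off
    mfa_enrolled: bool        # MFA status of the principal at grant time
    granted_at: datetime
    ttl: timedelta            # how long the grant is meant to live
    revoked: bool = False

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.ttl


def request_grant(ledger, principal, resource, approver, mfa_enrolled, now,
                  ttl=timedelta(hours=8)):
    """Issue a grant only when the normal gates hold: a named approver and MFA enrolled.
    The default TTL is one working day; callers re-request rather than extend."""
    if approver is None:
        raise ValueError(f"{principal} -> {resource}: refused, no approver recorded")
    if not mfa_enrolled:
        raise ValueError(f"{principal} -> {resource}: refused, MFA not enrolled")
    grant = Grant(principal, resource, approver, mfa_enrolled, now, ttl)
    ledger.append(grant)
    return grant


def sweep(ledger, now):
    """Revoke every grant whose TTL has lapsed; return the affected principals, sorted."""
    pulled = []
    for g in ledger:
        if not g.revoked and now >= g.expires_at:
            g.revoked = True
            pulled.append(g.principal)
    return sorted(pulled)


def audit(ledger, now):
    """Flag grants that bypassed the gates (e.g. bulk-imported from an onboarding
    spreadsheet) or are still live past expiry. Returns sorted (principal, issue) pairs."""
    issues = []
    for g in ledger:
        if g.approver is None:
            issues.append((g.principal, "no approver"))
        if not g.mfa_enrolled:
            issues.append((g.principal, "mfa not enrolled"))
        if not g.revoked and now >= g.expires_at:
            issues.append((g.principal, "active past expiry"))
    return sorted(issues)


NOW = datetime(2025, 3, 26, 9, 0, tzinfo=timezone.utc)   # constructed reference time
LATER = NOW + timedelta(hours=5)                            # a sweep later the same day


def build_sample_ledger():
    """Two grants issued properly, two pasted in straight from a rushed spreadsheet (constructed)."""
    ledger = []
    request_grant(ledger, "alice@acme-a.example", "erp-prod", "cio@acme-a.example", True, NOW)
    request_grant(ledger, "contractor-bob@acme-b.example", "vpn", "it-lead@acme-b.example",
                  True, NOW, ttl=timedelta(hours=4))
    # Bypassing request_grant is exactly the "just for now" shortcut the audit is meant to catch
    ledger.append(Grant("temp-carol@acme-b.example", "finance-share", None, True,
                        NOW - timedelta(days=3), timedelta(hours=8)))
    ledger.append(Grant("vendor-dave@partner.example", "erp-prod", "cio@acme-a.example", False,
                        NOW, timedelta(days=30)))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for principal, issue in audit(ledger, NOW):
        print(f"AUDIT  {principal}: {issue}")
    print("SWEPT ", sweep(ledger, LATER))
```

The audit deliberately runs over the whole ledger rather than only over grants issued through `request_grant`, because the grants that matter during a merger are the ones that never went through the front door.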

4. Role ambiguities and segregation-of-duties challenges

Who watches the watchers? In well-run companies, critical tasks are split between roles – a principle called Segregation of Duties (SoD). For example, the person who requests a payment isn’t the same person who approves it. This prevents fraud or errors by ensuring no single individual has too much control. But in a merger, org charts get jumbled and people often wear multiple hats, at least temporarily. An employee might inadvertently end up with two roles that conflict, giving them the power to bypass a key check and balance. These SoD conflicts are dangerous: they could let an insider transfer money, manipulate financials, or commit fraud without needing a second approver. During M&A chaos, manual oversight struggles to keep up with everyone’s changing roles, and that’s when mistakes happen.

To mitigate SoD issues in mergers, companies should leverage IAM Ops with strong governance (often via Identity Governance and Administration tools) to auto-flag conflicting roles. Regular access reviews and involvement of Compliance teams in the access certification process can ensure no one slips through with toxic access combinations. In short: trust, but verify – with software looking over each shoulder.
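Auto-flagging conflicting roles comes down to a small amount of logic: expand each user’s roles into entitlements, then check every pair that a SoD rule forbids. The following added example (not code from the Unosecur post or its tooling) does this across two companies’ role catalogues kept apart by a prefix, and also flags roles that are toxic on their own. Role names, entitlements, rules and users are all constructed.

```python
# Added example (not from the Unosecur post): flag Segregation-of-Duties conflicts once two
# companies' role catalogues and user assignments are merged. Catalogues, rules and users
# are constructed; in practice they come from each side's IGA or directory export.

# Each company describes roles in its own vocabulary; the merge keeps them apart by prefix.
ROLES_A = {
    "AP-Clerk":     {"create_vendor", "submit_payment"},
    "AP-Manager":   {"approve_payment"},
    "Finance-Lead": {"submit_payment", "approve_payment"},   # toxic by definition
}
ROLES_B = {
    "Payables":     {"submit_payment"},
    "Treasury":     {"approve_payment", "release_wire"},
    "VendorMaster": {"create_vendor"},
    "DomainAdmin":  {"reset_any_password"},
}

# SoD rules: pairs of entitlements no single person may hold at the same time.
SOD_RULES = [
    ("submit_payment", "approve_payment"),
    ("create_vendor", "approve_payment"),
    ("reset_any_password", "release_wire"),
]


def merge_catalogues(**catalogues):
    """Combine role catalogues under a company prefix so 'Treasury' in B never collides with A."""
    merged = {}
    for prefix, roles in catalogues.items():
        for role, ents in roles.items():
            merged[f"{prefix}:{role}"] = set(ents)
    return merged


def effective_entitlements(roles, catalogue):
    """Union of entitlements across all roles a user holds (unknown roles are ignored)."""
    ents = set()
    for r in roles:
        ents |= catalogue.get(r, set())
    return ents


def violated_rules(ents, rules):
    """Every rule whose two entitlements are both present, in a stable order."""
    return sorted((a, b) for a, b in rules if a in ents and b in ents)


def find_sod_conflicts(assignments, catalogue, rules):
    """Return {user: [(ent_a, ent_b), ...]} for every user whose combined roles break a rule."""
    conflicts = {}
    for user, roles in assignments.items():
        hits = violated_rules(effective_entitlements(roles, catalogue), rules)
        if hits:
            conflicts[user] = hits
    return conflicts


def toxic_roles(catalogue, rules):
    """Roles that violate a rule on their own; these need redesign, not just re-assignment."""
    return sorted(r for r, ents in catalogue.items() if violated_rules(ents, rules))


MERGED = merge_catalogues(A=ROLES_A, B=ROLES_B)

# Constructed post-merger assignments: erin kept her A role and picked up a B role "temporarily".
ASSIGNMENTS = {
    "erin":  ["A:AP-Clerk", "B:Treasury"],
    "frank": ["A:AP-Manager"],
    "grace": ["B:VendorMaster", "B:Payables"],
    "hank":  ["B:DomainAdmin", "B:Treasury"],
}

if __name__ == "__main__":
    for user, hits in find_sod_conflicts(ASSIGNMENTS, MERGED, SOD_RULES).items():
        print(f"{user}: {hits}")
    print("toxic role definitions:", toxic_roles(MERGED, SOD_RULES))
```

Running this as part of each access review catches the cross-company combinations (erin, hank) that neither company’s own checks would have seen, and separates them from roles that were already badly designed before the deal.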

5. Regulatory and compliance vulnerabilities

Merging organizations means merging compliance obligations – and that can be a minefield. Perhaps one company is used to strict GDPR privacy rules (common in Europe) while the other primarily dealt with U.S. regulations like HIPAA or SOX. When they combine, misaligned governance, risk, and compliance frameworks can leave gaps. Data might start flowing to places it shouldn’t, or certain security controls required by law might be inadvertently dropped. If regulators come knocking and find that during the merger you failed to maintain required safeguards, the new entity could face fines, audits, or legal troubles. Ensuring compliance across two different corporate rulebooks is critical but challenging – and if it falls through the cracks, the consequences can be costly.

The best defence? Bring in the compliance experts early. Merging companies should compare their regulatory requirements and adopt the stricter standards of the two across the board. Services like ISPM can map controls against frameworks, and dedicated compliance management plus regular audits will keep the merged entity on the right side of the law.

6. Inherited security compromises and breached credentials

An especially nasty surprise in M&A is the possibility that the company you’re acquiring is already compromised. If the target company suffered a data breach or had threat actors lingering in its systems, those problems become yours after the merger. This risk is two-fold: inherited breaches (undisclosed or undetected incidents that happened pre-acquisition) and inherited weak security practices (like poor password policies or outdated encryption) that come along for the ride. Perhaps the most infamous instance was Marriott’s acquisition of Starwood in 2016. Attackers had been inside Starwood’s reservation system since 2014, and they continued siphoning data until 2018, well after the merger, stealing information on up to 500 million guests. Marriott faced lawsuits, reputational damage, and huge regulatory fines as a result.

To mitigate inherited risks, an acquiring company should invest in ITDR capabilities and thorough security assessments before and immediately after the merger closes. Engaging specialized ISPM services to evaluate the target’s identity security posture can reveal weak spots (e.g., many users with old passwords or admin accounts with no MFA). And of course, ensure that robust compliance clauses are in the deal – if the seller conceals a breach, there should be legal recourse.
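The posture weak spots named above (old passwords, admin accounts with no MFA) can be checked mechanically against a directory export before close. The following added example is not code from the Unosecur post or its ISPM service; it runs a constructed policy over a constructed account export and also flags dormant accounts, which are a common sign of identities nobody on the target side is still watching.

```python
# Added example (not from the Unosecur post): a pre-close posture check over an export of the
# target company's directory. The accounts, dates and policy thresholds are constructed;
# a real run would read the acquired AD or cloud IdP export instead.
from collections import Counter
from datetime import datetime, timezone

AS_OF = datetime(2025, 3, 26, tzinfo=timezone.utc)   # constructed assessment date

POLICY = {"max_password_age_days": 365, "dormant_after_days": 90}   # constructed thresholds

# Constructed export; one row per account in the target's directory.
TARGET_ACCOUNTS = [
    {"user": "admin-ops",  "admin": True,  "mfa": False, "pw_set": "2023-01-10", "last_login": "2025-03-20", "enabled": True},
    {"user": "svc-backup", "admin": True,  "mfa": False, "pw_set": "2019-06-01", "last_login": "2025-03-25", "enabled": True},
    {"user": "hpatel",     "admin": False, "mfa": True,  "pw_set": "2025-01-15", "last_login": "2025-03-24", "enabled": True},
    {"user": "jdoe-old",   "admin": False, "mfa": True,  "pw_set": "2022-02-02", "last_login": "2023-11-30", "enabled": True},
    {"user": "ciso",       "admin": True,  "mfa": True,  "pw_set": "2025-02-01", "last_login": "2025-03-25", "enabled": True},
    {"user": "exstaff",    "admin": False, "mfa": False, "pw_set": "2020-05-05", "last_login": "2021-01-01", "enabled": False},
]


def _days_since(date_str, as_of):
    """Whole days between an ISO date in the export and the assessment date."""
    then = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (as_of - then).days


def assess(accounts, policy, as_of=AS_OF):
    """Return sorted (user, finding) pairs. Disabled accounts are skipped here: they cannot
    be used to log in, although they still belong on the post-close clean-up list."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["admin"] and not a["mfa"]:
            findings.append((a["user"], "admin_without_mfa"))
        if _days_since(a["pw_set"], as_of) > policy["max_password_age_days"]:
            findings.append((a["user"], "stale_password"))
        if _days_since(a["last_login"], as_of) > policy["dormant_after_days"]:
            findings.append((a["user"], "dormant"))
    return sorted(findings)


def summarize(findings):
    """Count findings per category: the headline numbers for the due-diligence report."""
    return dict(Counter(finding for _, finding in findings))


def prioritized(findings):
    """Accounts to fix first: any privileged account without MFA, and any account that is
    both dormant and carrying a stale password (nobody is using it, nobody is rotating it)."""
    by_user = {}
    for user, finding in findings:
        by_user.setdefault(user, set()).add(finding)
    return sorted(u for u, f in by_user.items()
                  if "admin_without_mfa" in f or {"dormant", "stale_password"} <= f)


if __name__ == "__main__":
    findings = assess(TARGET_ACCOUNTS, POLICY)
    for user, finding in findings:
        print(f"{user:12s} {finding}")
    print("summary:", summarize(findings))
    print("fix first:", prioritized(findings))
```

Thresholds are deliberately parameters: the acquirer should run the check with its own policy, not the target’s, since the point is to measure the gap between the two.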

In summary, ensure that your identity security and compliance partner assumes the worst and hunts for it: you don’t want to buy a breach along with a business.
