Top Tips for Scalable M&A

A surge in M&A points to a strong market ahead but also opens up more organizations to being exploited.


Just earlier this week, PayPal announced its intention to acquire Japanese buy now, pay later (BNPL) firm Paidy. Law practice management software company Clio announced it’s snapping up Lawyaw, a legal document automation company. What’s more, last month it was shared that – despite the staggering economic impact COVID-19 continues to have on global economies and across industries at large – the M&A market has hit a new high in 2021. According to findings from financial market data provider Refinitiv, the total value of pending and completed M&A deals announced in 2021 has surpassed $3.6 trillion year-to-date – already blowing past the $3.59 trillion we saw in 2020 (for reference, that’s just over 35,000 deals to date in 2021 – a 24% jump over last year).

But although this surge in M&A points to a strong market ahead, it also opens up more organizations, individuals and supply chains to exponentially widening threat vectors as bad actors continue to emerge and exploit overlooked business risks. But M&A doesn’t need to be as technically risky as it’s once been.

Why M&A matters in 2021

M&A has long been a critical growth avenue for organizations of all shapes and sizes – enabling organizations to expand their customer base, diversify their products and services, and acquire new technology to further their competitive advantage in the midst of an increasingly fierce market. In fact, a recent PwC study found that 59% of business leaders are planning to allocate more funds to M&A activity in 2021 to achieve key business priorities.

But if not conducted correctly, M&A activity can cause companies to end up lagging or fatally succumb to poor cybersecurity practices – particularly in the realms of data and IT management. For companies to be effective and efficient in their M&A endeavors (whether it be reaching new audiences, bolstering current offerings, or expanding into new markets), it’s imperative that processes are in place proactively to minimize security risks, mitigate IT complexity, and ensure scalability throughout the entire process.

Making your M&A Activity Sustainable – and Scalable

Every organization is built differently – which means that as either the acquirer or acquiree, your organization will have its own business risks and processes to keep in mind should an M&A opportunity arise. But in general, here are a few of the things to keep in mind as you’re undergoing or assessing any potential business consolidation:

    • Do your due diligence ahead of time. When you’re acquiring another organization, or fusing its assets with your own, you’re not only acquiring their offerings, talent and customer base, you’re also acquiring their risk potential. Make sure that you’re auditing their cybersecurity posture and the structural integrity of their supply chain ahead of time. Because there’s nothing worse than projecting a couple million dollars in annual cost synergies, post-acquisition to stakeholders and investors, only to be hit with a hundred-million dollar data breach fine and a few billion in losses months later – Marriott can attest. Do your prep ahead of time to ensure, from both a risk and business perspective, you know what you’re getting yourself, your customers, and key business stakeholders into.
    • Don’t rush. Take your time with the consolidation process. The only thing worse than overlooking a critical security vulnerability or insecurity at the start of the M&A process is rushing to merge your critical and complex IT environments too quickly – particularly as bad actors continue to lurk and evolve in the cloud, waiting to exploit any gap in the M&A process. Don’t rush the process, and ensure security is top of mind throughout the journey. Because while time may be money, no merger is worth $3.5 billion in losses.
    • Risks don’t stop once the M&A is complete. Failing to modernize legacy applications, even and especially after the initial M&A activities are over, is a mistake far too many organizations make. The lesson here – don’t forget to modernize your legacy applications after the big rush of M&A activity is finished or you too could be in a data breach scenario that was “entirely preventable.” Complexity breeds risk – and there’s no environment that accommodates complexity more than M&A.

Though the outcomes of a ‘successful’ deal may be predicated on what it can do for business growth and success, a resilient M&A is most reliant on proper, secure execution of the IT integration. When organizations don’t take the time to properly prepare and consistently manage the integration, their lack of security can lead to massive compromises and unnecessarily large expenses down the road. In today’s business world, as M&A continues to surge and organizations look to increasingly execute competitive deals with increasing speed, it’s important to remember that the most scalable, sustainable approaches to M&A are the ones that are most proactive – and security-forward.


Brennan Sullivan is CIO of Quest Software. Sullivan is a hands-on executive leader experienced in driving change to foster innovation and improve business efficiency while reducing cost through process improvement, technology utilization, organizational restructuring, strategic outsourcing, and successfully leveraging offshore support models.