7 access management challenges during M&A

Integrating an acquired company into a single organization is a daunting task that can take weeks, months, or even years to complete. To have a successful conclusion to the mergers and acquisitions (M&As) process, identity and access management (IAM) teams need time to prepare, test, and communicate with users to ensure the process goes as smoothly as possible.


But what happens to all those identities when companies abruptly close their doors or acquisitions take place overnight with little or no warning?

This is happening in the banking industry today. Over the course of just three days in March, three small- to mid-size banks in the United States collapsed: Silicon Valley Bank (SVB) became a bridge bank before being acquired, Silvergate Bank underwent voluntary liquidation, and Signature Bank closed prior to being acquired. In early May, First Republic Bank was also abruptly acquired. While the impact on the financial markets is considerable, these buyouts and closures also pose risks to organizations and employees — not to mention partners and customers.

Sudden closures and M&As cause heightened threats

Financial data is, by its very nature, extremely sensitive, and the regulatory environment is complex and rigorous. While there are many serious considerations from the business perspective, there are also many potential risks related to identity and data, including:

1. Unauthorized access: During a rapid transition, there is often temporary confusion regarding who has access to sensitive data. This may lead to unauthorized data access or breaches, and the exposure of sensitive customer information may result in identity theft.

2. Data transition: Transferring customer data from one entity to another during an acquisition poses risk if it’s not properly managed. If there are any gaps in security during a rushed transition, cybercriminals may take advantage of the opportunity to steal sensitive data.

3. Phishing attempts: A bank closure or acquisition may be used as a ruse in phishing attacks. Cybercriminals may identify it as an opportunity to impersonate either the bank or the acquiring company to convince customers to reveal login credentials or other sensitive information.

4. Regulatory compliance: Banks must adhere to a wide range of federal acts and strict regulations. When a bank closes or is acquired, it’s critical that the transition process complies with all relevant regulations to protect customers’ identities. Unfortunately, this may not happen during a crisis.

5. Employee access: When a bank suddenly closes or is acquired, many employees may lose their jobs. Unhappy former employees may misuse customer data if their access to banking systems is not promptly and properly revoked. At the same time, it’s also important to continue providing access to key systems and data for the employees who remain with the business.

6. System integration: During an acquisition, integrating multiple systems is a complex process. Unless systems are properly integrated, vulnerabilities may be created that could be exploited to gain unauthorized access to customer data.

7. Communications: Sudden closures or acquisitions require clear and rapid communications with customers, employees, and partners. Lack of communication can lead to reputational damage, loss of business for the acquirer, and scams targeted at all parties involved.

Minimizing identity threats

You should not wait to address potential threats until right before a business closure or M&A event.

Organizations can take several steps to minimize these threats, but it takes time and planning to address them effectively.

1. Create an access management and authentication plan: A comprehensive plan includes procedures for creating, managing, and deleting user accounts, authentication methods, access controls, and data security. Review the plan regularly and keep it up to date to reflect changes in the organization’s structure and operations.

2. Use next-gen authentication methods: Passwords are frequently the weakest link in security chains because people tend to reuse them or create ones that are easy to guess. Minimize threats by using authentication methods that are more difficult for attackers to compromise. Continuous authentication can, for example, increase security by monitoring and verifying a user’s identity throughout a session to detect unauthorized users — even if they initially authenticated with the correct credentials.

3. Conduct risk assessments: Risk assessments identify potential threats to identity and data security. Include an analysis of the organization’s IT infrastructure, systems, and data, as well as an evaluation of the risks associated with third-party vendors and partners.

4. Monitor identity-related activities: Monitor activities, such as user access and authentication attempts, to detect and prevent unauthorized access and data breaches. Security information and event management (SIEM) systems and similar solutions can help with monitoring. Some next-gen authentication methods also provide monitoring of user behavior and access patterns.

5. Communicate & educate: Employees, partners, and customers need to know about what is happening and any potential impacts, regardless of whether it’s related to a closure or acquisition. Communication should be clear, timely, and transparent. Training on adopting different authentication options, avoiding phishing scams, and other best practices for identity and data security can help minimize identity threats in any situation.

6. Create a transition plan: A detailed transition plan outlines how data will be transferred, who will have access to it, and how customers will be affected. This plan must be developed collaboratively with all relevant stakeholders and take legal and regulatory requirements into account.
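One way to put the monitoring step to work against the employee-access risk described earlier, as an added example that is not part of the original article: cross-check an offboarding list against authentication events and flag any activity after access should have ended. The CSV layouts, field names, account names, and timestamps are all constructed for illustration; a real SIEM export will differ.

```python
import csv
import io
from datetime import datetime

# Constructed HR offboarding feed: account and the time access should end.
OFFBOARDED_CSV = """account,access_end
jdoe,2024-01-15T17:00:00+00:00
asmith,2024-01-15T17:00:00+00:00
"""

# Constructed authentication events, shaped like a simple SIEM export.
AUTH_EVENTS_CSV = """timestamp,account,result,system
2024-01-15T16:40:00+00:00,jdoe,success,core-banking
2024-01-15T18:05:00+00:00,JDoe,success,core-banking
2024-01-15T18:10:00+00:00,asmith,failure,vpn
2024-01-15T18:11:00+00:00,asmith,failure,vpn
2024-01-15T18:30:00+00:00,mlee,success,crm
"""

def load_offboarded(text):
    """Map lower-cased account name -> datetime after which no access is expected."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["account"].lower(): datetime.fromisoformat(r["access_end"]) for r in rows}

def find_post_offboarding_activity(offboarded, events_text):
    """Return events from offboarded accounts after their access_end time.

    A success means revocation did not take effect (high severity);
    a failure means the account is still being tried (medium severity).
    """
    findings = []
    for ev in csv.DictReader(io.StringIO(events_text)):
        account = ev["account"].lower()  # directories often differ in case
        cutoff = offboarded.get(account)
        if cutoff is None:
            continue  # account stays with the business; out of scope here
        when = datetime.fromisoformat(ev["timestamp"])
        if when > cutoff:
            severity = "high" if ev["result"] == "success" else "medium"
            findings.append((severity, account, ev["system"], when.isoformat()))
    # High-severity findings first, then chronological order.
    return sorted(findings, key=lambda f: (f[0] != "high", f[3]))

if __name__ == "__main__":
    offboarded = load_offboarded(OFFBOARDED_CSV)
    for finding in find_post_offboarding_activity(offboarded, AUTH_EVENTS_CSV):
        print(finding)
```

Employees who remain with the business (here the constructed account `mlee`) are never flagged, which reflects the article's point that revocation must not interrupt access for retained staff.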


During the transition period of a business closure or acquisition/merger, maintaining business continuity and security is critical. Identity and access management is essential to achieving both, allowing organizations to manage and protect the identities and data of all their stakeholders even during unexpected business upheaval.

Organizations should leverage a combination of methods to provide a multi-layered defense against unauthorized access. Authentication of users is one of the most important. The appropriate authentication method depends on numerous factors, such as the sensitivity of the information being accessed, user preferences, and the organization’s technological capabilities.
