Workplace trust is key for the performance, innovation, and longevity of organizations. So, we found it interesting that the Harvard Business Review reported 58% of respondents trusted strangers more than their own bosses. This is likely not the case with community financial institutions (CFIs), as they are more in sync with their staff, but it is interesting information nonetheless.

Trust is also important in merger and acquisition deals, which have been booming lately. Indeed, by the end of September 2021, M&A activity among US banks was already nearly double the total deal value of mergers for the entire year of 2020, according to S&P Global Market Intelligence. As we noted in our BID article, Bank Merger Deals Hit $52B – How Will Community Banks Fare, it is not just the big banks doing deals either. The activity includes community banks and credit unions pairing up as well as community banks buying other community banks.

A strategic merger can expand local presence, boost scale, and provide operational efficiency. But given all the moving parts of a merger — technologically, managerially, operationally, and more — CFIs must be on their guard to protect against particular cybersecurity vulnerabilities that can arise specifically during M&A.

Three cyber risks
- Increased risk of business email compromise. When two CFIs come together, there is often a long period where the employees and even the executives from both institutions are adjusting to each other and attempting to accommodate each other. This presents the perfect environment for a wily bad actor to impersonate an executive from one CFI, requesting important data or the release of funds from an executive of the other CFI. In the interest of a harmonious partnership, the usual due diligence may be skipped. To avoid this issue, both institutions should inform their IT teams of this potential risk and communicate appropriately with employees from the earliest possible point.
- The merger of systems. When CFIs come together, so too must their networks, their data, and their multiple front- and back-end systems. As this integration is taking place, there are typically a number of moving parts internally at both institutions and their respective third-party core providers, as well as with other technology vendors. Since these integrations can go on for upwards of six to 12 months, this can present a myriad of opportunities for cybercriminals to exploit the transition. Both IT teams should be communicating well to prevent this too.
- Unhappy employees. Mergers usually mean greater efficiencies, but they can also lead to employee layoffs or reassigning some managers or executives to a position below their previous one. This can hurt egos and potentially lead to malicious insiders (especially those recently let go). While your HR teams are involved from the early stages of M&A, it is important that they act on any issues of this kind promptly, while IT teams should carefully monitor any suspicious actions and remove all access points for laid-off employees swiftly.
These potential bank merger cyber risks should be on your radar if you plan for any type of merger or acquisition. Make sure to have a strategy in place that incorporates both these potential perils and the ways to prevent them. This preemptive plan could save you not only time and money, but also your reputation.