Heidi Maher

Four Ways Information Governance can protect M&A Value

While the world waits to see the potentially transformative impact of the CVS acquisition of Aetna (assuming it isn’t [ultimately] blocked), CVS’s CIO is likely thinking about the major data integration hurdles he will need to overcome to attain the value sought by the transaction.

Many other companies will face these same challenges because M&A activity is now big business. Bain & Co. estimates M&A deals totaled $3.4 trillion globally in 2018, with about half those deals involving a company that obtained new capabilities or access to new markets from the acquired business. Based on my discussions with data and information experts from major enterprises, here are the top four ways information governance can help organizations meet the data integration challenges they will almost certainly encounter.


While due diligence is always a critical topic for M&A deals, in the past, it focused primarily on legal and financial records. Today, due diligence must encompass regulatory impact, human resources, environmental effects, customer outlook, industry reputation, internal compliance, and information technology. This broader scope makes due diligence ever more challenging, as does the massive amount of data from multiple sources that must be accessed, authenticated, and reviewed, which can clog the due diligence process.

To overcome this, organizations must have in place a solid integration strategy and a mature IG program that ensures cross-functional communication. Due diligence teams must also rely on advances in technology, including machine learning and predictive analytics, to help them accelerate and better manage the process while providing additional security.


A 2017 West Monroe survey of senior global executives found cybersecurity continues to be a major M&A issue, both before and after the deal closes, with over 50% discovering a cybersecurity issue after closing a deal. And those surveyed cited security as the No. 2 reason why M&A deals fall apart.

To avoid this, an acquiring company must extend its IG smarts to the target company in order to fully examine the target’s IT and data security policies, including how the target gathers personal or sensitive information, how this data is used and stored, whether it is encrypted or otherwise protected, and when and how data is destroyed. It is equally important to understand where data is physically stored and on what systems and the types of cyber- or data-related insurance policies the target maintains.

While a primary goal of cyber due diligence is to avoid taking on potential data breach-related liability, including for those in the past, parties should understand that providing another party (such as an acquirer in an M&A transaction, along with financial institutions, consulting companies, law firms, vendors, etc.) with private customer or employee information or other sensitive data, can violate privacy regulations and increase the risk of a data breach. This means every third party receiving or storing sensitive data must be carefully vetted for privacy and security policies and procedures.


The CVS-Aetna deal is the perfect example of a culture clash. CVS is a retail company that processes millions of transactions for millions of individuals. Aetna relies on corporate purchasing from thousands of corporate customers. IG stakeholders are essential to bridging this divide. For example, to support data integration, the acquiring company must retain target company subject matter experts who know where data is located and the data habits of the employees. This knowledge is essential for successfully combining IT functions without introducing significant business disruption.


The only way to fully and rapidly benefit from analytics performed on data acquired from a target company is to make sure only relevant, high-quality data is added to the existing data lake. Following an acquisition at a bank I worked with a few years ago, executives demanded rapid integration of the new data, and they were so concerned about the possibility of losing some important information that they insisted on importing everything. However, this resulted in mountains of irrelevant and non-sensitive personal information (such as vacation photographs) being ingested, requiring significant time and money for a post-integration clean-up.

So, it is essential not to rush. Instead, the acquiring company’s IG program must be extended to the new data to ensure only relevant, high-quality information from trusted sources is integrated.


We will be watching the progress of the CVS-Aetna integration closely because the lessons learned will certainly benefit the entire industry. Meanwhile, M&A shoppers must focus on understanding all the risks associated with a target company’s data. If a buyer can’t use some of a target company’s assets because of privacy, healthcare, financial, or other regulations, or if the acquiring company cannot ensure only relevant, high-quality data is integrated, the future value of the deal could be completely undermined.

These data integration challenges may feel overwhelming, but companies focused on maturing their own IG programs will be in a far better position to identify the potential risks in the target company’s data, enabling smarter decisions before, during, and after an M&A transaction.

Posted in , Tagged with , , ,
Heidi Maher

Heidi Maher

Heidi Maher is an attorney and IG specialist who has helped hundreds of organizations move from theory to practice. Presently, she is the Sr. Director of Privacy and Compliance at Epiq. Previously she was the Executive Director of the Compliance, Governance and Oversight Council. Before moving into the commercial space, Heidi was a felony prosecutor, civil litigator, an assistant state attorney general and the public information officer for a large environmental agency.

Leave a Reply

Print and Digital Editions

Read Our Digital Edition

Scroll to Top