Current events · 4 MIN READ · SCOUT SCHOLES · JUN 13, 2025 · TAGS: Webinar
TL;DR
- Recently, Expel & Visa joined forces for a chat on the security of mergers & acquisitions (M&A), and how to make the transition as smooth as possible for everyone involved
- Get tips from seasoned experts, including Ilaiy Elangovan, Head of Product Development & Innovation at Visa, and Expel’s own Peter Katz, VP & General Counsel, and Lauren Horaist, Director of Product Management
- You can watch the full conversation here
In the fast-paced and highly regulated world of financial services, mergers and acquisitions (M&A) can be both a strategic necessity and a significant challenge. Recently, Expel hosted a virtual roundtable to discuss ways to stay secure during M&A transitions. The roundtable included:
- Ilaiy Elangovan, Head of Product Development and Innovation, Visa
- Lauren Horaist, Director of Product Management, Expel
- Peter Katz, VP & General Counsel, Expel
During the session, the three dove into the complexities of M&A and shared their insights on how to navigate these processes while maintaining robust security and compliance.
Here are four key takeaways from the discussion.
1. Effective communication and collaboration are crucial for navigating the complexities of mergers and acquisitions in financial services.
“It’s the cross collaboration and the early and continuous communication between internal teams that are responsible for completing the due diligence, from security to legal, finance, accounting, and HR.” said Katz. This collaborative approach is critical to address the dimensions of M&A. Security teams have to closely partner with various business and legal teams to understand (and achieve) the broader goals of the acquisition.
“Security cannot operate in a vacuum during an M&A deal. We have to understand what the business drivers are for the acquisition and align our security strategy to partner with the business and help them understand how to prioritize all the risks,” Elangovan explained. This alignment ensures that security measures are integrated seamlessly with business objectives, and that all stakeholders are aware of the necessary security protocols from the outset.
The key to successfully doing so? Clear roles and responsibilities throughout the entire process. Without those, it doesn’t matter how hard your security team works—M&As can’t (and won’t) happen within just one team.
2. Identifying and addressing undisclosed breaches and compliance issues early can prevent significant roadblocks in M&A transactions.
It’s critical to uncover and address undisclosed security breaches and compliance issues early in the M&A process to avoid potential deal-breaking complications. Katz pointed out, “There are obviously a number of areas where we need to focus, but I think two main areas are undisclosed breaches and severe non-compliance with regulatory or legal requirements.” These issues specifically can lead to unexpected liabilities, delays, and reputational damage, which can severely impact the deal’s success.
An additional consideration Horaist mentioned was the importance of understanding the security maturity of the target company as well, noting, “Sometimes if you’re dealing with earlier stage companies, they just maybe don’t have the same operational rigor as someone like a Visa, right? And they don’t even know what their risks are.” And while perfection isn’t expected, having a baseline understanding of the target’s security practices and vulnerabilities is crucial for risk management.
3. Utilizing MDR services and incident response plans can enhance post-acquisition security.
Once the deal is closed, securing the newly integrated environment becomes a top priority. There are several tools and practices to help with this part of the process, such as managed detection and response (MDR) services and AI, to give you quick visibility (and support) in the new infrastructure. Bonus points if your MDR service provider has 24×7 support for this, too (because M&As may happen during business hours, but attacks don’t).
Incident response plans may also be helpful here as well. Having those plans in place—and testing them regularly against real-world scenarios prior to the M&A—enables orgs to respond swiftly and effectively to security incidents, which is crucial for maintaining the integrity of the merged or acquired entities.
4. Trusting your instincts and asking difficult questions early can mitigate future issues in M&A.
Across the board, the panelists agreed on the importance of trusting your instincts and addressing concerns proactively during the due diligence phase of an M&A. Katz advised, “It’s really important to ask the questions and have the difficult conversations early in the process because they are inevitably going to come up. And the closer you get to the deal happening, the more challenging it can be to actually deal with the issues you see.” While no one likes having these conversations, they’re truly crucial for identifying and resolving potential red flags before they become deal-breakers.
And we can’t forget good communication. “Keeping everyone informed is critical. We talk through the right vulnerabilities so we have visibility into our infrastructure, our parameters’ secure compliance is maintained, and [we] protect the data.” Elangovan shared about Visa’s experiences. It’s fair to say that if you take one thing away from this conversation, it’s that good communication goes a long way, whether it’s with the people you’re merging with or acquiring, your internal business partners, or your security vendors—keep it transparent and honest across the board to facilitate the smoothest transition possible.
Criteria for a smooth transition during your M&A
So if you wanted a checklist for a smooth and secure transition throughout your M&A, it might look something like this:
- Surface undisclosed breaches and non-compliance to key stakeholders
- Set clear roles and responsibilities for all involved partners, whether they’re internal or external, for smooth sailing
- Take advantage of your MDR provider to help find any hidden vulnerabilities before they become a security risk, especially as integrations begin
- Understand the security maturity of everyone involved, and clearly identify the strengths and weaknesses at every level
- Take a risk-based approach that focuses on critical assets, including testing and preparing incident response plans ahead of time
- Communicate transparently—with everyone, at all times, at all levels
Again, you can find the full session here.
