Merger and Acquisition Due Diligence - Solution Approach:
The Business Issue:

While the security posture of an acquisition target is unlikely to influence management's decision to acquire the firm, an acquisition creates both opportunities and risks for the acquiring company. Several common issues that must be considered include:
- Risk: How to securely and quickly interconnect/integrate the two firms while still protecting the combined information assets and business processes? By connecting the two firms, the acquirer potentially expands its network perimeter to include that of its acquisition.

- Risk: Employees or affiliates of the acquired firm become internal users, increasing their ability to harm the acquirer's assets, particularly if they are disgruntled about the acquisition and are privileged IT users.

- Opportunity: Identify and help retain talented security staff and best practices within the acquired firm.
KoreLogic's Approach:

Various clients have retained KoreLogic to provide M&A security due diligence services, including Post-Acquisition Assessments (PSA). The following are representative examples of this support:
- Conducted a PSA for a Fortune 500 financial services firm which had acquired another financial services firm for over $4B. KoreLogic performed external and internal penetration testing of the acquired firm and its hosting providers.

- Conducted a PSA for a large financial services firm which had acquired a strategic consulting firm. We performed external pen testing, internal pen testing, an Active Directory integration review, a security operational practices review, and VoIP testing.
Other services include:
- Pre-acquisition audit - to gauge risk and the expense to correct flaws (allows the acquiring company to factor this into the purchase price and to estimate the post-acquisition resources needed to take corrective action).

- Application security assessments of key software products or business-critical applications of the acquired firm (to gauge risk and the expense to correct flaws).

- Forensics - when there is concern about disgruntled employees, theft of intellectual property, etc.

- Post-acquisition threat monitoring - monitor for suspicious user activity when there is concern about disgruntled employees and/or the acquired firm's security posture is weak.

- Interconnection architecture review - review of the client's plan for interconnecting with the acquired firm (e.g., access points to public networks, business partners and vendors; how access is controlled; threat monitoring capabilities).