The Billion-Dollar Blind Spot In India's M&A Boom

India's mergers and acquisitions landscape is experiencing unprecedented momentum. With M&A activity growing by 38% in 2024 and 2,186 deals totalling $116 billion, Indian conglomerates are aggressively expanding market reach and diversifying offerings.

High-profile acquisitions like Reliance-Disney, Tesla-Tata Electronics, and Air India-Vistara showcase this ambition. Yet, beneath the financial projections and synergy calculations lies a critical factor that can make or break these ventures: Identity security.

As boards evaluate acquisition targets, financial metrics and operational compatibility typically dominate discussions. Less visible, but potentially more devastating are identity vulnerabilities that come with each acquisition.

Consider this sobering reality: India ranks as the second most targeted nation for cyberattacks in 2024, with the average cost of a data breach reaching an all-time high of Rs 19.5 crore. More alarmingly, 80% of these breaches stem from identity-based attacks.

For companies engaged in M&A, the risk multiplies. Each acquisition brings its own identity ecosystem, employees, partners, contractors, and systems, potentially introducing compromised credentials, excessive privileges, and outdated access controls into the organisation. A recent study revealed that 40% of data breaches during M&A result from compromised third-party suppliers and ransomware attacks. Beyond financial impact, these breaches erode customer trust, with 42% of consumers unwilling to continue using services after a security incident.

Successful M&A security requires addressing identity across the entire acquisition lifecycle.

Before acquisition, smart acquirers conduct identity security posture assessments alongside traditional due diligence. This uncovers whether privileged accounts are properly secured, if former employees retain system access, and whether identity governance aligns with regulatory requirements like the Digital Personal Data Protection Act.

During integration, identity systems must consolidate without creating security gaps. This phase demands universal directory implementation and governance controls to ensure appropriate access as roles change. The most successful M&As implement a converged identity platform that breaks down barriers between merging organisations.

After consolidation, continuous monitoring becomes essential. Organisations must implement identity threat protection, leveraging AI to detect anomalous behaviour and deploy universal logout capabilities to rapidly respond to compromised credentials, creating a security perimeter that focuses on people rather than network boundaries.

As Indian businesses continue their acquisition strategies, identity security deserves boardroom attention. Forward-thinking organisations must integrate identity assessment into M&A due diligence, with focused evaluation of privileged access controls and potential credential compromises. This evaluation should be considered as fundamental as financial audits.

Indian businesses face unique regulatory challenges that make identity governance even more critical. Leveraging identity governance helps address India's unique regulatory landscape, particularly the data protection requirements under the Digital Personal Data Protection Act. This proactive approach prevents costly compliance issues post-acquisition.

In today's competitive landscape, M&A drives growth through globalisation, new products, and expanded customer reach. But as an organisation grows through acquisition, remember this fundamental truth: identity security isn't just about preventing breaches, it's about creating the foundation upon which successful business integration can occur.

For boards and risk teams navigating India's dynamic M&A environment, vetting an acquisition target's identity security posture isn't just good cybersecurity practice, it's a non-negotiable business strategy.