Your Vendor Just Got Acquired, So Now What?

Mergers and acquisitions can occur unexpectedly, causing uncertainty about your vendor relationship. You may have many questions if your vendor has recently announced its acquisition. Depending on the details, there may even be a sense of urgency to change or end the vendor relationship. Consider these next steps that can help guide you in deciding the future of your vendor relationship.

Vendor Acquisition Next Steps: What You Should Do and How You Should React

On the surface, an acquisition isn't inherently good or bad. Sometimes, it can indicate a positive shift for both parties, bringing greater resources to your organization. Other times, it can be a sign of financial difficulties for the acquired vendor.

These steps can give you more clarity about how to respond to the acquisition:

1. Review the vendor contract. Your contract may have language about early termination due to acquisitions, so it's essential to review it early with your legal team and know your options. You'll be better informed and prepared to act if you're familiar with your contract. 
2. Recognize the acquirer as a new vendor. The company that has acquired your vendor should be considered a new vendor in your inventory, which means completing an inherent risk assessment. It's important to distinguish the acquiring company as a new vendor since your organization likely has no existing relationship. 
3. Perform due diligence. The scope of this step will depend on your vendor's relationship with its acquirer. In other words, were the vendor's operations and assets absorbed by the acquiring company, or will the vendor be independent?
    
   • Absorbed during acquisition – You'll need to perform a new round of due diligence on the acquiring company to evaluate its controls and ensure they're effective.
   • Acquired, but independent – You should review some of the higher-level details of the acquiring company. This review should typically include doing a reputation and Office of Foreign Assets Control (OFAC) check and reviewing the ownership structure. Your ongoing due diligence views of the acquired vendor will generally remain the same.
4. Review your vendor's business continuity (BC) plan. Verifying that your vendor's BC plan has been updated to include the acquiring company is important. The plan may also need to be retested to ensure the vendor can continue delivering products or services to your organization.
5. Update your exit strategy. Ideally, the acquisition will go smoothly for both parties, and you can continue the relationship without any significant changes or disruptions. However, an acquisition can sometimes create adverse outcomes, such as a decline in service levels or decreased spending on production development. It's important to plan for an exit just in case the acquisition isn't beneficial to your organization.
6. Continue to monitor. Ongoing monitoring should already be included in your overall third-party risk management program, but this step is especially critical after your vendor is acquired. Pay close attention to any changes in performance or risk so you can address them quickly before they create more significant problems. 

Red Flags to Watch Out For With Vendor Acquisitions

If you decide to continue the engagement with the acquiring company or the acquired vendor, you'll want to be aware of some red flags. The following signs can indicate that it's time to reevaluate the relationship:

• Price increases – Unexpected price increases could indicate that the vendor is struggling financially. Poor financial performance can ultimately elevate other risk types if the vendor cannot invest in things like product development or cybersecurity tools.  
• Discontinued product or service – Sometimes, an acquisition can shift business priorities, causing a vendor to discontinue certain products or services. This situation can cause concern if your organization relies on these products or services for a critical business function. 
• Decline in quality – If you notice a sudden decline in the vendor's customer support or service quality after the acquisition, you may need to reconsider whether the relationship is worth continuing. 
• Reduced staff – It's not uncommon for an organization to reduce staff after an acquisition, but be aware of which teams were affected. For example, a reduced information security team can expose your organization to security risks.

A vendor acquisition can create many changes quickly, so you'll want to research and plan for any potential consequences that can impact your organization. Staying vigilant through ongoing monitoring and regular due diligence reviews can help ensure that your vendor relationship will continue to provide value.