Telecommunications M&A in an evolving cyber environment

The Australian telecommunications market has undergone significant transformation in the last three decades.

A key driver has been the merger and acquisitions (M&A) activity that has seen telecommunications providers acquired, merged, and demerged in response to the changing market, and to optimise shareholder returns.

M&A activities, including demerging of business units, are complex at the best of times. In the telecommunications industry, which is subject to increasing regulation and scrutiny, not to mention customer expectations, it is even more challenging. Coupled with the evolving cyber threat landscape, there are many aspects of M&A telecommunications providers need to factor in when considering their next big move.

Legislative Obligations

Introduced by the Commonwealth Government in 2017, the Telecommunications Sector Security Reforms (TSSR) intend to maintain the confidentiality and integrity of data and information carried on telecommunications networks. The legislation requires telecommunications providers to maintain ‘competent supervision’ and ‘effective control’ over telecommunications networks and facilities owned or operated by them.

The Security of Critical Infrastructure (SOCI) Act, established in 2018, was recently expanded to now capture the telecommunications sector. The SOCI Act is focused on maintaining the availability of critical infrastructure assets. While the amended Act will not change Australian telecommunication providers’ requirement to comply with the TSSR, it has introduced new obligations that those who own and operate critical assets must also comply with.

One key SOCI requirement is that telecommunications providers must register their critical infrastructure assets with the Department of Home Affairs. They must also maintain a risk management plan for those assets which includes how the organisation is managing all the risks to that asset, one of which is cyber. And further obligation now in place compels telecommunications providers to report critical cyber security incidents within 12 hours of the entity becoming aware of the incident.

Compliance with these regulatory obligations becomes more challenging during what is known as the transitional period, when assets and networks are being transferred between owners, and one party may be providing services to the other, such as the seller providing the buyer access to internal networks and systems temporarily. This period is often characterised by staff joining or transitioning to new roles, as well as the evolution of new processes and/or the introduction of new ones.

Stakeholder Expectations

Australian consumers and businesses are highly reliant on telecommunication services and expect providers to safeguard their personal information. Transitional periods during M&A activities can make roles and responsibilities unclear, and regulatory compliance more burdensome. We know that swift identification of and response to cyber incidents is critical to effective recovery.

Confusion about who is responsible for what can delay response times, leading to poorer outcomes for organisations and their stakeholders – including customers.

Be Prepared

Early and detailed planning is critical. Identifying your key cyber security risks, having a clear understanding of how and when the merger or separation will occur, and who will be responsible for what during the entire transitional period, is critical for telecommunications providers to meet not only their regulatory obligations but also stakeholder expectations.

Organisations who expect to work through a transitional period should consider the development of a transitional incident response plan. This artefact should take into consideration all moving parts and changes during the transitional period.

At a minimum, this plan would be tested via a tabletop exercise before the transitional period commences.

As the cyber environment continues to evolve, telecommunication companies need to ensure they are keeping pace, or risk falling out of step with the expectations of regulators and customers.