Phase 1 — Due Diligence

Governance
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Identify GRC lead / integration owner | MediaTech GRC | Pre-close | |
| Establish joint steering committee (MediaTech + YourNews + MSP rep) | Both | Pre-close | |
| Define decision-making authority during transition | MediaTech Legal & GRC | Pre-close | |
| Document YourNews's current governance structure | YourNews | Pre-close | |
| Review YourNews board/management accountability for compliance | MediaTech GRC | Pre-close | |

Risk Assessment
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Conduct technical security assessment of YourNews environment | MediaTech Security | Pre-close | |
| Identify all data YourNews holds (user, advertiser, content, contracts) | YourNews + GRC | Pre-close | |
| Map YourNews's regulatory obligations (GDPR, CCPA, press laws etc.) | Legal | Pre-close | |
| Review MSP contract — scope, access rights, termination clauses | Legal + GRC | Pre-close | |
| Assess MSP security posture (SOC 2, ISO 27001, or equivalent) | MediaTech Security | Pre-close | |
| Identify MSP subcontractors (fourth-party risk) | MediaTech GRC | Pre-close | |
| Determine if YourNews owns its data or if MSP controls it | Legal | Pre-close | |
| Check for ongoing audits, legal disputes or regulatory investigations | Legal | Pre-close | |
| Identify crown jewel assets — IP, proprietary content, subscriber data | Both + GRC | Pre-close | |

Compliance
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Review YourNews compliance certifications (ISO, SOC, etc.) | GRC | Pre-close | |
| Compare YourNews compliance posture against MediaTech baseline | GRC | Pre-close | |
| Identify compliance gaps requiring remediation post-close | GRC | Pre-close | |
| Confirm data processing agreements are in place with MSP | Legal | Pre-close | |
| Check GDPR data transfer mechanisms (if cross-border data flows) | Legal + DPO | Pre-close | |

Phase 2 — Day 1

Governance
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Assign single GRC integration owner — accountable end-to-end | MediaTech | Day 1–30 | |
| Formally notify MSP of merger and initiate contract review | Legal | Day 1 | |
| Define escalation path for security/compliance decisions | GRC | Day 1–7 | |
| Communicate merger to YourNews staff with compliance expectations | HR + GRC | Day 1–14 | |

Risk & Security
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Document all MSP access to YourNews systems immediately | Security | Day 1 | |
| Freeze MSP access expansion — no new access to MediaTech systems | IT Security | Day 1 | |
| Separate YourNews and MediaTech networks until security parity achieved | IT | Day 1 | |
| Treat YourNews environment as untrusted until assessed | Security | Day 1–30 | |
| Onboard YourNews environment to MediaTech SIEM/monitoring | IT Security | Day 1–30 | |
| Deploy EDR on all YourNews endpoints | IT Security | Day 1–30 | |
| Rotate all shared/default credentials in YourNews environment | IT Security | Day 1–14 | |
| Identify and remove any temporary firewall rules or access exceptions | IT Security | Day 1–14 | |

Compliance
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Notify relevant regulators of merger if required | Legal + DPO | Day 1 | |
| Classify all YourNews data under MediaTech's data governance framework | GRC + DPO | Day 1–30 | |
| Ensure GDPR obligations for YourNews user data are transferred/maintained | DPO + Legal | Day 1 | |
| Review active YourNews contracts for change-of-control clauses | Legal | Day 1–14 | |

Phase 3 — Integration

Governance & Policy
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Decide which policies govern merged entity — MediaTech, YourNews, or combined | GRC | 30–90 days | |
| Roll out MediaTech policies to YourNews staff with formal sign-off | HR + GRC | 30–60 days | |
| Establish unified risk register covering both entities | GRC | 30–60 days | |
| Set up recurring GRC review cadence for integration progress | GRC | 30 days+ | |

Vendor / MSP Management
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Conduct formal vendor risk assessment of MSP | GRC + Security | 30–60 days | |
| Request SOC 2 Type II or equivalent from MSP | GRC | 30–60 days | |
| Renegotiate MSP contract under MediaTech's vendor standards | Legal + GRC | 30–90 days | |
| Add right-to-audit clause to MSP contract | Legal | 30–90 days | |
| Define SLAs and incident response obligations for MSP | Legal + IT | 30–90 days | |
| If exiting MSP — plan structured offboarding with credential rotation and data retrieval | IT + Legal | 60–180 days | |
| Confirm all MSP access is fully revoked upon contract end | IT Security | On exit | |

Compliance & Controls
| Checklist Item | Owner | Timeline | Status / Notes |
| --- | --- | --- | --- |
| Run full gap assessment against MediaTech control framework across YourNews environment | GRC + Security | 30–60 days | |
| Remediate high-risk control gaps first (access, encryption, logging) | IT Security | 30–90 days | |
| Set target date for YourNews compliance parity with MediaTech | GRC | 30 days | |
| Conduct privacy impact assessment for merged data flows | DPO | 30–60 days | |
| Update data retention schedules to cover YourNews data | GRC + DPO | 30–60 days | |
| Conduct staff security awareness training for YourNews employees | HR + Security | 30–60 days | |
| Document lessons learned and update M&A GRC playbook | GRC | 180 days | |

Key GRC Principles for This Merger

1. Assume the acquired company is not secure until proven otherwise.
   Treat YourNews's environment as untrusted from Day 1. Verify everything before granting access to MediaTech systems.
2. The MSP is a vendor, not a team member.
   The MSP had a contract with YourNews. They do not automatically have a relationship with MediaTech. Assess, renegotiate, or exit — but never inherit blindly.
3. Compliance obligations transfer immediately on close.
   GDPR, data retention, licensing — all of it becomes MediaTech's liability the moment the deal closes. Own it early.
4. Network integration is a security event.
   Never connect two environments without achieving security parity first. Temporary firewall rules must have expiry dates and named owners.
5. The gray zone is the danger zone.
   The period between close and full onboarding is when attacks happen. Prioritise visibility (SIEM, EDR) in YourNews's environment before anything else.

MediaTech · GRC Integration Programme · Confidential