The Situation

MediaTech is acquiring YourNews. YourNews does not have an internal IT department — their IT is fully outsourced to a third-party managed service provider (MSP). This adds a layer of complexity during merger integration because MediaTech isn't just inheriting YourNews's systems. They're inheriting a vendor relationship, vendor contracts, vendor access, and vendor risk.

The Core Complication

YourNews's IT vendor has significant access and control. MediaTech is acquiring YourNews — but the MSP still holds the keys. That needs to be addressed before Day 1.

Phase 1 — Pre-Merger Due Diligence

This is the most important phase. Most GRC failures in mergers happen because this phase is rushed or skipped entirely.

What MediaTech Needs to Find Out About YourNews

  • What data does YourNews hold? (user data, advertiser data, content licences, contracts)
  • What regulations apply to YourNews? (GDPR, CCPA, press freedom obligations, data retention laws)
  • What policies does YourNews have — and are they actually followed or just on paper?
  • What compliance certifications, if any, does YourNews hold?
  • Are there any ongoing audits, legal disputes, or regulatory investigations?

Specific to the Outsourced IT (MSP)

  • Who is the MSP? What is their contract with YourNews?
  • What access does the MSP have? (admin rights, remote access, data access)
  • Does the MSP have their own subcontractors? (fourth-party risk)
  • Is the MSP compliant with any recognised framework — SOC 2, ISO 27001?
  • What happens to the MSP contract post-merger — does it auto-renew, can MediaTech terminate it, is there a lock-in period?
  • Does YourNews even own their own data, or does it sit in MSP-managed infrastructure?

Phase 2 — Day 1 Readiness (Deal Close to First 30 Days)

The merger is announced or closed. Now things move fast. From a GRC standpoint, the priorities are:

Governance

  • Assign a clear owner for GRC integration — one person or team accountable, not split between both companies
  • Define who has decision-making authority during the transition period
  • Establish a joint steering committee with representation from MediaTech, YourNews leadership, and the MSP

Risk — MSP Transition

  • Immediately review what access the MSP has and document it
  • Do not expand MSP access into MediaTech's environment — keep the two environments separate until a proper assessment is done
  • Notify the MSP formally that a merger has occurred and that their contract is under review
  • Determine whether MediaTech wants to retain, renegotiate, or exit the MSP relationship — and set a timeline for that decision

Compliance

  • Map YourNews's compliance obligations against MediaTech's existing compliance posture
  • Identify any gaps — if MediaTech is ISO 27001 certified but YourNews has no equivalent, YourNews's environment cannot be treated as equivalent until it's brought up to standard
  • If YourNews handles any EU user data, GDPR obligations transfer — MediaTech now owns that liability

Phase 3 — Integration (30 to 180 Days)

This is where GRC does the actual heavy lifting of making one organisation out of two.

Policies & Procedures

  • Decide which set of policies governs the merged entity — MediaTech's, YourNews's, or a new combined set
  • YourNews staff need to be onboarded to MediaTech's policies formally — training, sign-off, acknowledgment
  • The MSP needs to operate under MediaTech's vendor management policy, not a legacy YourNews handshake agreement

Vendor Risk Management — The MSP

  • Conduct a formal vendor risk assessment of the MSP as if onboarding them as a new vendor
  • Request a SOC 2 report or equivalent evidence of their security controls
  • Renegotiate or replace the contract — it should reflect MediaTech's standards, SLAs, data handling requirements, and right-to-audit clauses
  • If MediaTech decides to exit the MSP, plan a structured offboarding — ensure all credentials are rotated, all data is retrieved, and all access is revoked before termination

Data Governance

  • Classify all data that YourNews holds — what is sensitive, what is regulated, what is business critical
  • Establish clear data ownership — who is responsible for what data now that the two companies are merging
  • If YourNews data lives in MSP-managed infrastructure, plan the migration to MediaTech-controlled infrastructure with a clear timeline

Audit & Controls

  • Run a gap assessment against MediaTech's existing control framework across YourNews's environment
  • Prioritise closing the highest-risk gaps first — access controls, logging, data encryption
  • Set a target date for YourNews's environment to reach compliance parity with MediaTech

The Outsourced IT Factor — The Key Principle

Throughout all phases, the MSP should be treated as a third-party vendor under review, not as a trusted internal team. They had a relationship with YourNews. They do not automatically have a relationship with MediaTech.

Until a formal vendor assessment is complete and a new contract is in place, the MSP's access should be monitored, documented, and limited to what is strictly necessary to keep YourNews's operations running.

Roles & Responsibilities

| Who | What They Own |
|---|---|
| MediaTech GRC / Security Team | Overall integration governance, risk assessment, compliance mapping |
| YourNews Leadership | Stakeholder coordination, policy sign-off, MSP relationship management |
| MSP | Continuity of YourNews operations, cooperation with assessment, contract renegotiation |
| Legal (both sides) | Contract review, regulatory obligations, data transfer agreements |
| Joint Steering Committee | Decision escalation, timeline accountability |

The Simple Version

1. Don't assume YourNews is safe just because it was operating fine. Fine and secure are not the same thing.

2. The MSP is a vendor, not a team member. Treat them accordingly from Day 1.

3. Compliance obligations don't pause during a merger. GDPR, data retention, licensing — all of it transfers immediately. Own it early.

GRC Integration Checklist

All three phases broken down into trackable actions — with owner, timeline, and status columns for every item.
